Replies: 1 comment
fwiw, the authorization logic in Crossbar.io for static authorization (e.g. from permissions in the node config file) is here: https://github.com/crossbario/crossbar/blob/03d7057ee18a0d1e59b33bf1633ee246c1cf908a/crossbar/router/role.py#L249
It's obvious that the meta API presents an attack surface and should only be accessible to authorized peers. What's not so obvious is how to safeguard against pattern-based subscriptions/registrations as an attack vector into gaining access to the meta API.
For example, a dynamic authorizer could block subscriptions to URIs starting with `wamp.`. But what if an unauthorized client does a prefix-based subscription to `w`, which would match all `wamp.foo.bar` URIs? Or how about a `<wildcard>.<wildcard>.on_join` wildcard-based subscription that would match `wamp.session.on_join`?

I can't be the first one to have tackled this problem, so if you have strategies you devised for your WAMP apps/implementations, I would very much appreciate any insights.
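The check the question is asking for, as an added example that is not part of the original post and not Crossbar's or Autobahn's own code: a dynamic-authorizer style function that evaluates the `match` option of a subscribe/register request and denies any pattern that could ever reach a `wamp.` URI, not just URIs that literally start with `wamp.`. The `authorize(session, uri, action, options)` signature, the `session["authrole"]` lookup and the `TRUSTED_ROLES` set are assumptions modelled on the shape of a Crossbar dynamic authorizer and the WAMP `match` values `exact`, `prefix` and `wildcard`; check them against the router you actually run.

```python
"""
Pattern-aware guard that keeps the WAMP meta API (everything under "wamp.")
out of reach of untrusted subscribe/register requests.

Added example, not Crossbar's or Autobahn's code. The authorize() signature,
the session dict with an "authrole" key and the TRUSTED_ROLES set are
assumptions standing in for the router's real session details and roles.
"""

META_PREFIX = "wamp."          # the meta API lives under this string prefix
TRUSTED_ROLES = {"trusted"}    # constructed: roles allowed to touch the meta API


def _wildcard_overlaps(pattern, prefix):
    """True if some URI starting with `prefix` is matched by the wildcard
    `pattern`. A wildcard pattern matches URIs with exactly the same number
    of dot-separated components; an empty component matches any one
    component (so "..on_join" matches "wamp.session.on_join")."""
    parts = pattern.split(".")
    pparts = prefix.split(".")        # "wamp." -> ["wamp", ""]
    if len(parts) < len(pparts):
        # The pattern fixes a component count too small to reach the prefix.
        return False
    last = len(pparts) - 1
    for i, want in enumerate(pparts):
        have = parts[i]
        if have == "":
            continue                  # wildcard component: can be anything
        if i < last and have != want:
            return False              # fixed component disagrees with prefix
        if i == last and not have.startswith(want):
            return False              # last prefix component may be partial
    return True


def overlaps_meta(uri, match="exact", prefix=META_PREFIX):
    """Could a subscription or registration on `uri` with the given match
    policy ever receive events or calls for URIs under `prefix`?"""
    if match == "exact":
        return uri.startswith(prefix)
    if match == "prefix":
        # Two prefixes overlap when one is a prefix of the other:
        # "w" covers "wamp.foo.bar", and "wamp.session" sits inside "wamp.".
        return uri.startswith(prefix) or prefix.startswith(uri)
    if match == "wildcard":
        return _wildcard_overlaps(uri, prefix)
    # Unknown match policy: fail closed and treat it as overlapping.
    return True


def authorize(session, uri, action, options=None):
    """Dynamic-authorizer style decision for one request.

    `session` is a dict with an "authrole" key (assumption), `action` is one
    of call/register/publish/subscribe and `options` may carry a "match"
    key for subscribe and register. Returns the allow/disclose/cache dict
    shape a dynamic authorizer is expected to produce (assumption).
    """
    options = options or {}
    match = options.get("match", "exact")
    if session.get("authrole") in TRUSTED_ROLES:
        return {"allow": True, "disclose": True, "cache": False}
    if overlaps_meta(uri, match):
        # Pattern could observe or shadow the meta API: deny regardless of action.
        return {"allow": False, "disclose": False, "cache": False}
    # Application-specific rules for ordinary URIs would go here; this
    # example simply allows everything outside the meta API.
    return {"allow": True, "disclose": False, "cache": False}


if __name__ == "__main__":
    anon = {"authrole": "anonymous"}   # constructed session
    for uri, opts in [
        ("wamp.session.on_join", {"match": "exact"}),
        ("w", {"match": "prefix"}),
        ("..on_join", {"match": "wildcard"}),
        ("com.myapp.topic", {"match": "exact"}),
    ]:
        print(uri, opts, "->", authorize(anon, uri, "subscribe", opts)["allow"])
```

The `prefix` branch is the one that catches the `w` case from the question: a naive `uri.startswith("wamp.")` test sees `w` as harmless, while the overlap test asks whether `wamp.` itself begins with the requested prefix. The wildcard branch walks the protected prefix component by component and lets an empty (wildcard) component stand in for any value, which is exactly why `..on_join` is refused. Note that `cache` is left `False`: the decision depends on the `match` option, so caching per URI alone would be unsafe.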