Security #8586
closedwebsocket: MASK flag not validated by direction
Description
- Summary
The WebSocket parser accepts any combination of MASK flag and direction. RFC 6455 section 5.1 requires client-to-server frames to be masked and server-to-client frames to not be masked.
- Affected Code
Files: `rust/src/websocket/parser.rs:48-97`, `rust/src/websocket/websocket.rs`
- Impact
This enables two evasion vectors:
1. A server injects masked frames with payload that a real browser would discard; Suricata de-XORs and feeds content to the detector that the client never processes.
2. A client sends unmasked frames; Suricata accepts what the real server would close with 1002 Protocol Error.
- Suggested Fix
Track connection direction and validate the mask flag accordingly.
- Environment
Suricata main branch @ commit 367ca7f (post v8.0.1, May 15, 2026).
- Credit
Reported by Chris Ramos.
PA Updated by Philippe Antoine 17 days ago
- Related to Bug #5279: nom: use of count combinator can use too much memory added
PA Updated by Philippe Antoine 17 days ago
- Related to deleted (Bug #5279: nom: use of count combinator can use too much memory)
PA Updated by Philippe Antoine 17 days ago
I think it is good to have the relaxed parsing as now
JF Updated by Juliana Fajardini Reichow 11 days ago
- Status changed from New to Triaged
JF Updated by Juliana Fajardini Reichow 5 days ago
- Status changed from Triaged to Rejected
- Assignee deleted (
OISF Dev) - Target version deleted (
TBD)
Rejecting as we understand that relaxed parsing is the way to go.
JF Updated by Juliana Fajardini Reichow 5 days ago
- Private changed from Yes to No