Vulnerability Development mailing list archives
Re: WAP & HTTP->WTP
From: Vitaly Osipov <vos () TELENOR CZ>
Date: Wed, 4 Oct 2000 17:40:18 +0200
AFAIK this works in a bit different way, so I'll make notes below:

----- Original Message -----
From: "Roelof Temmingh" <roelof () SENSEPOST COM>
To: <VULN-DEV () SECURITYFOCUS COM>
Sent: Wednesday, October 04, 2000 1:31 AM
Subject: WAP & HTTP->WTP

> The way I understand how WAP works is as follows:
> 1. Phone connects to a normal RAS service (NT RAS, Shiva, whatever) via PPP.

seems like it should be RADIUS only - at least I was not able to connect via NT RAS

> 2. Phone sends request (WTP) to WAP gateway on UDP port 9201

or actually there is a range 9201-9210, but mostly used are 9201 and 9202 - connectionless service and somewhat connection-oriented one

> 3. WAP GW connects HTTP/HTTPS to a webserver

yes, over good old Internet

> (4). WAP GW possibly changes some HTML into WML

it's the most common mistake - the main task of a gateway is to convert text representation of WML into some byte-code representation (all the specs are available at wapforum site - www.wapforum.com). Only some gateways (very few) can do translation from HTML to WML as an option; mostly such reformatting is done on the web server itself (sometimes when I browse Yahoo! news on mobile phone, I get "reformatting engine unavailable" messages :) )

> 5. GW responds (WTP) (either native or converted) to the phone - UDP

again. in particular it sends that byte-code representation of WML page to the handset.

> The request the user enters on the phone is normal URLs. Let us assume that
> the user is asking for something like: http://target/iissamples/issamples/query.asp.
> Let us assume that the GW converts the HTML response to WML (is this right?).
> The phone now gets the response in WML and the user can run searches.

rare thing as I said.. but I guess you can find some reformatting gateways and use them if you want, so e.g. you can browse asp source code in a previous example (if the victim's host is on unpatched IIS, which displays asp source when a dot is added to script name)

> Let us take it a bit further. Let us assume that the server (the webserver) has
> many exploitable CGIs etc., and I want to scan these - but the webserver is
> only accessible via the WAP GW. What I need is a reverse WAP GW so that

almost all wap servers do not have any restrictions on connections from anywhere, so you can scan as usual. And if it is restricted to talk only to a gateway (which is strange, because it then can be used only with specific gateway, that is, with specific operator), you have very small probability that this gateway is translating HTML to WML, so your scenario is highly improbable...

> the complete picture looks like this:
> [scanner]<--HTTP(TCP)--> [converter (reverse WAP GW)]<--WTP(UDP)--> [WAP GW]<--HTTP(TCP)--> [webserver]
> Am I right in saying that this is possible? Has anyone experience with this? Is
> there a HTTP->WTP and HTML->WML converter?

there are converters HTML<->WML, but WTP is not a parallel of HTTP, but of TCP - transport level protocol, not application (actually when used on GSM data connections, it is just UDP, but it can be implemented even over SMS :) )

> Another question. I downloaded a few WAP emulators. Nice.. but the problem is
> that these emulators also act as a WAP GW. That is - should you

they do not, they just connect to the server and get text representation of WML pages, skipping the part of encoding/decoding it to the bytecode representation

> monitor network traffic going out of the emulator you should see normal HTTP traffic -
> it does not use a WAPGW (it seems builtin, or it only supports native WML sites).
> Is there a WAP emulator that can make use of an (external) WAPGW as
> the real phones do?

try Nokia Wap toolkit - at forum.nokia.com - very nice thing, it once helped me to resolve some terrible problem with nokia gateway, it can do whatever you want and display all transaction flow plus compiled bytecode etc...

regards,
Vitaly.
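The "byte-code representation" of a WML deck that Vitaly says the gateway sends to the handset is WBXML (served as WMLC). The following is an added example, not code from the thread: it decodes a small deck of that form back to textual WML, so the gateway's output on UDP 9201/9202 can be read from a capture. The token tables are an assumed subset of the WML 1.1 WBXML tables in the WAP Forum specs, and the sample deck bytes are constructed by hand.

```python
# Added example, not code from the thread: decode a WBXML-encoded WML deck
# ("WMLC"), the byte-code form a WAP gateway returns to the handset inside the
# WSP response on UDP 9201/9202. Token values are a subset of the WML 1.1
# WBXML tables (WAP Forum WML spec); the sample deck bytes are constructed.
END, STR_I = 0x01, 0x03   # close tag/attribute list; inline NUL-terminated string
TAGS = {0x1C: "a", 0x20: "p", 0x26: "br", 0x27: "card", 0x3F: "wml"}
ATTRS = {0x35: ("title", ""), 0x4A: ("href", ""),      # (name, implied prefix)
         0x4B: ("href", "http://"), 0x55: ("id", "")}

def _cstr(data, pos):  # NUL-terminated UTF-8 string at pos -> (text, next pos)
    end = data.index(b"\x00", pos)
    return data[pos:end].decode("utf-8"), end + 1

def _element(data, pos, out):  # one element: tag token, attributes?, content?
    tok, pos = data[pos], pos + 1
    name = TAGS[tok & 0x3F]                 # KeyError for tags outside the subset
    attrs = ""
    if tok & 0x80:                          # bit 7 set: attribute list follows
        while data[pos] != END:
            aname, value = ATTRS[data[pos]]
            pos += 1
            while data[pos] == STR_I:       # value = implied prefix + inline text
                text, pos = _cstr(data, pos + 1)
                value += text
            attrs += f' {aname}="{value}"'
        pos += 1
    if not tok & 0x40:                      # bit 6 clear: empty element
        out.append(f"<{name}{attrs}/>")
        return pos
    out.append(f"<{name}{attrs}>")
    while data[pos] != END:                 # children: inline text or elements
        if data[pos] == STR_I:
            text, pos = _cstr(data, pos + 1)
            out.append(text)
        else:
            pos = _element(data, pos, out)
    out.append(f"</{name}>")
    return pos + 1

def decode_wmlc(data: bytes) -> str:  # WBXML 1.1, WML 1.1, UTF-8, empty string table
    if tuple(data[:4]) != (0x01, 0x04, 0x6A, 0x00):  # version, public id, charset, table len
        raise ValueError("not a WBXML 1.1 WML 1.1 UTF-8 deck without string table")
    out = []
    if _element(data, 4, out) != len(data):
        raise ValueError("trailing bytes after the root element")
    return "".join(out)

# Constructed deck: <wml><card id="c1" title="Hi"><p>Hello <a href="http://target/">go</a><br/></p></card></wml>
SAMPLE_WMLC = (b"\x01\x04\x6a\x00\x7f\xe7\x55\x03c1\x00\x35\x03Hi\x00\x01\x60\x03Hello \x00"
               b"\xdc\x4b\x03target/\x00\x01\x03go\x00\x01\x26\x01\x01\x01")
```

`decode_wmlc(SAMPLE_WMLC)` returns the deck text shown in the comment; unknown tags or attribute tokens raise KeyError, which is the expected result when a capture uses parts of the token table this subset does not cover.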
Current thread:
- WAP & HTTP->WTP Roelof Temmingh (Oct 03)
- Re: WAP & HTTP->WTP Vitaly Osipov (Oct 05)
- SV: WAP & HTTP->WTP Stefan Sundkvist (Oct 05)