Upgrade to Pro — share decks privately, control downloads, hide ads and more …

One Weird Kernel Trick: Hijacking IPython Websockets

One Weird Kernel Trick: Hijacking IPython Websockets

Lightning talk at #SciPy2014. Vulnerability disclosure of cross domain websocket hijacking in the IPython notebook. https://twitter.com/rgbkrk/status/487369535456935936

See also: http://lambdaops.com/cross-origin-websocket-hijacking-of-ipython

Kyle Kelley

July 10, 2014

More Decks by Kyle Kelley

Other Decks in Programming


  1. The IPython Notebook • Runs code on your (laptop |

    server | cluster | pi) • From your browser… • JavaScript -> Notebook Server -> Kernel • Kernel.execute
  2. !

  3. Mitigations • Kernel ID is a UUID, randomly generated •

    Using an authenticated notebook server protects you from this issue • Fixed in IPython 1.2+, 2.x series