Packets on the Rise

Saturday, 2006-09-02; 23:37:00


Packet sniffing the data that iWeb sends to the .mac servers when using the commenting system

Today my friend and I spent some more time to figure out this whole .mac commenting thing. After poking around in the JavaScript files some more, duplicating the Add A Comment page and trying to force comments through the system, I finally went back to the most promising place to get more clues -- packet sniffing.

As I said yesterday, the packet sniffing I did via tcpdump wasn't that helpful. It did indicate that something else was going on, though. Instead of tcpdump, this time I went for Ethereal (I installed it via Fink and FinkCommander, which worked flawlessly).

This time, I was much more successful. Instead of the gibberish, Ethereal gave me some useful stuff to work with. (It's possible that tcpdump does the same, and I just don't know how to use it.) The first thing that caught my eye was this:

[Image: Ethereal Packet Sniffing]

So I now had the full URL to the application ( http://www.mac.com/WebObjects/WSComments.woa/xmlrpc ) that was taking requests, and I had the structure of one of the requests. Ethereal said it was XML over HTTP, so my first thought was to construct a web form that would be able to submit the proper XML to the server. But I didn't know how to exactly send the data in the proper format -- do I send it all as text, using what kind of input HTML tag? Obviously my first few tries didn't work out so well. The app kept giving me back a "faultStringorg.apache.xmlrpc.ParseFailedfaultCode0" failure. No good.

I went back to Ethereal and noted that there were multiple calls to this application. Even before, when I had used tcpdump, there were 5 separate instances where the WSComments URL showed up. Looking back at the specific XML requests in Ethereal showed a few more things that were happening in iWeb. Here are the relevant sections, stripping out the gook:

POST /WebObjects/WSComments.woa/xmlrpc HTTP/1.1
User-Agent: DotMacKit/3.0.1L (10.4.7; iweb)
X-Source-Id: VHl0r3o2WAqKrEHdO9VWsQ==
Content-Type: text/xml
Cookie: wosid=0yuynqjZtBoN5oQhgWNru0; woinst=44
Content-Length: 2316
Connection: close
Host: www.mac.com

<?xml version="1.0" encoding="UTF-8"?>
  <methodCall>
    <methodName>comment.setCommentPropertiesForResources</methodName>
    <params>
      <param>
          <value>
            <struct>
              <member>
                <name>timezone</name>
                  <value>
                    <string>US/Pacific</string>
                  </value>
              </member>
              <member>
                <name>visible</name>
                  <value>
                    <string>true</string>
                  </value>
              </member>
              <member>
                <name>allowSubcomments</name>
                  <value>
                    <string>false</string>
                  </value>
              </member>
              <member>
                <name>mutable</name>
                  <value>
                    <string>true</string>
                  </value>
              </member>
              <member>
                <name>allowMedia</name>
                  <value>
                    <string>false</string>
                  </value>
              </member>
              <member>
                <name>dateFormat</name>
                  <value>
                    <string>%A, %B %e, %Y - %I:%M %p</string>
                  </value>
              </member>
              <member>
                <name>moderated</name>
                  <value>
                    <string>false</string>
                  </value>
              </member>
              <member>
                <name>lang</name>
                  <value>
                    <string>English</string>
                  </value>
              </member>
              <member>
                <name>appid</name>
                  <value>
                    <string>iweb</string>
                  </value>
              </member>
            </struct>
          </value>
      </param>
      <param>
          <value>
            <array>
              <data>
                <value>
                  <string>/simx/Web/Sites/iWeb/Sito/Blog/57B6EF51-6005-4EC4-9F66-FC17CEFB0FA6.html</string>
                </value>
              </data>
            </array>
          </value>
      </param>
    </params>
  </methodCall>

POST /WebObjects/WSComments.woa/xmlrpc HTTP/1.1
User-Agent: DotMacKit/3.0.1L (10.4.7; iweb)
X-Source-Id: VHl0r3o2WAqKrEHdO9VWsQ==
Content-Type: text/xml
Cookie: wosid=0yuynqjZtBoN5oQhgWNru0; woinst=44
Content-Length: 472
Connection: close
Host: www.mac.com

<?xml version="1.0" encoding="UTF-8"?>
  <methodCall>
    <methodName>comment.indexComments</methodName>
    <params>
      <param>
          <value>
            <array>
              <data>
                <value>
                  <string>/simx/Web/Sites/iWeb/Sito/Blog/57B6EF51-6005-4EC4-9F66-FC17CEFB0FA6.html</string>
                </value>
              </data>
            </array>
          </value>
      </param>
    </params>
  </methodCall>

POST /WebObjects/WSComments.woa/xmlrpc HTTP/1.1
User-Agent: DotMacKit/3.0.1L (10.4.7; iweb)
X-Source-Id: VHl0r3o2WAqKrEHdO9VWsQ==
Content-Type: text/xml
Cookie: wosid=0yuynqjZtBoN5oQhgWNru0; woinst=44
Content-Length: 128
Connection: close
Host: www.mac.com

<?xml version="1.0" encoding="UTF-8"?>
  <methodCall>
    <methodName>comment.terminateSession</methodName>
  </methodCall>

POST /WebObjects/WSComments.woa/xmlrpc HTTP/1.1
User-Agent: DotMacKit/3.0.1L (10.4.7; iweb)
X-Source-Id: VHl0r3o2WAqKrEHdO9VWsQ==
Content-Type: text/xml
Cookie: wosid=o45ULgT8bUGRvdEdlHOOlw; woinst=52
Content-Length: 371
Connection: close
Host: www.mac.com

<?xml version="1.0" encoding="UTF-8"?>
  <methodCall>
    <methodName>comment.changeTagForComments</methodName>
    <params>
      <param>
          <value>
            <string>iweb</string>
          </value>
      </param>
      <param>
          <value>
            <string>simx</string>
          </value>
      </param>
    </params>
  </methodCall>

POST /WebObjects/WSComments.woa/xmlrpc HTTP/1.1
User-Agent: DotMacKit/3.0.1L (10.4.7; iweb)
X-Source-Id: VHl0r3o2WAqKrEHdO9VWsQ==
Content-Type: text/xml
Cookie: wosid=o45ULgT8bUGRvdEdlHOOlw; woinst=52
Content-Length: 594
Connection: close
Host: www.mac.com

<?xml version="1.0" encoding="UTF-8"?>
  <methodCall>
    <methodName>comment.commentIdentifiersSinceChangeTag</methodName>
    <params>
      <param>
          <value>
            <string>30</string>
          </value>
      </param>
      <param>
          <value>
            <array>
              <data>
                <value>
                  <string>/simx/Web/Sites/iWeb/Sito/Blog/57B6EF51-6005-4EC4-9F66-FC17CEFB0FA6.html</string>
                </value>
              </data>
            </array>
          </value>
      </param>
    </params>
  </methodCall>


There are 5 separate calls to the xmlrpc application. The first calls the "comment.setCommentPropertiesForResources" method, the second "comment.indexComments", the third "comment.terminateSession", the fourth "comment.changeTagForComments", and the last is "comment.commentIdentifiersSinceChangeTag". These are clearly the methods that manipulate comments inside the system, which means that I'm going to have to replicate these XML calls that iWeb does if I want to use the .mac commenting system -- which means that I'll have to run an AppleScript manually after I publish each time to tell .mac that there's a new entry at a certain URL, assuming that I do end up using the .mac commenting system.

My friend was fiendishly sending me various URLs throughout this whole ordeal. Earlier, he had given me some links to help figure out how to structure a web form that would submit the proper URL. But then he sent me this URL from Apple's developer documentation. Sweet! A way to send XML requests via AppleScript! My favorite!

Using the raw XML requests above, we quickly created this AppleScript that replicates all five XML requests in succession:

tell application "http://www.mac.com/WebObjects/WSComments.woa/xmlrpc"
        -- The five calls are made in the same order as in the capture above.
        -- The "visible" label in the first record is the one AppleScript rewrites (see below).
        call xmlrpc {method name:"comment.setCommentPropertiesForResources", parameters:{{timezone:"US/Pacific", visible:"true", allowSubcomments:"false", mutable:"true", allowMedia:"false", dateFormat:"%A, %B %e, %Y - %I:%M %p", moderated:"false", lang:"English", appid:"iweb"}, {"/simx/test.html"}}}
        
        call xmlrpc {method name:"comment.indexComments", parameters:{{"/simx/test.html"}}}
        
        -- This call takes no parameters.
        call xmlrpc {method name:"comment.terminateSession"}
        
        call xmlrpc {method name:"comment.changeTagForComments", parameters:{"iweb", "simx"}}
        
        call xmlrpc {method name:"comment.commentIdentifiersSinceChangeTag", parameters:{"30", {"/simx/test.html"}}}
end tell


There are two small problems. One: "visible" is a special word in the AppleScript language, so instead of sending the word "visible" as the name of a member in the struct of the XML request, AppleScript changes the name to "pvis" and moves that member of the struct to the top, rather than leaving it in second position where it should be.

First question: is there a way to escape special words in the AppleScript language? There's this message on the Apple mailing list that suggests there's a different way to get the name "visible" into an XML request, but I'm not exactly sure what the solution means and/or how to use it in an AppleScript. Can anybody offer a little help?

Regardless of this problem, there's another more fundamental problem. When running this AppleScript, I get an "org.apache.xmlrpc.XmlRpcException: Session not found. Re-authenticate" error. This implies that there needs to be some authentication to the mac.com server first. And indeed, looking back in the packet sniffing record, these packets appear right before the first request to the xmlrpc application:

1232 17.899014   10.0.1.50             17.250.248.32         TCP      56392 > https [SYN] Seq=0 Ack=0 Win=65535 Len=0 MSS=1460 WS=3 TSV=5833819 TSER=0
1233 17.914115   17.250.248.32         10.0.1.50             TCP      https > 56392 [SYN, ACK] Seq=0 Ack=1 Win=8190 Len=0 MSS=1460
1234 17.914255   10.0.1.50             17.250.248.32         TCP      56392 > https [ACK] Seq=1 Ack=1 Win=65535 Len=0
1235 17.915242   10.0.1.50             17.250.248.32         TLS      Client Hello
1236 17.933632   17.250.248.32         10.0.1.50             TLS      Server Hello, Change Cipher Spec, Encrypted Handshake Message
1237 17.933757   10.0.1.50             17.250.248.32         TCP      56392 > https [ACK] Seq=125 Ack=123 Win=65535 Len=0
1238 17.935355   10.0.1.50             17.250.248.32         TLS      Change Cipher Spec
1239 17.935425   10.0.1.50             17.250.248.32         TLS      Encrypted Handshake Message
1240 17.936201   10.0.1.50             17.250.248.32         TLS      Application Data
1241 17.936506   10.0.1.50             17.250.248.32         TLS      Application Data
1242 17.954101   17.250.248.32         10.0.1.50             TCP      https > 56392 [ACK] Seq=123 Ack=131 Win=8190 Len=0
1243 17.954561   17.250.248.32         10.0.1.50             TCP      https > 56392 [ACK] Seq=123 Ack=168 Win=8190 Len=0
1244 17.960090   17.250.248.32         10.0.1.50             TCP      https > 56392 [ACK] Seq=123 Ack=407 Win=8190 Len=0
1245 17.960555   17.250.248.32         10.0.1.50             TCP      https > 56392 [ACK] Seq=123 Ack=798 Win=8190 Len=0
1246 17.968540   17.250.248.32         10.0.1.50             TLS      Application Data
1247 17.968607   10.0.1.50             17.250.248.32         TCP      56392 > https [ACK] Seq=798 Ack=592 Win=65535 Len=0
1248 17.968678   17.250.248.32         10.0.1.50             TLS      Encrypted Alert
1249 17.968713   10.0.1.50             17.250.248.32         TCP      56392 > https [ACK] Seq=798 Ack=616 Win=65535 Len=0
1250 17.970234   10.0.1.50             17.250.248.32         TLS      Encrypted Alert
1251 17.972006   10.0.1.50             17.250.248.32         TCP      56392 > https [FIN, ACK] Seq=821 Ack=616 Win=65535 Len=0
1253 17.988768   17.250.248.32         10.0.1.50             TCP      https > 56392 [ACK] Seq=616 Ack=821 Win=8190 Len=0
1254 17.988834   17.250.248.32         10.0.1.50             TCP      https > 56392 [ACK] Seq=616 Ack=822 Win=8190 Len=0


These look like a secure authentication request over the HTTP protocol to me.

Second question(s): Where is the authentication request sent, and what authentication credentials does it send? My .mac username and password? And how do subsequent xmlrpc calls use the result of that authentication request so that the WSComments.woa WebObjects application doesn't refuse their calls? Is there a way to sniff even these packets to get at that data? Can I use AppleScript to execute the authentication request?
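
The five captured requests can also be decoded mechanically, which makes the session handling behind these questions easier to see: the `wosid` cookie travels in plain HTTP with every call, and its value changes after `comment.terminateSession`. The Python sketch below is an added example, not part of the original post. Its sample capture is constructed from the requests shown earlier (trimmed to request line, Cookie header and a shortened body), and the function names are illustrative.

```python
import re
import xmlrpc.client

# Constructed sample: the five captured requests, trimmed to request line,
# Cookie header and a one-line body (XML declaration dropped, struct cut down).
ARR = ("<param><value><array><data><value><string>/simx/test.html</string>"
       "</value></data></array></value></param>")
STR = "<param><value><string>%s</string></value></param>"
STRUCT = ("<param><value><struct><member><name>visible</name><value><string>"
          "true</string></value></member></struct></value></param>")
REQ = "POST /WebObjects/WSComments.woa/xmlrpc HTTP/1.1\nCookie: wosid=%s; woinst=%s\n\n"
A, B = REQ % ("0yuynqjZtBoN5oQhgWNru0", 44), REQ % ("o45ULgT8bUGRvdEdlHOOlw", 52)
CALL = "<methodCall><methodName>comment.%s</methodName>%s</methodCall>\n"
CAPTURE = (
    A + CALL % ("setCommentPropertiesForResources", f"<params>{STRUCT}{ARR}</params>")
    + A + CALL % ("indexComments", f"<params>{ARR}</params>")
    + A + CALL % ("terminateSession", "")
    + B + CALL % ("changeTagForComments", f"<params>{STR % 'iweb'}{STR % 'simx'}</params>")
    + B + CALL % ("commentIdentifiersSinceChangeTag", f"<params>{STR % '30'}{ARR}</params>")
)

def parse_capture(text):
    """Return (wosid, method name, decoded params) for each captured POST."""
    calls = []
    for raw in re.split(r"(?m)^POST ", text)[1:]:
        head, _, body = raw.partition("\n\n")      # blank line ends the headers
        cookies = {}
        for line in head.splitlines()[1:]:         # skip the request line
            name, _, value = line.partition(": ")
            if name.lower() == "cookie":
                cookies = dict(c.strip().split("=", 1) for c in value.split(";"))
        params, method = xmlrpc.client.loads(body.strip())  # stdlib XML-RPC decoder
        calls.append((cookies.get("wosid"), method, params))
    return calls

def methods_by_session(calls):
    """Group method names by the cleartext wosid cookie they were sent with."""
    sessions = {}
    for wosid, method, _ in calls:
        sessions.setdefault(wosid, []).append(method)
    return sessions

if __name__ == "__main__":
    for wosid, methods in methods_by_session(parse_capture(CAPTURE)).items():
        print(wosid, methods)
```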

Gah. So close, it seems. Just an https and a stupid AppleScript word away from being able to use .mac commenting outside of iWeb.

