
Web sockets - Pentesting

Published in: Technology

  1. WEBSOCKETS: A QUICK TOUR
  2. ABOUT ME: NEHA BAHETY, PENETRATION TESTER & ETHICAL HACKER
  3. WHAT IS THIS TALK ABOUT? What are WebSockets? Why do we need them? How do we use them? Tools used for WebSocket pentesting. List of vulnerabilities. What limitations do they have?
  4. WHAT ARE WEBSOCKETS? WEBSOCKET IS A TECHNOLOGY FOR PROVIDING BI-DIRECTIONAL, FULL-DUPLEX COMMUNICATION CHANNELS OVER A SINGLE TCP SOCKET.
  5. SIMPLE DEFINITION: IT'S A NEW FEATURE IN HTML5 THAT LETS YOU STREAM DATA TO AND FROM WEB BROWSERS.
  6. SOME MORE INFORMATION ABOUT WEB_SOCKET
  7. WEB_SOCKET HANDSHAKE
  8. WHY DO WE NEED WEBSOCKETS?
      • WebSocket is a naturally full-duplex, bidirectional, single-socket connection. With WebSocket, your HTTP request becomes a single request to open a WebSocket connection, and the same connection is reused from the client to the server and from the server to the client.
      • WebSocket reduces latency. For example, unlike polling, WebSocket makes a single request. The server does not need to wait for a request from the client. Similarly, the client can send messages to the server at any time. This single request greatly reduces latency over polling, which sends a request at intervals, regardless of whether messages are available.
      • WebSocket makes real-time communication much more efficient. You can always use polling (and sometimes even streaming) over HTTP to receive notifications. However, WebSocket saves bandwidth, CPU power, and latency. WebSocket is an innovation in performance.
  9. SOME MORE USAGE:
      • WebSocket is an underlying network protocol that enables you to build other standard protocols on top of it.
      • WebSocket is part of an effort to provide advanced capabilities to HTML5 applications in order to compete with other platforms.
      • WebSocket is about simplicity.
  10. HOW DO WE USE THEM? What is required:
      • Webkit: Chrome, Safari (works on iOS)
      • Client JavaScript API
      • Server-side API
  11. TOOLS USED
      • Burp can proxy WebSocket traffic
      • OWASP ZAP can proxy and fuzz WebSocket traffic
      • Chrome offers a WebSocket client and developer tools (F12)
      • During the mapping phase, look for ws:// or wss://
      • Both Ruby and Python support WebSocket clients and servers
  12. LIST OF VULNERABILITIES
      • WebSockets have been a source of interesting vulnerabilities
      • Apache, Wireshark, Chrome, OpenStack, MessageSight, Firefox, Drupal, Ansible Tower, and others
      • Denial of service, remote code execution, sandbox bypass, and authorization bypass
      • CVE-2014-0193, CVE-2014-0921, CVE-2014-0922, CVE-2014-1703, CVE-2014-3165, CVE-2014-3429, CVE-2015-0176, CVE-2015-0228, CVE-2015-0259, CVE-2015-1244, CVE-2015-1482, CVE-2015-3810, CVE-2015-7197, and CVE-2015-8601
  13. LIMITATIONS: ANY GUESSES???
  14. BIG ONES
      • Not all browsers support them: Firefox 4, IE9, Opera
      • WebSockets need maintenance and care:
          • Re-open the connection on network timeout
          • Back off if the server is down
          • Keep alive if your connection times out
          • Buffer and resend messages in the above cases
      • Many libraries – including the most popular Ruby one
  15. ATTACKER'S VIEW OF WEBSOCKET
      • This is a relatively new area of security research
      • New technologies create challenges for defenders
          • Protocol use might not be properly monitored
          • Defenders might not even know it is there!
      • Attackers can leverage WebSockets to
          • attack server side
          • attack client side
          • attack parsers
          • bypass filtering
  16. REFERENCES
      • https://tools.ietf.org/html/rfc6455
      • https://blog.sessionstack.com/how-javascript-works-deep-dive-into-websockets-and-http-2-with-sse-how-to-pick-the-right-path-584e6b8e3bf7
      • https://media.blackhat.com/bh-us-12/Briefings/Shekyan/BH_US_12_Shekyan_Toukharian_Hacking_Websocket_Slides.pdf
      • https://github.com/interference-security/DVWS
      • https://github.com/tssoffsec/docker-dvwsocket
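
Slides 11 and 15 say to look for ws:// and wss:// during mapping and warn that defenders may not know WebSocket traffic is there. The following is an added example, not part of the original slides: it inventories WebSocket endpoints from page source and from a captured HTTP exchange, and checks the handshake's Sec-WebSocket-Accept value as RFC 6455 defines it. The host chat.example.test, the sample script and the sample capture are constructed, and the function names are hypothetical.

```python
import base64
import hashlib
import re

WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"  # constant fixed by RFC 6455
WS_URL = re.compile(r"\bwss?://[^\s\"'<>]+")

def find_ws_urls(source):
    """Mapping step: list ws:// and wss:// endpoints referenced in page source."""
    return sorted(set(WS_URL.findall(source)))

def parse(raw):
    """Split a raw HTTP message into (start line, {lowercased header: value})."""
    lines = raw.strip().splitlines()
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers

def expected_accept(key):
    """Sec-WebSocket-Accept the server must return for a given Sec-WebSocket-Key."""
    digest = hashlib.sha1((key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")

def audit_exchange(request, response, tls):
    """Return a finding for a WebSocket upgrade, or None for ordinary HTTP."""
    req_line, req = parse(request)
    resp_line, resp = parse(response)
    conn = [t.strip().lower() for t in req.get("connection", "").split(",")]
    if req.get("upgrade", "").lower() != "websocket" or "upgrade" not in conn:
        return None
    completed = resp_line.split()[1] == "101"  # 101 Switching Protocols
    accept = expected_accept(req.get("sec-websocket-key", ""))
    return {
        "endpoint": ("wss" if tls else "ws") + "://" + req.get("host", "?") + req_line.split()[1],
        "completed": completed,
        "accept_valid": completed and resp.get("sec-websocket-accept") == accept,
        "cleartext": not tls,  # ws:// traffic is readable on the wire
    }

# Constructed samples (not from the slides): script source and one captured handshake.
PAGE_JS = 'new WebSocket("ws://chat.example.test/feed"); new WebSocket("wss://chat.example.test/admin");'
REQ = ("GET /feed HTTP/1.1\nHost: chat.example.test\nUpgrade: websocket\n"
       "Connection: keep-alive, Upgrade\nSec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\n")
RESP = ("HTTP/1.1 101 Switching Protocols\nUpgrade: websocket\nConnection: Upgrade\n"
        "Sec-WebSocket-Accept: s3pPLMBiTxaQ9kYGzzhZRbK+xOo=\n")

if __name__ == "__main__":
    print(find_ws_urls(PAGE_JS), audit_exchange(REQ, RESP, tls=False))
```

Findings with "cleartext" set, or endpoints that appear in captures but not in the application inventory, are the ones to bring under monitoring first.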
