Ihor Bliumental - WebSockets

OWASP Kyiv
OWASP Kyiv
Mar. 4, 2018
Ihor Bliumental - WebSockets
Ihor Bliumental - WebSockets
Ihor Bliumental - WebSockets
Ihor Bliumental - WebSockets
Ihor Bliumental - WebSockets
Ihor Bliumental - WebSockets
Ihor Bliumental - WebSockets
Ihor Bliumental - WebSockets
Ihor Bliumental - WebSockets
Ihor Bliumental - WebSockets
Ihor Bliumental - WebSockets
Ihor Bliumental - WebSockets
Ihor Bliumental - WebSockets
Ihor Bliumental - WebSockets
Ihor Bliumental - WebSockets
Ihor Bliumental - WebSockets
Ihor Bliumental - WebSockets
Ihor Bliumental - WebSockets
Ihor Bliumental - WebSockets
Ihor Bliumental - WebSockets
Ihor Bliumental - WebSockets
Ihor Bliumental - WebSockets
1 of 22

Ihor Bliumental - WebSockets

Mar. 4, 2018
Download to read offline
Technology

WebSockets security analysis methods and techniques.

OWASP Kyiv
OWASP Kyiv

Recommended

Web securityWeb security
Web securityGreater Noida Institute Of Technology155 views13 slides
Wap wmlWap wml
Wap wmlAnkit Anand110 views22 slides
IWMW 1998: Server Management (3) Controlling accessIWMW 1998: Server Management (3) Controlling access
IWMW 1998: Server Management (3) Controlling accessIWMW 191 views11 slides
15 intro to ssl certificate & pki concept15 intro to ssl certificate & pki concept
15 intro to ssl certificate & pki conceptMostafa El Lathy278 views18 slides
KILLME NOWITSELFKILLME NOWITSELF
KILLME NOWITSELFShehab Imam254 views18 slides
Proxy PresentationProxy Presentation
Proxy Presentationprimeteacher326K views11 slides

More Related Content

Slideshows for you

Information Security SystemsInformation Security Systems
Information Security SystemsEyad Mhanna271 views16 slides
020618 Why Do we Need HTTPS020618 Why Do we Need HTTPS
020618 Why Do we Need HTTPSJackio Kwok395 views23 slides
Stable proxies it's type and advantagesStable proxies it's type and advantages
Stable proxies it's type and advantagesstableproxies14K views22 slides
Introduction to stable proxies.Introduction to stable proxies.
Introduction to stable proxies.stableproxies217 views22 slides
cryptography security cryptography security
cryptography securityZia3130148 views14 slides
Web Proxy ServerWeb Proxy Server
Web Proxy ServerMohit Dhankher1K views17 slides

Slideshows for you(18)

Information Security SystemsInformation Security Systems
Information Security Systems
Eyad Mhanna271 views
020618 Why Do we Need HTTPS020618 Why Do we Need HTTPS
020618 Why Do we Need HTTPS
Jackio Kwok395 views
Stable proxies it's type and advantagesStable proxies it's type and advantages
Stable proxies it's type and advantages
stableproxies14K views
Introduction to stable proxies.Introduction to stable proxies.
Introduction to stable proxies.
stableproxies217 views
cryptography security cryptography security
cryptography security
Zia3130148 views
Web Proxy ServerWeb Proxy Server
Web Proxy Server
Mohit Dhankher1K views
Introduce wardenIntroduce warden
Introduce warden
Hieu Nguyen Trung385 views
12 web security12 web security
12 web security
StephenKardian88 views
SignalR SignalR
SignalR
Sarvesh Kushwaha243 views
XML Key Management Protocol for Secure Web ServiceXML Key Management Protocol for Secure Web Service
XML Key Management Protocol for Secure Web Service
Md. Hasan Basri (Angel)1.3K views
Fundamental of Webserver Hacking, Web Applications and Database AttacksFundamental of Webserver Hacking, Web Applications and Database Attacks
Fundamental of Webserver Hacking, Web Applications and Database Attacks
UK Defence Cyber School14 views
WT - Firewall & Proxy ServerWT - Firewall & Proxy Server
WT - Firewall & Proxy Server
vinay arora2.1K views
Proxy Servers & FirewallsProxy Servers & Firewalls
Proxy Servers & Firewalls
Mehdi Poustchi Amin25.5K views
Introduction to OAuthIntroduction to OAuth
Introduction to OAuth
Wei-Tsung Su1.3K views
Http Proxy ServerHttp Proxy Server
Http Proxy Server
Sourav Roy5.6K views
Api sec demo_updated_v2Api sec demo_updated_v2
Api sec demo_updated_v2
Aravindan A94 views
y3dips hacking priv8 networky3dips hacking priv8 network
y3dips hacking priv8 network
idsecconf1.3K views
SqlvikingSqlviking
Sqlviking
Jonn Callahan291 views

Similar to Ihor Bliumental - WebSockets

Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applicationsNiyas Nazar1.3K views34 slides
Computer Network Case Study - bajju.pptxComputer Network Case Study - bajju.pptx
Computer Network Case Study - bajju.pptxShivamBajaj3655 views12 slides
The path of secure software by Katy AntonThe path of secure software by Katy Anton
The path of secure software by Katy AntonDevSecCon227 views59 slides
HTML5 hackingHTML5 hacking
HTML5 hackingBlueinfy Solutions3.1K views84 slides
Owasp Mobile Risk Series : M3 : Insufficient Transport Layer ProtectionOwasp Mobile Risk Series : M3 : Insufficient Transport Layer Protection
Owasp Mobile Risk Series : M3 : Insufficient Transport Layer ProtectionAnant Shrivastava40.5K views21 slides
WebApps_Lecture_15.pptWebApps_Lecture_15.ppt
WebApps_Lecture_15.pptOmprakashVerma5610 views45 slides

Similar to Ihor Bliumental - WebSockets(20)

Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applications
Niyas Nazar1.3K views
Computer Network Case Study - bajju.pptxComputer Network Case Study - bajju.pptx
Computer Network Case Study - bajju.pptx
ShivamBajaj3655 views
The path of secure software by Katy AntonThe path of secure software by Katy Anton
The path of secure software by Katy Anton
DevSecCon227 views
HTML5 hackingHTML5 hacking
HTML5 hacking
Blueinfy Solutions3.1K views
Owasp Mobile Risk Series : M3 : Insufficient Transport Layer ProtectionOwasp Mobile Risk Series : M3 : Insufficient Transport Layer Protection
Owasp Mobile Risk Series : M3 : Insufficient Transport Layer Protection
Anant Shrivastava40.5K views
WebApps_Lecture_15.pptWebApps_Lecture_15.ppt
WebApps_Lecture_15.ppt
OmprakashVerma5610 views
Protecting Web Services from DDOS AttackProtecting Web Services from DDOS Attack
Protecting Web Services from DDOS Attack
Ponraj 7.2K views
Building Client-Side Attacks with HTML5 FeaturesBuilding Client-Side Attacks with HTML5 Features
Building Client-Side Attacks with HTML5 Features
Conviso Application Security3.2K views
Spa Secure Coding GuideSpa Secure Coding Guide
Spa Secure Coding Guide
Geoffrey Vandiest152 views
Web Services Hacking and SecurityWeb Services Hacking and Security
Web Services Hacking and Security
Blueinfy Solutions6.1K views
DEF CON 24 - workshop - Craig Young - brainwashing embedded systemsDEF CON 24 - workshop - Craig Young - brainwashing embedded systems
DEF CON 24 - workshop - Craig Young - brainwashing embedded systems
Felipe Prado42 views
aa
a
Sandeep Kumar197 views
Html5 securityHtml5 security
Html5 security
Krishna T2.6K views
www.webre24h.com - Ajax securitywww.webre24h.com - Ajax security
www.webre24h.com - Ajax security
webre24h189 views
Information Security EngineeringInformation Security Engineering
Information Security Engineering
Md. Hasan Basri (Angel)192 views
Cross Site Scripting - Mozilla Security Learning CenterCross Site Scripting - Mozilla Security Learning Center
Cross Site Scripting - Mozilla Security Learning Center
Michael Coates6.1K views
WebsocketWebsocket
Websocket
艾鍗科技2.2K views
DDD Melbourne 2014 security in ASP.Net Web API 2DDD Melbourne 2014 security in ASP.Net Web API 2
DDD Melbourne 2014 security in ASP.Net Web API 2
Pratik Khasnabis1.3K views
Post XSS Exploitation : Advanced Attacks and RemediesPost XSS Exploitation : Advanced Attacks and Remedies
Post XSS Exploitation : Advanced Attacks and Remedies
Adwiteeya Agrawal3.4K views
Security Patterns with WSO2 ESBSecurity Patterns with WSO2 ESB
Security Patterns with WSO2 ESB
WSO25.2K views

More from OWASP Kyiv

Is there a penetration testing within PCI DSS certification? (Dmytro Diordiyc...Is there a penetration testing within PCI DSS certification? (Dmytro Diordiyc...
Is there a penetration testing within PCI DSS certification? (Dmytro Diordiyc...OWASP Kyiv246 views34 slides
Software Supply Chain Security та компоненти з відомими вразливостямиSoftware Supply Chain Security та компоненти з відомими вразливостями
Software Supply Chain Security та компоненти з відомими вразливостямиOWASP Kyiv197 views21 slides
Cloud Security Hardening та аудит хмарної безпеки за допомогою Scout SuiteCloud Security Hardening та аудит хмарної безпеки за допомогою Scout Suite
Cloud Security Hardening та аудит хмарної безпеки за допомогою Scout SuiteOWASP Kyiv153 views31 slides
Threat Modeling with OWASP Threat DragonThreat Modeling with OWASP Threat Dragon
Threat Modeling with OWASP Threat DragonOWASP Kyiv600 views12 slides
Anastasia Vixentael - Don't Waste Time on Learning Cryptography: Better Use I...Anastasia Vixentael - Don't Waste Time on Learning Cryptography: Better Use I...
Anastasia Vixentael - Don't Waste Time on Learning Cryptography: Better Use I...OWASP Kyiv693 views79 slides
Vlad Styran - Cyber Security Economics 101Vlad Styran - Cyber Security Economics 101
Vlad Styran - Cyber Security Economics 101OWASP Kyiv466 views17 slides

More from OWASP Kyiv(20)

Is there a penetration testing within PCI DSS certification? (Dmytro Diordiyc...Is there a penetration testing within PCI DSS certification? (Dmytro Diordiyc...
Is there a penetration testing within PCI DSS certification? (Dmytro Diordiyc...
OWASP Kyiv246 views
Software Supply Chain Security та компоненти з відомими вразливостямиSoftware Supply Chain Security та компоненти з відомими вразливостями
Software Supply Chain Security та компоненти з відомими вразливостями
OWASP Kyiv197 views
Cloud Security Hardening та аудит хмарної безпеки за допомогою Scout SuiteCloud Security Hardening та аудит хмарної безпеки за допомогою Scout Suite
Cloud Security Hardening та аудит хмарної безпеки за допомогою Scout Suite
OWASP Kyiv153 views
Threat Modeling with OWASP Threat DragonThreat Modeling with OWASP Threat Dragon
Threat Modeling with OWASP Threat Dragon
OWASP Kyiv600 views
Anastasia Vixentael - Don't Waste Time on Learning Cryptography: Better Use I...Anastasia Vixentael - Don't Waste Time on Learning Cryptography: Better Use I...
Anastasia Vixentael - Don't Waste Time on Learning Cryptography: Better Use I...
OWASP Kyiv693 views
Vlad Styran - Cyber Security Economics 101Vlad Styran - Cyber Security Economics 101
Vlad Styran - Cyber Security Economics 101
OWASP Kyiv466 views
Pavlo Radchuk - OWASP SAMM: Understanding Agile in SecurityPavlo Radchuk - OWASP SAMM: Understanding Agile in Security
Pavlo Radchuk - OWASP SAMM: Understanding Agile in Security
OWASP Kyiv2.4K views
Ivan Vyshnevskyi - Not So Quiet Git PushIvan Vyshnevskyi - Not So Quiet Git Push
Ivan Vyshnevskyi - Not So Quiet Git Push
OWASP Kyiv432 views
Dima Kovalenko - Modern SSL PinningDima Kovalenko - Modern SSL Pinning
Dima Kovalenko - Modern SSL Pinning
OWASP Kyiv525 views
Yevhen Teleshyk - OAuth PhishingYevhen Teleshyk - OAuth Phishing
Yevhen Teleshyk - OAuth Phishing
OWASP Kyiv362 views
Vlada Kulish - Why So Serial?Vlada Kulish - Why So Serial?
Vlada Kulish - Why So Serial?
OWASP Kyiv590 views
Vlad Styran - OWASP Kyiv 2017 Report and 2018 PlansVlad Styran - OWASP Kyiv 2017 Report and 2018 Plans
Vlad Styran - OWASP Kyiv 2017 Report and 2018 Plans
OWASP Kyiv344 views
Roman Borodin - ISC2 & ISACA Certification Programs First-hand ExperienceRoman Borodin - ISC2 & ISACA Certification Programs First-hand Experience
Roman Borodin - ISC2 & ISACA Certification Programs First-hand Experience
OWASP Kyiv815 views
Serhiy Korolenko - The Strength of Ukrainian Users’ P@ssw0rds2017Serhiy Korolenko - The Strength of Ukrainian Users’ P@ssw0rds2017
Serhiy Korolenko - The Strength of Ukrainian Users’ P@ssw0rds2017
OWASP Kyiv1.1K views
Viktor Zhora - Cyber and Geopolitics: Ukrainian factorViktor Zhora - Cyber and Geopolitics: Ukrainian factor
Viktor Zhora - Cyber and Geopolitics: Ukrainian factor
OWASP Kyiv647 views
Andriy Shalaenko - GO security tipsAndriy Shalaenko - GO security tips
Andriy Shalaenko - GO security tips
OWASP Kyiv1.5K views
Vlad Styran - "Hidden" Features of the Tools We All LoveVlad Styran - "Hidden" Features of the Tools We All Love
Vlad Styran - "Hidden" Features of the Tools We All Love
OWASP Kyiv636 views
Volodymyr Ilibman - Close Look at Nyetya InvestigationVolodymyr Ilibman - Close Look at Nyetya Investigation
Volodymyr Ilibman - Close Look at Nyetya Investigation
OWASP Kyiv412 views
Ihor Bliumental - Collision CORSIhor Bliumental - Collision CORS
Ihor Bliumental - Collision CORS
OWASP Kyiv370 views
Lidiia 'Alice' Skalytska - Security Checklist for Web DevelopersLidiia 'Alice' Skalytska - Security Checklist for Web Developers
Lidiia 'Alice' Skalytska - Security Checklist for Web Developers
OWASP Kyiv548 views

Recently uploaded

zkStudyClub - Lasso/Jolt (Justin Thaler, GWU/a16z)zkStudyClub - Lasso/Jolt (Justin Thaler, GWU/a16z)
zkStudyClub - Lasso/Jolt (Justin Thaler, GWU/a16z)Alex Pruden17 views39 slides
AI and ML Series - Introduction to Generative AI and LLMs - Session 1AI and ML Series - Introduction to Generative AI and LLMs - Session 1
AI and ML Series - Introduction to Generative AI and LLMs - Session 1DianaGray10179 views38 slides
Info Session GDSC Mepco Sechenk Chapter.pptxInfo Session GDSC Mepco Sechenk Chapter.pptx
Info Session GDSC Mepco Sechenk Chapter.pptxDURAIVIGNESHC15 views13 slides
GDSC INFO.pptxGDSC INFO.pptx
GDSC INFO.pptxAshishChanchal136 views15 slides
GDSC SRMCEM Info Session 2023GDSC SRMCEM Info Session 2023
GDSC SRMCEM Info Session 2023HariOM Dwivedi56 views8 slides
GDSC Final PPT.pptxGDSC Final PPT.pptx
GDSC Final PPT.pptxDishaSharma73798420 views22 slides

Recently uploaded(20)

zkStudyClub - Lasso/Jolt (Justin Thaler, GWU/a16z)zkStudyClub - Lasso/Jolt (Justin Thaler, GWU/a16z)
zkStudyClub - Lasso/Jolt (Justin Thaler, GWU/a16z)
Alex Pruden17 views
AI and ML Series - Introduction to Generative AI and LLMs - Session 1AI and ML Series - Introduction to Generative AI and LLMs - Session 1
AI and ML Series - Introduction to Generative AI and LLMs - Session 1
DianaGray10179 views
Info Session GDSC Mepco Sechenk Chapter.pptxInfo Session GDSC Mepco Sechenk Chapter.pptx
Info Session GDSC Mepco Sechenk Chapter.pptx
DURAIVIGNESHC15 views
GDSC INFO.pptxGDSC INFO.pptx
GDSC INFO.pptx
AshishChanchal136 views
GDSC SRMCEM Info Session 2023GDSC SRMCEM Info Session 2023
GDSC SRMCEM Info Session 2023
HariOM Dwivedi56 views
GDSC Final PPT.pptxGDSC Final PPT.pptx
GDSC Final PPT.pptx
DishaSharma73798420 views
[KCD GT 2023] Demystifying etcd failure scenarios for Kubernetes.pdf[KCD GT 2023] Demystifying etcd failure scenarios for Kubernetes.pdf
[KCD GT 2023] Demystifying etcd failure scenarios for Kubernetes.pdf
William Caban45 views
OpenFOAM benchmark for EPYC server: cavity mediumOpenFOAM benchmark for EPYC server: cavity medium
OpenFOAM benchmark for EPYC server: cavity medium
takuyayamamoto180031 views
dvss.pptdvss.ppt
dvss.ppt
SaikrishnaCheruvu1354 views
Doorsvision-The-Future-of-Smart-Communities gama adj.pdfDoorsvision-The-Future-of-Smart-Communities gama adj.pdf
Doorsvision-The-Future-of-Smart-Communities gama adj.pdf
Mustafa Kuğu84 views
What’s new in Kotlin 12-08-2023 Google IO Cairo 23What’s new in Kotlin 12-08-2023 Google IO Cairo 23
What’s new in Kotlin 12-08-2023 Google IO Cairo 23
Ahmed Nabil66 views
Future of Virtual realityFuture of Virtual reality
Future of Virtual reality
mdpavel413 views
#11 DataWeave Extension Library using Visual Studio Code#11 DataWeave Extension Library using Visual Studio Code
#11 DataWeave Extension Library using Visual Studio Code
AnoopRamachandran1379 views
DigitalWisers Onepager.pdfDigitalWisers Onepager.pdf
DigitalWisers Onepager.pdf
Mustafa Kuğu165 views
What's Coming in CloudStack 4.19What's Coming in CloudStack 4.19
What's Coming in CloudStack 4.19
ShapeBlue122 views
GDSC23 - Info Session GDSC KIET (1).pptxGDSC23 - Info Session GDSC KIET (1).pptx
GDSC23 - Info Session GDSC KIET (1).pptx
SnehaAggarwal40119 views
Daily Scrum, Sprint Review & Retrospective.pptxDaily Scrum, Sprint Review & Retrospective.pptx
Daily Scrum, Sprint Review & Retrospective.pptx
Md. Rakib Trofder90 views
Workshop on IoT and Basic Home Automation_BAIUST.pptxWorkshop on IoT and Basic Home Automation_BAIUST.pptx
Workshop on IoT and Basic Home Automation_BAIUST.pptx
Redwan Ferdous27 views
AWS Toolkit.pptxAWS Toolkit.pptx
AWS Toolkit.pptx
Brandon Minnick, MBA54 views
GDSC23 SAC - Info Session GDSC.pptxGDSC23 SAC - Info Session GDSC.pptx
GDSC23 SAC - Info Session GDSC.pptx
SAC221 views

Ihor Bliumental - WebSockets

  1. Ihor Bliumental OWASP Kyiv Chapter Lead ihor.bliumental@owasp.org WebSocket security
  2. WebSocket handshake
  3. WebSocket protocol
  4. WebSocket handshake
  5. WebSocket handshake
  6. WebSocket – Javascript API
  7. Authentication
  8. Authorization • An attacker can access the data/functions without authorization • An attacker can access the data/functions which require higher level of authorization • An attacker can access other same level user's restricted data/functions
  9. Cross Origin Resource Sharing
  10. Cross Origin Resource Sharing
  11. Traffic encryption • All sensitive data should be transferred using TLS (wss://) • TLS should be implemented correctly (no weak ciphers)
  12. Resource Exhaustion • Connection is being kept until client or server close it • An attacker can exhausts all available connections • Modern clients have limits (e.g. Chrome: 256 total WS connections, 30 per one host; Firefox: 200 total WS connections)
  13. Improper input validation • A1 - Injections (SQLi, Code injections, Template injections, etc.) • A4 - XXE • A7 - XSS • A8 - Insecure deserialisation
  14. Chrome developer tools
  15. Simple WebSocket Client (FF/Chrome addon)
  16. Burp Suite Community Edition
  17. Burp Suite Pro
  18. Burp Suite Pro
  19. OWASP ZAP
  20. OWASP ZAP
  21. Example
  22. Questions?