Ihor Bliumental - WebSockets

1. WebSocket security. Ihor Bliumental, OWASP Kyiv Chapter Lead, ihor.bliumental@owasp.org
2. WebSocket handshake
3. WebSocket protocol
4. WebSocket handshake
5. WebSocket handshake
6. WebSocket – JavaScript API
7. Authentication
8. Authorization
   • An attacker can access data/functions without authorization
   • An attacker can access data/functions which require a higher level of authorization
   • An attacker can access another same-level user's restricted data/functions
9. Cross Origin Resource Sharing
10. Cross Origin Resource Sharing
11. Traffic encryption
   • All sensitive data should be transferred using TLS (wss://)
   • TLS should be implemented correctly (no weak ciphers)
12. Resource exhaustion
   • A connection is kept open until the client or the server closes it
   • An attacker can exhaust all available connections
   • Modern clients have limits (e.g. Chrome: 256 total WS connections, 30 per host; Firefox: 200 total WS connections)
13. Improper input validation
   • A1 - Injections (SQLi, code injection, template injection, etc.)
   • A4 - XXE
   • A7 - XSS
   • A8 - Insecure deserialisation
14. Chrome developer tools
15. Simple WebSocket Client (FF/Chrome addon)
16. Burp Suite Community Edition
17. Burp Suite Pro
18. Burp Suite Pro
19. OWASP ZAP
20. OWASP ZAP
21. Example
22. Questions?
