Advertisement
Ihor Bliumental - WebSockets
Ihor Bliumental - WebSockets
Ihor Bliumental - WebSockets
Ihor Bliumental - WebSockets
Ihor Bliumental - WebSockets
Ihor Bliumental - WebSockets
Ihor Bliumental - WebSockets
Ihor Bliumental - WebSockets
Ihor Bliumental - WebSockets
Ihor Bliumental - WebSockets
Ihor Bliumental - WebSockets
Ihor Bliumental - WebSockets
Ihor Bliumental - WebSockets
Ihor Bliumental - WebSockets
Ihor Bliumental - WebSockets
Ihor Bliumental - WebSockets
Ihor Bliumental - WebSockets
Ihor Bliumental - WebSockets
Ihor Bliumental - WebSockets
Ihor Bliumental - WebSockets
Ihor Bliumental - WebSockets
Ihor Bliumental - WebSockets

Check these out next

Information Security Systems
Information Security Systems
Eyad Mhanna
020618 Why Do we Need HTTPS
020618 Why Do we Need HTTPS
Jackio Kwok
Stable proxies it's type and advantages
Stable proxies it's type and advantages
stableproxies
Introduction to stable proxies.
Introduction to stable proxies.
stableproxies
cryptography security
cryptography security
Zia3130
Web Proxy Server
Web Proxy Server
Mohit Dhankher
Introduce warden
Introduce warden
Hieu Nguyen Trung
12 web security
12 web security
StephenKardian
1 of 22

Ihor Bliumental - WebSockets

Mar. 4, 2018
Download to read offline
Technology

WebSockets security analysis methods and techniques.

OWASP Kyiv
OWASP Kyiv
Advertisement
Advertisement
Advertisement

Recommended

Web securityWeb security
Web securityGreater Noida Institute Of Technology155 views13 slides
Wap wmlWap wml
Wap wmlAnkit Anand110 views22 slides
IWMW 1998: Server Management (3) Controlling accessIWMW 1998: Server Management (3) Controlling access
IWMW 1998: Server Management (3) Controlling accessIWMW 191 views11 slides
15 intro to ssl certificate & pki concept15 intro to ssl certificate & pki concept
15 intro to ssl certificate & pki conceptMostafa El Lathy248 views18 slides
KILLME NOWITSELFKILLME NOWITSELF
KILLME NOWITSELFShehab Imam254 views18 slides
Proxy PresentationProxy Presentation
Proxy Presentationprimeteacher325.9K views11 slides

More Related Content

Slideshows for you(18)

Information Security SystemsInformation Security Systems
Information Security Systems
Eyad Mhanna271 views
020618 Why Do we Need HTTPS020618 Why Do we Need HTTPS
020618 Why Do we Need HTTPS
Jackio Kwok395 views
Stable proxies it's type and advantagesStable proxies it's type and advantages
Stable proxies it's type and advantages
stableproxies14K views
Introduction to stable proxies.Introduction to stable proxies.
Introduction to stable proxies.
stableproxies217 views
cryptography security cryptography security
cryptography security
Zia3130148 views
Web Proxy ServerWeb Proxy Server
Web Proxy Server
Mohit Dhankher994 views
Introduce wardenIntroduce warden
Introduce warden
Hieu Nguyen Trung383 views
12 web security12 web security
12 web security
StephenKardian87 views
SignalR SignalR
SignalR
Sarvesh Kushwaha243 views
XML Key Management Protocol for Secure Web ServiceXML Key Management Protocol for Secure Web Service
XML Key Management Protocol for Secure Web Service
Md. Hasan Basri (Angel)1.3K views
Fundamental of Webserver Hacking, Web Applications and Database AttacksFundamental of Webserver Hacking, Web Applications and Database Attacks
Fundamental of Webserver Hacking, Web Applications and Database Attacks
UK Defence Cyber School14 views
WT - Firewall & Proxy ServerWT - Firewall & Proxy Server
WT - Firewall & Proxy Server
vinay arora2.1K views
Proxy Servers & FirewallsProxy Servers & Firewalls
Proxy Servers & Firewalls
Mehdi Poustchi Amin25.5K views
Introduction to OAuthIntroduction to OAuth
Introduction to OAuth
Wei-Tsung Su1.3K views
Http Proxy ServerHttp Proxy Server
Http Proxy Server
Sourav Roy5.6K views
Api sec demo_updated_v2Api sec demo_updated_v2
Api sec demo_updated_v2
Aravindan A94 views
y3dips hacking priv8 networky3dips hacking priv8 network
y3dips hacking priv8 network
idsecconf1.3K views
SqlvikingSqlviking
Sqlviking
Jonn Callahan291 views

Similar to Ihor Bliumental - WebSockets(20)

Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applications
Niyas Nazar1.2K views
Computer Network Case Study - bajju.pptxComputer Network Case Study - bajju.pptx
Computer Network Case Study - bajju.pptx
ShivamBajaj3654 views
The path of secure software by Katy AntonThe path of secure software by Katy Anton
The path of secure software by Katy Anton
DevSecCon226 views
HTML5 hackingHTML5 hacking
HTML5 hacking
Blueinfy Solutions3.1K views
Owasp Mobile Risk Series : M3 : Insufficient Transport Layer ProtectionOwasp Mobile Risk Series : M3 : Insufficient Transport Layer Protection
Owasp Mobile Risk Series : M3 : Insufficient Transport Layer Protection
Anant Shrivastava40.5K views
WebApps_Lecture_15.pptWebApps_Lecture_15.ppt
WebApps_Lecture_15.ppt
OmprakashVerma564 views
Protecting Web Services from DDOS AttackProtecting Web Services from DDOS Attack
Protecting Web Services from DDOS Attack
Ponraj 7.2K views
Building Client-Side Attacks with HTML5 FeaturesBuilding Client-Side Attacks with HTML5 Features
Building Client-Side Attacks with HTML5 Features
Conviso Application Security3.2K views
Spa Secure Coding GuideSpa Secure Coding Guide
Spa Secure Coding Guide
Geoffrey Vandiest151 views
Web Services Hacking and SecurityWeb Services Hacking and Security
Web Services Hacking and Security
Blueinfy Solutions6.1K views
DEF CON 24 - workshop - Craig Young - brainwashing embedded systemsDEF CON 24 - workshop - Craig Young - brainwashing embedded systems
DEF CON 24 - workshop - Craig Young - brainwashing embedded systems
Felipe Prado41 views
aa
a
Sandeep Kumar196 views
Html5 securityHtml5 security
Html5 security
Krishna T2.6K views
www.webre24h.com - Ajax securitywww.webre24h.com - Ajax security
www.webre24h.com - Ajax security
webre24h188 views
Information Security EngineeringInformation Security Engineering
Information Security Engineering
Md. Hasan Basri (Angel)186 views
Cross Site Scripting - Mozilla Security Learning CenterCross Site Scripting - Mozilla Security Learning Center
Cross Site Scripting - Mozilla Security Learning Center
Michael Coates6K views
WebsocketWebsocket
Websocket
艾鍗科技2.2K views
DDD Melbourne 2014 security in ASP.Net Web API 2DDD Melbourne 2014 security in ASP.Net Web API 2
DDD Melbourne 2014 security in ASP.Net Web API 2
Pratik Khasnabis1.3K views
Post XSS Exploitation : Advanced Attacks and RemediesPost XSS Exploitation : Advanced Attacks and Remedies
Post XSS Exploitation : Advanced Attacks and Remedies
Adwiteeya Agrawal3.4K views
Security Patterns with WSO2 ESBSecurity Patterns with WSO2 ESB
Security Patterns with WSO2 ESB
WSO25.2K views
Advertisement

More from OWASP Kyiv(20)

Is there a penetration testing within PCI DSS certification? (Dmytro Diordiyc...Is there a penetration testing within PCI DSS certification? (Dmytro Diordiyc...
Is there a penetration testing within PCI DSS certification? (Dmytro Diordiyc...
OWASP Kyiv245 views
Software Supply Chain Security та компоненти з відомими вразливостямиSoftware Supply Chain Security та компоненти з відомими вразливостями
Software Supply Chain Security та компоненти з відомими вразливостями
OWASP Kyiv197 views
Cloud Security Hardening та аудит хмарної безпеки за допомогою Scout SuiteCloud Security Hardening та аудит хмарної безпеки за допомогою Scout Suite
Cloud Security Hardening та аудит хмарної безпеки за допомогою Scout Suite
OWASP Kyiv153 views
Threat Modeling with OWASP Threat DragonThreat Modeling with OWASP Threat Dragon
Threat Modeling with OWASP Threat Dragon
OWASP Kyiv589 views
Anastasia Vixentael - Don't Waste Time on Learning Cryptography: Better Use I...Anastasia Vixentael - Don't Waste Time on Learning Cryptography: Better Use I...
Anastasia Vixentael - Don't Waste Time on Learning Cryptography: Better Use I...
OWASP Kyiv693 views
Vlad Styran - Cyber Security Economics 101Vlad Styran - Cyber Security Economics 101
Vlad Styran - Cyber Security Economics 101
OWASP Kyiv466 views
Pavlo Radchuk - OWASP SAMM: Understanding Agile in SecurityPavlo Radchuk - OWASP SAMM: Understanding Agile in Security
Pavlo Radchuk - OWASP SAMM: Understanding Agile in Security
OWASP Kyiv2.4K views
Ivan Vyshnevskyi - Not So Quiet Git PushIvan Vyshnevskyi - Not So Quiet Git Push
Ivan Vyshnevskyi - Not So Quiet Git Push
OWASP Kyiv432 views
Dima Kovalenko - Modern SSL PinningDima Kovalenko - Modern SSL Pinning
Dima Kovalenko - Modern SSL Pinning
OWASP Kyiv523 views
Yevhen Teleshyk - OAuth PhishingYevhen Teleshyk - OAuth Phishing
Yevhen Teleshyk - OAuth Phishing
OWASP Kyiv362 views
Vlada Kulish - Why So Serial?Vlada Kulish - Why So Serial?
Vlada Kulish - Why So Serial?
OWASP Kyiv590 views
Vlad Styran - OWASP Kyiv 2017 Report and 2018 PlansVlad Styran - OWASP Kyiv 2017 Report and 2018 Plans
Vlad Styran - OWASP Kyiv 2017 Report and 2018 Plans
OWASP Kyiv343 views
Roman Borodin - ISC2 & ISACA Certification Programs First-hand ExperienceRoman Borodin - ISC2 & ISACA Certification Programs First-hand Experience
Roman Borodin - ISC2 & ISACA Certification Programs First-hand Experience
OWASP Kyiv815 views
Serhiy Korolenko - The Strength of Ukrainian Users’ P@ssw0rds2017Serhiy Korolenko - The Strength of Ukrainian Users’ P@ssw0rds2017
Serhiy Korolenko - The Strength of Ukrainian Users’ P@ssw0rds2017
OWASP Kyiv1.1K views
Viktor Zhora - Cyber and Geopolitics: Ukrainian factorViktor Zhora - Cyber and Geopolitics: Ukrainian factor
Viktor Zhora - Cyber and Geopolitics: Ukrainian factor
OWASP Kyiv647 views
Andriy Shalaenko - GO security tipsAndriy Shalaenko - GO security tips
Andriy Shalaenko - GO security tips
OWASP Kyiv1.5K views
Vlad Styran - "Hidden" Features of the Tools We All LoveVlad Styran - "Hidden" Features of the Tools We All Love
Vlad Styran - "Hidden" Features of the Tools We All Love
OWASP Kyiv636 views
Volodymyr Ilibman - Close Look at Nyetya InvestigationVolodymyr Ilibman - Close Look at Nyetya Investigation
Volodymyr Ilibman - Close Look at Nyetya Investigation
OWASP Kyiv412 views
Ihor Bliumental - Collision CORSIhor Bliumental - Collision CORS
Ihor Bliumental - Collision CORS
OWASP Kyiv370 views
Lidiia 'Alice' Skalytska - Security Checklist for Web DevelopersLidiia 'Alice' Skalytska - Security Checklist for Web Developers
Lidiia 'Alice' Skalytska - Security Checklist for Web Developers
OWASP Kyiv547 views

Recently uploaded(20)

How to lead in the age of Superintelligence.pptxHow to lead in the age of Superintelligence.pptx
How to lead in the age of Superintelligence.pptx
Prerna Kaul0 views
FINAL PRESENTATION on OBE using TDD.pptxFINAL PRESENTATION on OBE using TDD.pptx
FINAL PRESENTATION on OBE using TDD.pptx
gznfrch10 views
AirMMax Motor Brochure.pdfAirMMax Motor Brochure.pdf
AirMMax Motor Brochure.pdf
AirMMax Aeration Equipment Co., Ltd0 views
Addin Revit.pdfAddin Revit.pdf
Addin Revit.pdf
ssuser589db10 views
Revolution in Retail Experience.pdfRevolution in Retail Experience.pdf
Revolution in Retail Experience.pdf
bgoyani30 views
8 PROCESS FLOW CHART.pptx8 PROCESS FLOW CHART.pptx
8 PROCESS FLOW CHART.pptx
julitolosbanos0 views
Hackolade Tutorial - part 4 - Create your first data modelHackolade Tutorial - part 4 - Create your first data model
Hackolade Tutorial - part 4 - Create your first data model
PascalDesmarets10 views
Scan 26 Apr 23 11·57·23.pdfScan 26 Apr 23 11·57·23.pdf
Scan 26 Apr 23 11·57·23.pdf
SmrDDhrk0 views
Office 365Office 365
Office 365
Princy Nadar0 views
Vernacular Architecture - 1.pptVernacular Architecture - 1.ppt
Vernacular Architecture - 1.ppt
RekhaVKumar0 views
Cutting Edge Robotics Innovation.pdfCutting Edge Robotics Innovation.pdf
Cutting Edge Robotics Innovation.pdf
bgoyani30 views
How to Build Real-Time Analytics Applications like Netflix, Confluent, and Re...How to Build Real-Time Analytics Applications like Netflix, Confluent, and Re...
How to Build Real-Time Analytics Applications like Netflix, Confluent, and Re...
confluent0 views
Pioneering the Future of Finance: Banks and MetaMask Integration in Cryptocur...Pioneering the Future of Finance: Banks and MetaMask Integration in Cryptocur...
Pioneering the Future of Finance: Banks and MetaMask Integration in Cryptocur...
Mobiloitte Technologies0 views
Manufacturing Slides Powerpoint Template.pptxManufacturing Slides Powerpoint Template.pptx
Manufacturing Slides Powerpoint Template.pptx
ssuser589db10 views
Hackolade Tutorial - part 3 - Query-driven data modeling based on access patt...Hackolade Tutorial - part 3 - Query-driven data modeling based on access patt...
Hackolade Tutorial - part 3 - Query-driven data modeling based on access patt...
PascalDesmarets10 views
Class I_OSI Network Layer by CISCO.pptClass I_OSI Network Layer by CISCO.ppt
Class I_OSI Network Layer by CISCO.ppt
NukriTskvitaia0 views
EventsEvents
Events
Victor de Souza Fernandes0 views
【本科生、研究生】新西兰梅西大学毕业证文凭购买指南【本科生、研究生】新西兰梅西大学毕业证文凭购买指南
【本科生、研究生】新西兰梅西大学毕业证文凭购买指南
foxupud0 views
Stream Processing with Flink and Stream Sharing.pdfStream Processing with Flink and Stream Sharing.pdf
Stream Processing with Flink and Stream Sharing.pdf
confluent0 views
Real-time Network Streaming Innovation & InsightsReal-time Network Streaming Innovation & Insights
Real-time Network Streaming Innovation & Insights
confluent0 views
Advertisement

Ihor Bliumental - WebSockets

  1. Ihor Bliumental OWASP Kyiv Chapter Lead ihor.bliumental@owasp.org WebSocket security
  2. WebSocket handshake
  3. WebSocket protocol
  4. WebSocket handshake
  5. WebSocket handshake
  6. WebSocket – Javascript API
  7. Authentication
  8. Authorization • An attacker can access the data/functions without authorization • An attacker can access the data/functions which require higher level of authorization • An attacker can access other same level user's restricted data/functions
  9. Cross Origin Resource Sharing
  10. Cross Origin Resource Sharing
  11. Traffic encryption • All sensitive data should be transferred using TLS (wss://) • TLS should be implemented correctly (no weak ciphers)
  12. Resource Exhaustion • Connection is being kept until client or server close it • An attacker can exhausts all available connections • Modern clients have limits (e.g. Chrome: 256 total WS connections, 30 per one host; Firefox: 200 total WS connections)
  13. Improper input validation • A1 - Injections (SQLi, Code injections, Template injections, etc.) • A4 - XXE • A7 - XSS • A8 - Insecure deserialisation
  14. Chrome developer tools
  15. Simple WebSocket Client (FF/Chrome addon)
  16. Burp Suite Community Edition
  17. Burp Suite Pro
  18. Burp Suite Pro
  19. OWASP ZAP
  20. OWASP ZAP
  21. Example
  22. Questions?
Advertisement