-
Be the first to like this
Upcoming SlideShare
Ihor Bliumental - WebSockets
- 1. Ihor Bliumental OWASP Kyiv Chapter Lead ihor.bliumental@owasp.org WebSocket security
- 2. WebSocket handshake
- 3. WebSocket protocol
- 4. WebSocket handshake
- 5. WebSocket handshake
- 6. WebSocket – Javascript API
- 7. Authentication
- 8. Authorization • An attacker can access the data/functions without authorization • An attacker can access the data/functions which require higher level of authorization • An attacker can access other same level user's restricted data/functions
- 9. Cross Origin Resource Sharing
- 10. Cross Origin Resource Sharing
- 11. Traffic encryption • All sensitive data should be transferred using TLS (wss://) • TLS should be implemented correctly (no weak ciphers)
- 12. Resource Exhaustion • Connection is being kept until client or server close it • An attacker can exhausts all available connections • Modern clients have limits (e.g. Chrome: 256 total WS connections, 30 per one host; Firefox: 200 total WS connections)
- 13. Improper input validation • A1 - Injections (SQLi, Code injections, Template injections, etc.) • A4 - XXE • A7 - XSS • A8 - Insecure deserialisation
- 14. Chrome developer tools
- 15. Simple WebSocket Client (FF/Chrome addon)
- 16. Burp Suite Community Edition
- 17. Burp Suite Pro
- 18. Burp Suite Pro
- 19. OWASP ZAP
- 20. OWASP ZAP
- 21. Example
- 22. Questions?
Login to see the comments