Ihor Bliumental - WebSockets

  1. WebSocket security. Ihor Bliumental, OWASP Kyiv Chapter Lead, ihor.bliumental@owasp.org
  2. WebSocket handshake
  3. WebSocket protocol
  4. WebSocket handshake
  5. WebSocket handshake
  6. WebSocket – JavaScript API
  7. Authentication
  8. Authorization
     • An attacker can access data/functions without authorization
     • An attacker can access data/functions that require a higher level of authorization
     • An attacker can access another same-level user's restricted data/functions
  9. Cross Origin Resource Sharing
  10. Cross Origin Resource Sharing
  11. Traffic encryption
     • All sensitive data should be transferred using TLS (wss://)
     • TLS should be implemented correctly (no weak ciphers)
  12. Resource Exhaustion
     • A connection is kept open until the client or the server closes it
     • An attacker can exhaust all available connections
     • Modern clients have limits (e.g. Chrome: 256 total WS connections, 30 per host; Firefox: 200 total WS connections)
  13. Improper input validation
     • A1 - Injections (SQLi, code injections, template injections, etc.)
     • A4 - XXE
     • A7 - XSS
     • A8 - Insecure deserialisation
  14. Chrome developer tools
  15. Simple WebSocket Client (FF/Chrome addon)
  16. Burp Suite Community Edition
  17. Burp Suite Pro
  18. Burp Suite Pro
  19. OWASP ZAP
  20. OWASP ZAP
  21. Example
  22. Questions?
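Slide 12 notes that a WebSocket connection stays open until one side closes it, so a client can tie up every connection a server will accept. The following is an added example, not code from the slides or from OWASP Kyiv: a server-side accounting policy that refuses an upgrade once a client or the server as a whole holds too many open connections and reaps idle ones. The limits and addresses are constructed values.

```python
import time
from collections import defaultdict


class ConnectionGuard:
    """Tracks open WebSocket connections per client and in total.

    Call try_open() before accepting the upgrade, touch() on each frame,
    close() on disconnect, and reap_idle() from a periodic task.
    """

    # Limits are constructed for illustration, not taken from any product.
    def __init__(self, max_total=1000, max_per_client=20, idle_timeout=60.0):
        self.max_total = max_total
        self.max_per_client = max_per_client
        self.idle_timeout = idle_timeout
        self.open = {}                       # conn id -> (client ip, last activity)
        self.per_client = defaultdict(int)   # client ip -> open connection count
        self._next_id = 0

    def try_open(self, client_ip, now=None):
        """Return a connection id if the upgrade may proceed, else None."""
        now = time.monotonic() if now is None else now
        if len(self.open) >= self.max_total:
            return None                      # server-wide cap reached
        if self.per_client[client_ip] >= self.max_per_client:
            return None                      # one client holding too many
        self._next_id += 1
        self.open[self._next_id] = (client_ip, now)
        self.per_client[client_ip] += 1
        return self._next_id

    def touch(self, conn_id, now=None):
        """Record activity so a live connection is not reaped as idle."""
        now = time.monotonic() if now is None else now
        if conn_id in self.open:
            self.open[conn_id] = (self.open[conn_id][0], now)

    def close(self, conn_id):
        """Release the slot; returns False if the id was unknown."""
        entry = self.open.pop(conn_id, None)
        if entry is None:
            return False
        self.per_client[entry[0]] -= 1
        return True

    def reap_idle(self, now=None):
        """Close connections silent for longer than idle_timeout; return count."""
        now = time.monotonic() if now is None else now
        stale = [cid for cid, (_, last) in self.open.items() if now - last > self.idle_timeout]
        for cid in stale:
            self.close(cid)
        return len(stale)

    def active_count(self):
        return len(self.open)
```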