SlideShare a Scribd company logo
Hacking with WebSockets

                    Mike Shema
                    Sergey Shekyan
                    Vaagn Toukharian (got sick last night)


                                      December 2012
Thursday, December 13, 12                                    1
A Trip into HTML5
                      WebSockets background

                      Their appeal to developers

                      Their appeal to attackers

                      What makes them better

Thursday, December 13, 12                          2
HTML4‘s Crude Solutions

   Forcing persistence on a non-persistent protocol
         ...often at the server’s expense of one thread/request
         ...while dealing with the browser’s per-domain connection limit
         ...and trying to figure out an efficient polling frequency
         ...just to know when the server has some data ready.

Thursday, December 13, 12                                                  3
Almost WebSockets
                    Forcing HTML5 on a non-HTML5 browser
                            web-socket-js -- The power of Flash’s raw sockets with the
                            benefits(?) of Flash’s security
                            sockjs-client -- Pure JavaScript, choose your poison: long-polling,
                            XHR, etc.
                    HTML5 Server-Sent Events (http://www.w3.org/TR/eventsource/)
                            Properly-implemented long-polling
                            Content only flows from server → client

Thursday, December 13, 12                                                                         4
One Socket, Two Directions
                                                   Yay!

      The WebSocket Protocol enables two-way
      communication between a client running
      untrusted code in a controlled environment to a
      remote host that has opted-in to communications from
      that code.                  Hmm...
Uh oh                                     - RFC 6455
Thursday, December 13, 12                                    5
Speak to Me
                       Protocol           JavaScript API
                       (RFC 6455)
                                          .onmessage()
                       Low overhead
                                          .send()
                       Simple format
                                          Data as String,
                       Content agnostic   Blob,
                       HTTP compatible*   ArrayBuffer


Thursday, December 13, 12                                   6
Handshake Challenge
        GET /?encoding=text HTTP/1.1
        Host: echo.websocket.org
        User-Agent: ...
        Connection: Upgrade
        Sec-WebSocket-Version: 13
        Origin: http://www.websocket.org
        Sec-WebSocket-Key: CjYoQD+BXC718rj3aiExxw==


                            base64(16 random bytes)
Thursday, December 13, 12                             7
Handshake Response
         HTTP/1.1 101 Switching Protocols
         Upgrade: WebSocket         Proxy might
         Connection: Upgrade        remove this!

         Sec-WebSocket-Accept: c4RVZSknSoEHizZu6BKl3v
         +xUuI=

                                 base64(SHA1(challenge + GUID)

                            [ then the data frames begin ]




Thursday, December 13, 12                                        8
HTTP Handshake
                    Proves mutual agreement to speak WebSockets
                            Not intended to prove either trust or identity
                    User Agent should not establish plaintext WebSocket (ws:) from
                    “secure” resource (https:)
                    Includes the Origin header
                    Must complete before another connection may be established to
                    the same origin

Thursday, December 13, 12                                                           9
Data Frame Details
   0                   1                    2                   3
   0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
  +-+-+-+-+-------+-+-------------+-------------------------------+
  |F|R|R|R| opcode|M| Payload len |     Extended payload length    |
  |I|S|S|S| (4) |A|        (7)     |             (16/64)           |
  |N|V|V|V|       |S|              |   (if payload len==126/127)   |
  | |1|2|3|       |K|              |                               |
  +-+-+-+-+-------+-+-------------+ - - - - - - - - - - - - - - - +
  |     Extended payload length continued, if payload len == 127 |
  + - - - - - - - - - - - - - - - +-------------------------------+
  |                                |Masking-key, if MASK set to 1 |
  +-------------------------------+-------------------------------+
  | Masking-key (continued)        |          Payload Data         |
  +-------------------------------- - - - - - - - - - - - - - - - +
  :                      Payload Data continued ...                :
  + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +
  |                      Payload Data continued ...                |
  +---------------------------------------------------------------+

Thursday, December 13, 12                                          10
Variable Lengths
 Decimal Length (7 bits)                    Variable Length (16- or 64-bit)
 1                          1000000   n/a
 128                        0111111   00000001 00000000
 65535                      0111111   11111111 11111111
 65536                      1111111   00000000 00000000 1...
 2^64 - 1 1 1 1 1 1 1 1               11111111 ... 11111111
 19                         1100100   n/a
 19                         0111111   11001000 00000000
 19                         1111111   11001000 00000000 0...
Thursday, December 13, 12                                                     11
src                     10.171.90.44
    dst                     174.129.224.73
    options                 []



                    Masking Data
    TCP
    sport                   63784
    dport                   http
                                                            f9 28 00 50 fb 51 8d 7f ea d5 21 21 80 18
    seq                     4216425855
                                                      82 18 fa c2 00 00 01 01 08 0a c5 4f 2d e2 61 52
    ack                     3939836193
                                                      72 98
    dataofs                 8L
    reserved                0L
    flags     32-bit pseudo-random value, XOR byte by byte
                            PA
    window                  33304
    chksum                  0xfac2
    urgptr   Prevent the browser from being leveraged for cross-protocol attacks, cache poisoning
                            0
    options                 [(’NOP’, None), (’[...]
    WebSocket
    flags                    FIN
    opcode                  text frame                      81 a5 bd cc ef e0 e9 a4 8a 99 9a be 8a c0
    mask flag                1L                        de a3 82 89 d3 ab cf 94 d2 ec 88 85 c9 ec 96 8f
    length                  37L                       c8 e0 cf a2 dc be 8d 81 cf ad c1 ce 93
    mask                    0xbdccefe0
    frame data              ’xe9xa4x8ax99[...]




          bd cc ef e0 bd cc ef e0 bd ...
          e9 a4 8a 99 9a be 8a c0 de ...
             T h e y ‘ r e           c
Thursday, December 13, 12                                                                               12
Design Choices
                       Items transparent to JavaScript API
                            User Agents mask data to the server
                            “Ping” & “pong” frames for connection keep-alive
                       User Agent should minimize details for certain kinds of
                       connection failures to prevent “better” host/port scanning


Thursday, December 13, 12                                                           13
Data Frame Security
                   The handshake provides the headers to create a security context
                            Cookies, CORS, Origin, etc.
                            Decoupling this information is dangerous

  0                   1                   2                   3
  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+---------------------------------------------------------------+
|        [ insert your protocol here ]                           |
+---------------------------------------------------------------+
|        It is pitch dark.                                       |
+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +
|        You are likely to be eaten by a grue.                   |
+---------------------------------------------------------------+

Thursday, December 13, 12                                                            14
What makes us worry


Thursday, December 13, 12                  15
(Don’t) Blame the Messenger


                      WebSockets still fall victim to “old” threats


                      WebSockets still have interesting things to discuss



Thursday, December 13, 12                                                   16
Mixed content handling
                      If you can sniff http: you can sniff ws:
                    If you can intercept or inject, you can overtake ws:/
                    wss:
                    It should be impossible to mix ws: with https: by
                    RFC
                            WebKit doesn’t enforce this


Thursday, December 13, 12                                                   17
Denial of Service - Client
                    WebSockets connection limit is different than HTTP connection limit
                    Malicious content can exhaust browser by grabbing max. allowed
                    number of WebSocket connections
                            go to http://www.slowhammer.me/now.html with mobile
                            Safari
                  “..Yes, WebSocket is the first way to open an unlimited number of connections to a single
                  server, so it indeed likely needs additional protection to prevent DOS attacks.
                  But we don't really have a way to implement this correctly...”

                                                                         https://bugs.webkit.org/show_bug.cgi?id=32246




Thursday, December 13, 12                                                                                                18
Denial of Service - Server
                  Welcome!er!
                                        a t
                                    L
                        Malicious content can create large number of WebSocket
                       connections to victim WebSocket server
                        Attacks like SlowLoris strive to maintain persistent connections
                       thus draining server resources. WebSockets are naturally like that


Thursday, December 13, 12                                                                   19
Are Browsers OK?

                    Still no mixed content handling policy
                   implemented by WebKit-based (except Chromium)
                     Firefox still doesn’t let WebWorkers create WebSockets
                     Message sizes handled differently


Thursday, December 13, 12                                                     20
Fuzzing WS	
                    Fuzzing WS data
                            Capturing real life data with JS
                            Fuzzing within a Browser
                    Fuzzing WS frameworks
                            Fuzzing WS handshake
                            Fuzzing WS Headers
Thursday, December 13, 12                                      21
Fuzzing WS data with JS
          var f_replace ='';
          var f_append ='';
          WebSocket.prototype._send =
          WebSocket.prototype.send;
          WebSocket.prototype.send = function (data) {
            this._send(data);
            this.addEventListener('message', function
          (msg) {
            }, false);
            this.send = function (data) {
                      if(f_replace !='') {
                        data = f_replace;
                      } else if( f_append !='') {
                        data = data + f_append;
                      }
                      this._send(data);
                };
          }

Thursday, December 13, 12                                22
Fuzzing Frameworks


                            Getting Crashes (not yet)
                            Fingerprinting frameworks




Thursday, December 13, 12                               23
Fingerprinting
    WebSocket++
    Successful handshake:
    HTTP/1.1 101 Switching Protocols
    Connection: Upgrade
    Sec-WebSocket-Accept: Pzio3NY64M/GFfA/kK4WJpj2xY4=
    Server: WebSocket++/0.2.0dev
    Upgrade: websocket
    Failed handshake:
    HTTP/1.1 404
    Server: WebSocket++/0.2.0dev


Thursday, December 13, 12                                24
Fingerprinting
      AutobahnPython
      Successful handshake:
      HTTP/1.1 101 Switching Protocols
      Connection: Upgrade
      Sec-WebSocket-Accept:fKrZviGIoYH4PrDbQ98Nvsbk2cU=
      Server: AutobahnPython/0.5.9
      Upgrade: WebSocket
      Failed handshake:
      HTTP/1.1 400 WebSocket version 12 not supported
      (supported versions: 13,8,0)
      Sec-WebSocket-Version: 13,8,0

Thursday, December 13, 12                                 25
Fingerprinting
   Node.JS
   Successful handshake:
   HTTP/1.1 101 Switching Protocols
   Connection: Upgrade
   Sec-WebSocket-Accept:zSKX8MU5Omx1JXHacSpdN5a4ur4=
   Upgrade: websocket
   Failed handshake:
   HTTP/1.1 426 Upgrade Required
   Connection: close
   Sec-WebSocket-Version: 13
   X-WebSocket-Reject-Reason: Unsupported websocket client
   version: 12Only versions 8 and 13 are supported.

Thursday, December 13, 12                                    26
Looking for WS Security
                     How to inspect WS traffic


                     How to manipulate WS traffic?


                     Are there browser plugins to help?


                     Are there proxies that support WebSockets?

Thursday, December 13, 12                                         27
Tools

                    WireShark
                    Proxies(ZAProxy, Fiddler)
                    Chrome Developer Tools
                    overloaded WebSocket constructor and methods


Thursday, December 13, 12                                          28
Wish You Were Here
                     Unawareness of WebSocket protocol by security devices (firewalls,
                    IDS, IPS) makes them ineffective against malicious traffic
                            Masking inhibits identifying patterns in traffic
                            Missing auxiliary data type information makes it even harder
                     Covert channels, command & control
                            Resurrect Loki (Phrack 49)
                            Sources of entropy: reserved flags, length representations, mask

Thursday, December 13, 12                                                                  29
Is there anybody out there?
                    We wrote a QtWebKit-based crawler with overloaded
                    WebSocket ctor; whenever it’s called - we get a record in the
                    DB. As simple as:

               window._WebSocket = window.WebSocket;
               window.WebSocket = function(u, p) {
                   cpp_accessible_obj.ws_url = u;
                   cpp_accessible_obj.dumpToDB();
                   return new window._WebSocket(u, p);
               }


Thursday, December 13, 12                                                           30
Not really...
                                             Distribution of Alexa Top 600K websites that use WebSockets

                                  100K

                                  200K
          Ranges of the samples




                                  300K

                                  400K

                                  500K

                                  600K

                                         0        38                     75                    113         150
                                                             WebSocket instances found



Thursday, December 13, 12                                                                                        31
Details?
                        0.15% of websites use WebSockets on
                       landing page.
                        Less than 4% of captured WebSockets
                       are using plain ws:
                               95% of total WebSockets connect
                              to a single vendor’s customer
                              support chat system
                               among remaining 5%, less
                              than 1% are using
                              encryption


Thursday, December 13, 12                                        32
True picture is...
                                             Distribution of Alexa Top 600K websites that use WebSockets

                                  100K

                                  200K
          Ranges of the samples




                                  300K

                                  400K

                                  500K

                                  600K

                                         0        2                      4                      5          7
                                                WebSocket instances found, excluding CS chat system



Thursday, December 13, 12                                                                                      33
What makes them
                                 better

Thursday, December 13, 12                     34
Recommendations
                     What it's good for
                            Time critical data delivery
                            Apps that require true bidirectional flow
                            Interactivity
                            Higher throughput
                    Remember, it doesn’t fix existing vulnerabilities
Thursday, December 13, 12                                              35
Deploying a Server
                    Capacity planning & measurement to prevent self-inflicted DoS
                    Verify the Origin header
                    As always, assume the client is hostile -- don’t trust it
                    Be careful when implementing the HTTP handshake
                            Create a single-purpose HTTP handler, not a pseudo-web server



Thursday, December 13, 12                                                               36
Security of the tunneled protocol
                    Beware of decoupling WebSocket session context from the HTTP session
                    context
                    Watch for protocol mistakes
                            using session cookies as chat IDs (visible to the recipient)
                            replay
                            spoofing
                            fragmentation, overlapping fragments
                            server-side buffer overflows, underflows

Thursday, December 13, 12                                                                  37
Remember Security Basics
                    wss: means secure transport, not secure app
                    Authn/Authz
                    Session identifiers
                    Server-side input validation
                    Resource exhaustion
                    Failure states
Thursday, December 13, 12                                         38
Summary
                     WebSockets solve connection problems, not security
                    problems.
                     Basic security principles still apply, especially for data
                    frames’ content.
                     “The new port 80” -- security devices have poor
                    (nonexistent!?) awareness of the protocol.


Thursday, December 13, 12                                                         39
Q&A


Thursday, December 13, 12         40
Thank You!
                            Mike @CodexWebSecurum
                            Sergey @sshekyan
                            Vaagn @tukharian
Thursday, December 13, 12                           41
References

                    http://lists.whatwg.org/pipermail/whatwg-whatwg.org/
                    2008-June/015108.html
                    http://www.ietf.org/mail-archive/web/tls/current/
                    msg05593.html
                    http://webtide.intalio.com/2011/09/cometd-2-4-0-
                    websocket-benchmarks/

Thursday, December 13, 12                                                  42
Interest in WebSockets?




Thursday, December 13, 12                     43

More Related Content

What's hot

Web application security
Web application securityWeb application security
Web application security
Kapil Sharma
 
Secure Code Warrior - Remote file inclusion
Secure Code Warrior - Remote file inclusionSecure Code Warrior - Remote file inclusion
Secure Code Warrior - Remote file inclusion
Secure Code Warrior
 
HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)
HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)
HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)
Marco Balduzzi
 
Hacking web applications
Hacking web applicationsHacking web applications
Hacking web applications
Adeel Javaid
 
Neat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionNeat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protection
Mikhail Egorov
 
Website hacking and prevention (All Tools,Topics & Technique )
Website hacking and prevention (All Tools,Topics & Technique )Website hacking and prevention (All Tools,Topics & Technique )
Website hacking and prevention (All Tools,Topics & Technique )
Jay Nagar
 
Time based CAPTCHA protected SQL injection through SOAP-webservice
Time based CAPTCHA protected SQL injection through SOAP-webserviceTime based CAPTCHA protected SQL injection through SOAP-webservice
Time based CAPTCHA protected SQL injection through SOAP-webservice
Frans Rosén
 
Python Deserialization Attacks
Python Deserialization AttacksPython Deserialization Attacks
Python Deserialization Attacks
NSConclave
 
Attacking thru HTTP Host header
Attacking thru HTTP Host headerAttacking thru HTTP Host header
Attacking thru HTTP Host header
Sergey Belov
 
AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programs
AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programsAEM hacker - approaching Adobe Experience Manager webapps in bug bounty programs
AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programs
Mikhail Egorov
 
Local File Inclusion to Remote Code Execution
Local File Inclusion to Remote Code ExecutionLocal File Inclusion to Remote Code Execution
Local File Inclusion to Remote Code Execution
n|u - The Open Security Community
 
Outlook and Exchange for the bad guys
Outlook and Exchange for the bad guysOutlook and Exchange for the bad guys
Outlook and Exchange for the bad guys
Nick Landers
 
HTTP Request Smuggling via higher HTTP versions
HTTP Request Smuggling via higher HTTP versionsHTTP Request Smuggling via higher HTTP versions
HTTP Request Smuggling via higher HTTP versions
neexemil
 
Different Methodology To Recon Your Targets
Different Methodology To Recon Your TargetsDifferent Methodology To Recon Your Targets
Different Methodology To Recon Your Targets
EslamAkl
 
Privilege escalation from 1 to 0 Workshop
Privilege escalation from 1 to 0 Workshop Privilege escalation from 1 to 0 Workshop
Privilege escalation from 1 to 0 Workshop
Hossam .M Hamed
 
OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)
TzahiArabov
 
XSS Magic tricks
XSS Magic tricksXSS Magic tricks
XSS Magic tricks
GarethHeyes
 
Understanding Cross-site Request Forgery
Understanding Cross-site Request ForgeryUnderstanding Cross-site Request Forgery
Understanding Cross-site Request Forgery
Daniel Miessler
 
Use Node.js to create a REST API
Use Node.js to create a REST APIUse Node.js to create a REST API
Use Node.js to create a REST API
Fabien Vauchelles
 
Unrestricted file upload CWE-434 - Adam Nurudini (ISACA)
Unrestricted file upload CWE-434 -  Adam Nurudini (ISACA)Unrestricted file upload CWE-434 -  Adam Nurudini (ISACA)
Unrestricted file upload CWE-434 - Adam Nurudini (ISACA)
Adam Nurudini
 

What's hot (20)

Web application security
Web application securityWeb application security
Web application security
 
Secure Code Warrior - Remote file inclusion
Secure Code Warrior - Remote file inclusionSecure Code Warrior - Remote file inclusion
Secure Code Warrior - Remote file inclusion
 
HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)
HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)
HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)
 
Hacking web applications
Hacking web applicationsHacking web applications
Hacking web applications
 
Neat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionNeat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protection
 
Website hacking and prevention (All Tools,Topics & Technique )
Website hacking and prevention (All Tools,Topics & Technique )Website hacking and prevention (All Tools,Topics & Technique )
Website hacking and prevention (All Tools,Topics & Technique )
 
Time based CAPTCHA protected SQL injection through SOAP-webservice
Time based CAPTCHA protected SQL injection through SOAP-webserviceTime based CAPTCHA protected SQL injection through SOAP-webservice
Time based CAPTCHA protected SQL injection through SOAP-webservice
 
Python Deserialization Attacks
Python Deserialization AttacksPython Deserialization Attacks
Python Deserialization Attacks
 
Attacking thru HTTP Host header
Attacking thru HTTP Host headerAttacking thru HTTP Host header
Attacking thru HTTP Host header
 
AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programs
AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programsAEM hacker - approaching Adobe Experience Manager webapps in bug bounty programs
AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programs
 
Local File Inclusion to Remote Code Execution
Local File Inclusion to Remote Code ExecutionLocal File Inclusion to Remote Code Execution
Local File Inclusion to Remote Code Execution
 
Outlook and Exchange for the bad guys
Outlook and Exchange for the bad guysOutlook and Exchange for the bad guys
Outlook and Exchange for the bad guys
 
HTTP Request Smuggling via higher HTTP versions
HTTP Request Smuggling via higher HTTP versionsHTTP Request Smuggling via higher HTTP versions
HTTP Request Smuggling via higher HTTP versions
 
Different Methodology To Recon Your Targets
Different Methodology To Recon Your TargetsDifferent Methodology To Recon Your Targets
Different Methodology To Recon Your Targets
 
Privilege escalation from 1 to 0 Workshop
Privilege escalation from 1 to 0 Workshop Privilege escalation from 1 to 0 Workshop
Privilege escalation from 1 to 0 Workshop
 
OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)
 
XSS Magic tricks
XSS Magic tricksXSS Magic tricks
XSS Magic tricks
 
Understanding Cross-site Request Forgery
Understanding Cross-site Request ForgeryUnderstanding Cross-site Request Forgery
Understanding Cross-site Request Forgery
 
Use Node.js to create a REST API
Use Node.js to create a REST APIUse Node.js to create a REST API
Use Node.js to create a REST API
 
Unrestricted file upload CWE-434 - Adam Nurudini (ISACA)
Unrestricted file upload CWE-434 -  Adam Nurudini (ISACA)Unrestricted file upload CWE-434 -  Adam Nurudini (ISACA)
Unrestricted file upload CWE-434 - Adam Nurudini (ISACA)
 

Viewers also liked

Hacking websockets
Hacking websocketsHacking websockets
Hacking websockets
Tomek Cejner
 
Turning your surveillance camera against you
Turning your surveillance camera against youTurning your surveillance camera against you
Turning your surveillance camera against you
Sergey Shekyan
 
Detecting headless browsers
Detecting headless browsersDetecting headless browsers
Detecting headless browsers
Sergey Shekyan
 
Tweaking to get away from Application Layer DoS attacks
Tweaking to get away from Application Layer DoS attacksTweaking to get away from Application Layer DoS attacks
Tweaking to get away from Application Layer DoS attacks
Sergey Shekyan
 
Html5 localstorage attack vectors
Html5 localstorage attack vectorsHtml5 localstorage attack vectors
Html5 localstorage attack vectors
Shreeraj Shah
 
Websocket technology for XPages
Websocket technology for XPagesWebsocket technology for XPages
Websocket technology for XPages
Csaba Kiss
 
Nodejs and WebSockets
Nodejs and WebSocketsNodejs and WebSockets
Nodejs and WebSockets
Gonzalo Ayuso
 
AWS初心者向けWebinar AWSクラウドでのWindowsの実行
AWS初心者向けWebinar AWSクラウドでのWindowsの実行AWS初心者向けWebinar AWSクラウドでのWindowsの実行
AWS初心者向けWebinar AWSクラウドでのWindowsの実行
Amazon Web Services Japan
 
Introduction to WAMP, a protocol enabling PUB/SUB and RPC over Websocket
Introduction to WAMP, a protocol enabling PUB/SUB and RPC over WebsocketIntroduction to WAMP, a protocol enabling PUB/SUB and RPC over Websocket
Introduction to WAMP, a protocol enabling PUB/SUB and RPC over Websocket
sametmax
 
reveal.js 3.0.0
reveal.js 3.0.0reveal.js 3.0.0
reveal.js 3.0.0
Hakim El Hattab
 

Viewers also liked (10)

Hacking websockets
Hacking websocketsHacking websockets
Hacking websockets
 
Turning your surveillance camera against you
Turning your surveillance camera against youTurning your surveillance camera against you
Turning your surveillance camera against you
 
Detecting headless browsers
Detecting headless browsersDetecting headless browsers
Detecting headless browsers
 
Tweaking to get away from Application Layer DoS attacks
Tweaking to get away from Application Layer DoS attacksTweaking to get away from Application Layer DoS attacks
Tweaking to get away from Application Layer DoS attacks
 
Html5 localstorage attack vectors
Html5 localstorage attack vectorsHtml5 localstorage attack vectors
Html5 localstorage attack vectors
 
Websocket technology for XPages
Websocket technology for XPagesWebsocket technology for XPages
Websocket technology for XPages
 
Nodejs and WebSockets
Nodejs and WebSocketsNodejs and WebSockets
Nodejs and WebSockets
 
AWS初心者向けWebinar AWSクラウドでのWindowsの実行
AWS初心者向けWebinar AWSクラウドでのWindowsの実行AWS初心者向けWebinar AWSクラウドでのWindowsの実行
AWS初心者向けWebinar AWSクラウドでのWindowsの実行
 
Introduction to WAMP, a protocol enabling PUB/SUB and RPC over Websocket
Introduction to WAMP, a protocol enabling PUB/SUB and RPC over WebsocketIntroduction to WAMP, a protocol enabling PUB/SUB and RPC over Websocket
Introduction to WAMP, a protocol enabling PUB/SUB and RPC over Websocket
 
reveal.js 3.0.0
reveal.js 3.0.0reveal.js 3.0.0
reveal.js 3.0.0
 

Similar to Hacking (with) WebSockets

20140513_jeffyang_demo_openstack
20140513_jeffyang_demo_openstack20140513_jeffyang_demo_openstack
20140513_jeffyang_demo_openstack
Jeff Yang
 
An High Available Database for OpenStack Cloud Production by Pacemaker, Coros...
An High Available Database for OpenStack Cloud Production by Pacemaker, Coros...An High Available Database for OpenStack Cloud Production by Pacemaker, Coros...
An High Available Database for OpenStack Cloud Production by Pacemaker, Coros...
Jeff Yang
 
Data Grids with Oracle Coherence
Data Grids with Oracle CoherenceData Grids with Oracle Coherence
Data Grids with Oracle Coherence
Ben Stopford
 
Oow2007 performance
Oow2007 performanceOow2007 performance
Oow2007 performance
Ricky Zhu
 
Analyzing the Performance of Mobile Web
Analyzing the Performance of Mobile WebAnalyzing the Performance of Mobile Web
Analyzing the Performance of Mobile Web
Ariya Hidayat
 
Quic illustrated
Quic illustratedQuic illustrated
Quic illustrated
Alexander Krizhanovsky
 
Swift Install Workshop - OpenStack Conference Spring 2012
Swift Install Workshop - OpenStack Conference Spring 2012Swift Install Workshop - OpenStack Conference Spring 2012
Swift Install Workshop - OpenStack Conference Spring 2012
Joe Arnold
 
Non-blocking I/O, Event loops and node.js
Non-blocking I/O, Event loops and node.jsNon-blocking I/O, Event loops and node.js
Non-blocking I/O, Event loops and node.js
Marcus Frödin
 
Stress your DUT
Stress your DUTStress your DUT
Stress your DUT
Redge Technologies
 
PLNOG20 - Paweł Małachowski - Stress your DUT–wykorzystanie narzędzi open sou...
PLNOG20 - Paweł Małachowski - Stress your DUT–wykorzystanie narzędzi open sou...PLNOG20 - Paweł Małachowski - Stress your DUT–wykorzystanie narzędzi open sou...
PLNOG20 - Paweł Małachowski - Stress your DUT–wykorzystanie narzędzi open sou...
PROIDEA
 
Dns protocol design attacks and security
Dns protocol design attacks and securityDns protocol design attacks and security
Dns protocol design attacks and security
Michael Earls
 
Kernel Recipes 2015: Linux Kernel IO subsystem - How it works and how can I s...
Kernel Recipes 2015: Linux Kernel IO subsystem - How it works and how can I s...Kernel Recipes 2015: Linux Kernel IO subsystem - How it works and how can I s...
Kernel Recipes 2015: Linux Kernel IO subsystem - How it works and how can I s...
Anne Nicolas
 
Spca2014 advanced share point troubleshooting hessing
Spca2014 advanced share point troubleshooting hessingSpca2014 advanced share point troubleshooting hessing
Spca2014 advanced share point troubleshooting hessing
NCCOMMS
 
Scalable Socket Server by Aryo
Scalable Socket Server by AryoScalable Socket Server by Aryo
Scalable Socket Server by Aryo
Agate Studio
 
Introducing Vortex Lite
Introducing Vortex LiteIntroducing Vortex Lite
Introducing Vortex Lite
Angelo Corsaro
 
Introducing Vortex Lite
Introducing Vortex LiteIntroducing Vortex Lite
Introducing Vortex Lite
ADLINK Technology IoT
 
Os Gottfrid
Os GottfridOs Gottfrid
Os Gottfrid
oscon2007
 
Kauli SSPにおけるVyOSの導入事例
Kauli SSPにおけるVyOSの導入事例Kauli SSPにおけるVyOSの導入事例
Kauli SSPにおけるVyOSの導入事例
Kazuhito Ohkawa
 
OpenSSL Basic Function Call Flow
OpenSSL Basic Function Call FlowOpenSSL Basic Function Call Flow
OpenSSL Basic Function Call Flow
William Lee
 
KSDG-iSlide App 開發心得分享
KSDG-iSlide App 開發心得分享KSDG-iSlide App 開發心得分享
KSDG-iSlide App 開發心得分享
Chia Wei Tsai
 

Similar to Hacking (with) WebSockets (20)

20140513_jeffyang_demo_openstack
20140513_jeffyang_demo_openstack20140513_jeffyang_demo_openstack
20140513_jeffyang_demo_openstack
 
An High Available Database for OpenStack Cloud Production by Pacemaker, Coros...
An High Available Database for OpenStack Cloud Production by Pacemaker, Coros...An High Available Database for OpenStack Cloud Production by Pacemaker, Coros...
An High Available Database for OpenStack Cloud Production by Pacemaker, Coros...
 
Data Grids with Oracle Coherence
Data Grids with Oracle CoherenceData Grids with Oracle Coherence
Data Grids with Oracle Coherence
 
Oow2007 performance
Oow2007 performanceOow2007 performance
Oow2007 performance
 
Analyzing the Performance of Mobile Web
Analyzing the Performance of Mobile WebAnalyzing the Performance of Mobile Web
Analyzing the Performance of Mobile Web
 
Quic illustrated
Quic illustratedQuic illustrated
Quic illustrated
 
Swift Install Workshop - OpenStack Conference Spring 2012
Swift Install Workshop - OpenStack Conference Spring 2012Swift Install Workshop - OpenStack Conference Spring 2012
Swift Install Workshop - OpenStack Conference Spring 2012
 
Non-blocking I/O, Event loops and node.js
Non-blocking I/O, Event loops and node.jsNon-blocking I/O, Event loops and node.js
Non-blocking I/O, Event loops and node.js
 
Stress your DUT
Stress your DUTStress your DUT
Stress your DUT
 
PLNOG20 - Paweł Małachowski - Stress your DUT–wykorzystanie narzędzi open sou...
PLNOG20 - Paweł Małachowski - Stress your DUT–wykorzystanie narzędzi open sou...PLNOG20 - Paweł Małachowski - Stress your DUT–wykorzystanie narzędzi open sou...
PLNOG20 - Paweł Małachowski - Stress your DUT–wykorzystanie narzędzi open sou...
 
Dns protocol design attacks and security
Dns protocol design attacks and securityDns protocol design attacks and security
Dns protocol design attacks and security
 
Kernel Recipes 2015: Linux Kernel IO subsystem - How it works and how can I s...
Kernel Recipes 2015: Linux Kernel IO subsystem - How it works and how can I s...Kernel Recipes 2015: Linux Kernel IO subsystem - How it works and how can I s...
Kernel Recipes 2015: Linux Kernel IO subsystem - How it works and how can I s...
 
Spca2014 advanced share point troubleshooting hessing
Spca2014 advanced share point troubleshooting hessingSpca2014 advanced share point troubleshooting hessing
Spca2014 advanced share point troubleshooting hessing
 
Scalable Socket Server by Aryo
Scalable Socket Server by AryoScalable Socket Server by Aryo
Scalable Socket Server by Aryo
 
Introducing Vortex Lite
Introducing Vortex LiteIntroducing Vortex Lite
Introducing Vortex Lite
 
Introducing Vortex Lite
Introducing Vortex LiteIntroducing Vortex Lite
Introducing Vortex Lite
 
Os Gottfrid
Os GottfridOs Gottfrid
Os Gottfrid
 
Kauli SSPにおけるVyOSの導入事例
Kauli SSPにおけるVyOSの導入事例Kauli SSPにおけるVyOSの導入事例
Kauli SSPにおけるVyOSの導入事例
 
OpenSSL Basic Function Call Flow
OpenSSL Basic Function Call FlowOpenSSL Basic Function Call Flow
OpenSSL Basic Function Call Flow
 
KSDG-iSlide App 開發心得分享
KSDG-iSlide App 開發心得分享KSDG-iSlide App 開發心得分享
KSDG-iSlide App 開發心得分享
 

Hacking (with) WebSockets

  • 1. Hacking with WebSockets Mike Shema Sergey Shekyan Vaagn Toukharian (got sick last night) December 2012 Thursday, December 13, 12 1
  • 2. A Trip into HTML5 WebSockets background Their appeal to developers Their appeal to attackers What makes them better Thursday, December 13, 12 2
  • 3. HTML4‘s Crude Solutions Forcing persistence on a non-persistent protocol ...often at the server’s expense of one thread/request ...while dealing with the browser’s per-domain connection limit ...and trying to figure out an efficient polling frequency ...just to know when the server has some data ready. Thursday, December 13, 12 3
  • 4. Almost WebSockets Forcing HTML5 on a non-HTML5 browser web-socket-js -- The power of Flash’s raw sockets with the benefits(?) of Flash’s security sockjs-client -- Pure JavaScript, choose your poison: long-polling, XHR, etc. HTML5 Server-Sent Events (http://www.w3.org/TR/eventsource/) Properly-implemented long-polling Content only flows from server → client Thursday, December 13, 12 4
  • 5. One Socket, Two Directions Yay! The WebSocket Protocol enables two-way communication between a client running untrusted code in a controlled environment to a remote host that has opted-in to communications from that code. Hmm... Uh oh - RFC 6455 Thursday, December 13, 12 5
  • 6. Speak to Me Protocol JavaScript API (RFC 6455) .onmessage() Low overhead .send() Simple format Data as String, Content agnostic Blob, HTTP compatible* ArrayBuffer Thursday, December 13, 12 6
  • 7. Handshake Challenge GET /?encoding=text HTTP/1.1 Host: echo.websocket.org User-Agent: ... Connection: Upgrade Sec-WebSocket-Version: 13 Origin: http://www.websocket.org Sec-WebSocket-Key: CjYoQD+BXC718rj3aiExxw== base64(16 random bytes) Thursday, December 13, 12 7
  • 8. Handshake Response HTTP/1.1 101 Switching Protocols Upgrade: WebSocket Proxy might Connection: Upgrade remove this! Sec-WebSocket-Accept: c4RVZSknSoEHizZu6BKl3v +xUuI= base64(SHA1(challenge + GUID) [ then the data frames begin ] Thursday, December 13, 12 8
  • 9. HTTP Handshake Proves mutual agreement to speak WebSockets Not intended to prove either trust or identity User Agent should not establish plaintext WebSocket (ws:) from “secure” resource (https:) Includes the Origin header Must complete before another connection may be established to the same origin Thursday, December 13, 12 9
  • 10. Data Frame Details 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-------+-+-------------+-------------------------------+ |F|R|R|R| opcode|M| Payload len | Extended payload length | |I|S|S|S| (4) |A| (7) | (16/64) | |N|V|V|V| |S| | (if payload len==126/127) | | |1|2|3| |K| | | +-+-+-+-+-------+-+-------------+ - - - - - - - - - - - - - - - + | Extended payload length continued, if payload len == 127 | + - - - - - - - - - - - - - - - +-------------------------------+ | |Masking-key, if MASK set to 1 | +-------------------------------+-------------------------------+ | Masking-key (continued) | Payload Data | +-------------------------------- - - - - - - - - - - - - - - - + : Payload Data continued ... : + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + | Payload Data continued ... | +---------------------------------------------------------------+ Thursday, December 13, 12 10
  • 11. Variable Lengths Decimal Length (7 bits) Variable Length (16- or 64-bit) 1 1000000 n/a 128 0111111 00000001 00000000 65535 0111111 11111111 11111111 65536 1111111 00000000 00000000 1... 2^64 - 1 1 1 1 1 1 1 1 11111111 ... 11111111 19 1100100 n/a 19 0111111 11001000 00000000 19 1111111 11001000 00000000 0... Thursday, December 13, 12 11
  • 12. src 10.171.90.44 dst 174.129.224.73 options [] Masking Data TCP sport 63784 dport http f9 28 00 50 fb 51 8d 7f ea d5 21 21 80 18 seq 4216425855 82 18 fa c2 00 00 01 01 08 0a c5 4f 2d e2 61 52 ack 3939836193 72 98 dataofs 8L reserved 0L flags 32-bit pseudo-random value, XOR byte by byte PA window 33304 chksum 0xfac2 urgptr Prevent the browser from being leveraged for cross-protocol attacks, cache poisoning 0 options [(’NOP’, None), (’[...] WebSocket flags FIN opcode text frame 81 a5 bd cc ef e0 e9 a4 8a 99 9a be 8a c0 mask flag 1L de a3 82 89 d3 ab cf 94 d2 ec 88 85 c9 ec 96 8f length 37L c8 e0 cf a2 dc be 8d 81 cf ad c1 ce 93 mask 0xbdccefe0 frame data ’xe9xa4x8ax99[...] bd cc ef e0 bd cc ef e0 bd ... e9 a4 8a 99 9a be 8a c0 de ... T h e y ‘ r e c Thursday, December 13, 12 12
  • 13. Design Choices Items transparent to JavaScript API User Agents mask data to the server “Ping” & “pong” frames for connection keep-alive User Agent should minimize details for certain kinds of connection failures to prevent “better” host/port scanning Thursday, December 13, 12 13
  • 14. Data Frame Security The handshake provides the headers to create a security context Cookies, CORS, Origin, etc. Decoupling this information is dangerous 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +---------------------------------------------------------------+ | [ insert your protocol here ] | +---------------------------------------------------------------+ | It is pitch dark. | + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + | You are likely to be eaten by a grue. | +---------------------------------------------------------------+ Thursday, December 13, 12 14
  • 15. What makes us worry Thursday, December 13, 12 15
  • 16. (Don’t) Blame the Messenger WebSockets still fall victim to “old” threats WebSockets still have interesting things to discuss Thursday, December 13, 12 16
  • 17. Mixed content handling If you can sniff http: you can sniff ws: If you can intercept or inject, you can overtake ws:/ wss: It should be impossible to mix ws: with https: by RFC WebKit doesn’t enforce this Thursday, December 13, 12 17
  • 18. Denial of Service - Client WebSockets connection limit is different than HTTP connection limit Malicious content can exhaust browser by grabbing max. allowed number of WebSocket connections go to http://www.slowhammer.me/now.html with mobile Safari “..Yes, WebSocket is the first way to open an unlimited number of connections to a single server, so it indeed likely needs additional protection to prevent DOS attacks. But we don't really have a way to implement this correctly...” https://bugs.webkit.org/show_bug.cgi?id=32246 Thursday, December 13, 12 18
  • 19. Denial of Service - Server Welcome!er! a t L Malicious content can create large number of WebSocket connections to victim WebSocket server Attacks like SlowLoris strive to maintain persistent connections thus draining server resources. WebSockets are naturally like that Thursday, December 13, 12 19
  • 20. Are Browsers OK? Still no mixed content handling policy implemented by WebKit-based (except Chromium) Firefox still doesn’t let WebWorkers create WebSockets Message sizes handled differently Thursday, December 13, 12 20
  • 21. Fuzzing WS Fuzzing WS data Capturing real life data with JS Fuzzing within a Browser Fuzzing WS frameworks Fuzzing WS handshake Fuzzing WS Headers Thursday, December 13, 12 21
  • 22. Fuzzing WS data with JS var f_replace =''; var f_append =''; WebSocket.prototype._send = WebSocket.prototype.send; WebSocket.prototype.send = function (data) { this._send(data); this.addEventListener('message', function (msg) { }, false); this.send = function (data) { if(f_replace !='') { data = f_replace; } else if( f_append !='') { data = data + f_append; } this._send(data); }; } Thursday, December 13, 12 22
  • 23. Fuzzing Frameworks Getting Crashes (not yet) Fingerprinting frameworks Thursday, December 13, 12 23
  • 24. Fingerprinting WebSocket++ Successful handshake: HTTP/1.1 101 Switching Protocols Connection: Upgrade Sec-WebSocket-Accept: Pzio3NY64M/GFfA/kK4WJpj2xY4= Server: WebSocket++/0.2.0dev Upgrade: websocket Failed handshake: HTTP/1.1 404 Server: WebSocket++/0.2.0dev Thursday, December 13, 12 24
  • 25. Fingerprinting AutobahnPython Successful handshake: HTTP/1.1 101 Switching Protocols Connection: Upgrade Sec-WebSocket-Accept:fKrZviGIoYH4PrDbQ98Nvsbk2cU= Server: AutobahnPython/0.5.9 Upgrade: WebSocket Failed handshake: HTTP/1.1 400 WebSocket version 12 not supported (supported versions: 13,8,0) Sec-WebSocket-Version: 13,8,0 Thursday, December 13, 12 25
  • 26. Fingerprinting Node.JS Successful handshake: HTTP/1.1 101 Switching Protocols Connection: Upgrade Sec-WebSocket-Accept:zSKX8MU5Omx1JXHacSpdN5a4ur4= Upgrade: websocket Failed handshake: HTTP/1.1 426 Upgrade Required Connection: close Sec-WebSocket-Version: 13 X-WebSocket-Reject-Reason: Unsupported websocket client version: 12Only versions 8 and 13 are supported. Thursday, December 13, 12 26
  • 27. Looking for WS Security How to inspect WS traffic How to manipulate WS traffic? Are there browser plugins to help? Are there proxies that support WebSockets? Thursday, December 13, 12 27
  • 28. Tools WireShark Proxies(ZAProxy, Fiddler) Chrome Developer Tools overloaded WebSocket constructor and methods Thursday, December 13, 12 28
  • 29. Wish You Were Here Unawareness of WebSocket protocol by security devices (firewalls, IDS, IPS) makes them ineffective against malicious traffic Masking inhibits identifying patterns in traffic Missing auxiliary data type information makes it even harder Covert channels, command & control Resurrect Loki (Phrack 49) Sources of entropy: reserved flags, length representations, mask Thursday, December 13, 12 29
  • 30. Is there anybody out there? We wrote a QtWebKit-based crawler with overloaded WebSocket ctor; whenever it’s called - we get a record in the DB. As simple as: window._WebSocket = window.WebSocket; window.WebSocket = function(u, p) { cpp_accessible_obj.ws_url = u; cpp_accessible_obj.dumpToDB(); return new window._WebSocket(u, p); } Thursday, December 13, 12 30
  • 31. Not really... Distribution of Alexa Top 600K websites that use WebSockets 100K 200K Ranges of the samples 300K 400K 500K 600K 0 38 75 113 150 WebSocket instances found Thursday, December 13, 12 31
  • 32. Details? 0.15% of websites use WebSockets on landing page. Less than 4% of captured WebSockets are using plain ws: 95% of total WebSockets connect to a single vendor’s customer support chat system among remaining 5%, less than 1% are using encryption Thursday, December 13, 12 32
  • 33. True picture is... Distribution of Alexa Top 600K websites that use WebSockets 100K 200K Ranges of the samples 300K 400K 500K 600K 0 2 4 5 7 WebSocket instances found, excluding CS chat system Thursday, December 13, 12 33
  • 34. What makes them better Thursday, December 13, 12 34
  • 35. Recommendations What it's good for Time critical data delivery Apps that require true bidirectional flow Interactivity Higher throughput Remember, it doesn’t fix existing vulnerabilities Thursday, December 13, 12 35
  • 36. Deploying a Server Capacity planning & measurement to prevent self-inflicted DoS Verify the Origin header As always, assume the client is hostile -- don’t trust it Be careful when implementing the HTTP handshake Create a single-purpose HTTP handler, not a pseudo-web server Thursday, December 13, 12 36
  • 37. Security of the tunneled protocol Beware of decoupling WebSocket session context from the HTTP session context Watch for protocol mistakes using session cookies as chat IDs (visible to the recipient) replay spoofing fragmentation, overlapping fragments server-side buffer overflows, underflows Thursday, December 13, 12 37
  • 38. Remember Security Basics wss: means secure transport, not secure app Authn/Authz Session identifiers Server-side input validation Resource exhaustion Failure states Thursday, December 13, 12 38
  • 39. Summary WebSockets solve connection problems, not security problems. Basic security principles still apply, especially for data frames’ content. “The new port 80” -- security devices have poor (nonexistent!?) awareness of the protocol. Thursday, December 13, 12 39
  • 41. Thank You! Mike @CodexWebSecurum Sergey @sshekyan Vaagn @tukharian Thursday, December 13, 12 41
  • 42. References http://lists.whatwg.org/pipermail/whatwg-whatwg.org/ 2008-June/015108.html http://www.ietf.org/mail-archive/web/tls/current/ msg05593.html http://webtide.intalio.com/2011/09/cometd-2-4-0- websocket-benchmarks/ Thursday, December 13, 12 42
  • 43. Interest in WebSockets? Thursday, December 13, 12 43