Web sockets - Pentesting

1. WEBSOCKETS
A QUICK TOUR

2. ABOUT ME
NEHA BAHETY
PENETRATION TESTER & ETHICAL HACKER

3. WHAT IS THIS
TALK ABOUT?
What are WebSockets?
Why do we need them?
How do we use them?
Tools used for WebSocket Pentesting.
List of Vulnerabilities
What limitations do they have

4. WHAT ARE
WEBSOCKETS?
WEBSOCKET IS A TECHNOLOGY FOR PROVIDING BI-DIRECTIONAL FULL DUPLEX
COMMUNICATION CHANNELS OVER A SINGLE TCP SOCKET.

5. SIMPLE
DEFINITION.
IT’S A NEW FEATURE IN HTML5 THAT LET
YOU STREAM DATA TO AND FROM WEB
BROWSERS.

7. SOME MORE
INFORMATIO
N ABOUT
WEB_SOCKET

8. WEB_SOCKET
HANDSHAKE

9. WHY DO WE NEED WEBSOCKETS??
• 1-WebSocket is a naturally full-duplex, bidirectional, single-socket connection. With WebSocket,
your HTTP request becomes a single request to open a WebSocket connection and reuses the
same connection from the client to the server, and the server to the client.
• 2-WebSocket reduces latency. For example, unlike polling, WebSocket makes a single request.
The server does not need to wait for a request from the client. Similarly, the client can send
messages to the server at any time. This single request greatly reduces latency over polling,
which sends a request at intervals, regardless of whether messages are available.
• 3-WebSocket makes real-time communication much more efficient. You can always use polling
(and sometimes even streaming) over HTTP to receive notifications over HTTP. However,
WebSocket saves bandwidth, CPU power, and latency. WebSocket is an innovation in
performance

11. SOME MORE USAGE :
• WebSocket is an underlying network protocol that enables you to build other
standard protocols on top of it.
• WebSocket is part of an effort to provide advanced capabilities to HTML5
applications in order to compete with other platforms.
• WebSocket is about Simplicity

12. HOW DO WE USE THEM???
• What all things required:
Webkit: Chrome, Safari(Work on ios)
Client Javascript API
 Server-Side API

15. TOOLS USED
• Burp can proxy WebSocket Traffic
• OWASP ZAP can Proxy and fuzz WebSocket Traffic
• Chrome offers a Web Socket client and developer tools(F12)
**During Mapping phase look for ws:// or wss://
** Both Ruby and python support websocket client and servers.

16. LIST OF VULNERABILITIES
WebSockets have been a source of interesting vulnerabilities
Apache, Wireshark, Chrome, OpenStack, MessageSight, Firefox, Drupal, Ansible
Tower, and others
Denial of service, remote code execution, sandbox bypass, and authorization
bypass
• CVE-2014-0193, CVE-2014-0921, CVE-2014-0922, CVE-2014-1703, CVE-2014-
3165, CVE-2014-3429, CVE-2015-0176, CVE-2015-0228, CVE-2015-0259, CVE-
2015-1244, CVE-2015-1482, CVE-2015-3810, CVE-2015-7197, and CVE-2015-8601

17. LIMITATIONS
ANY GUESSESS???

18. BIG ONE’S
• Not all Browsers support them:
Firefox 4, IE9,Opera
• WebSockets need maintenance and care:
Re-open connif network timeout
Back off if server is down
 Keep Alive if your connection times out
Buffer and resends the message in above cases
• Many libraries – including the most popular Ruby one

19. ATTACKER’S VIEW OF WEBSOCKET
• This is a relatively new area of security research New technologies create challenges
for defenders
• Protocol use might not be properly monitored
• Defenders might not even know it is there! Attackers can leverage WebSockets to
• attack server side
• attack client side
• attack parsers
• bypass filtering

20. REFERENCES
• https://tools.ietf.org/html/rfc6455
• https://blog.sessionstack.com/how-javascript-works-deep-dive-into-websockets-
and-http-2-with-sse-how-to-pick-the-right-path-584e6b8e3bf7
• https://media.blackhat.com/bh-us-
12/Briefings/Shekyan/BH_US_12_Shekyan_Toukharian_Hacking_Websocket_Slides.
pdf
• https://github.com/interference-security/DVWS
• https://github.com/tssoffsec/docker-dvwsocket