Ihor Bliumental - WebSockets
OWASP Kyiv
WebSockets security analysis methods and techniques.
1.
WebSocket security
Ihor Bliumental, OWASP Kyiv Chapter Lead, ihor.bliumental@owasp.org
2.
WebSocket handshake
3.
WebSocket protocol
4.
WebSocket handshake
5.
WebSocket handshake
6.
WebSocket – JavaScript API
7.
Authentication
8.
Authorization
• An attacker can access data/functions without any authorization
• An attacker can access data/functions that require a higher level of authorization
• An attacker can access another same-level user's restricted data/functions
9.
Cross Origin Resource Sharing
10.
Cross Origin Resource Sharing
11.
Traffic encryption
• All sensitive data should be transferred over TLS (wss://)
• TLS should be implemented correctly (no weak ciphers)
12.
Resource Exhaustion
• A connection is kept open until the client or the server closes it
• An attacker can exhaust all available connections
• Modern clients have limits (e.g. Chrome: 256 total WS connections, 30 per host; Firefox: 200 total WS connections)
13.
Improper input validation
• A1 – Injection (SQLi, code injection, template injection, etc.)
• A4 – XXE
• A7 – XSS
• A8 – Insecure deserialisation
14.
Chrome developer tools
15.
Simple WebSocket Client (FF/Chrome addon)
16.
Burp Suite Community Edition
17.
Burp Suite Pro
18.
Burp Suite Pro
19.
OWASP ZAP
20.
OWASP ZAP
21.
Example
22.
Questions?