IMCAFS

Posted by deaguero at 2020-03-25
Translation: legendervi

Socket introduction

A socket is an endpoint in a network communication. A socket always consists of two parts: an IP address and a port.

For example, when you visit www.securelayer7.net, your computer and the website's server communicate through sockets (endpoints). The website's endpoint is www.securelayer7.net:80, and your computer's endpoint is your IP address followed by a random port number, such as 192.168.0.111:6574.

About WebSocket

Traditionally, HTTP works by clients requesting resources and servers providing them. The server cannot talk to the client on its own initiative. WebSocket removes this limitation.

WebSockets provide a persistent, full-duplex connection between the client and the server, which either party can use to start sending data at any time.

How does it work?

A client, such as a browser, loads a web page with websocket capabilities.

The page's script is responsible for creating the WebSocket connection.

The script establishes the WebSocket connection through the WebSocket handshake. The process starts with the client sending a regular HTTP request to the server. This request contains the Upgrade request header, which tells the server that the client wants to establish a WebSocket connection.

The request is as follows:

It is worth noting that WebSocket uses ws as the URI scheme instead of http. The request above therefore accesses ws://127.0.0.1:9000/websocket

If the server supports WebSocket (for the above request), it replies with the Upgrade header in its response.

The response is as follows:

At this stage, the protocol switches from HTTP to WS, and a full-duplex connection is established between the browser and the server.

In this example, the WebSocket server echoes back whatever the client sends. For example, if the user types the word "hiii", the server replies with "hiii".
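
The handshake described above, as an added example (not code from the original article or from the php-websockets demo): a server-side check of the upgrade request and the `Sec-WebSocket-Accept` computation defined in RFC 6455. The sample request is constructed and the function names are hypothetical.

```python
import base64
import hashlib

WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"  # fixed GUID from RFC 6455

# Constructed request for ws://127.0.0.1:9000/websocket (RFC 6455 sample key).
SAMPLE_REQUEST = (
    "GET /websocket HTTP/1.1\r\n"
    "Host: 127.0.0.1:9000\r\n"
    "Upgrade: websocket\r\n"
    "Connection: keep-alive, Upgrade\r\n"
    "Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\n"
    "Sec-WebSocket-Version: 13\r\n"
    "\r\n"
)

def parse_headers(raw):
    """Return (request_line, headers) with header names lower-cased."""
    head = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    headers = {}
    for line in head[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return head[0], headers

def accept_value(key):
    """Sec-WebSocket-Accept = base64(SHA-1(key + GUID))."""
    digest = hashlib.sha1((key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")

def handshake_response(raw):
    """Build the 101 response, or a 400 if this is not a valid upgrade."""
    request_line, h = parse_headers(raw)
    tokens = [t.strip().lower() for t in h.get("connection", "").split(",")]
    ok = (
        request_line.startswith("GET ")
        and h.get("upgrade", "").lower() == "websocket"
        and "upgrade" in tokens
        and h.get("sec-websocket-version") == "13"
        and "sec-websocket-key" in h
    )
    if not ok:
        return "HTTP/1.1 400 Bad Request\r\n\r\n"
    return (
        "HTTP/1.1 101 Switching Protocols\r\n"
        "Upgrade: websocket\r\n"
        "Connection: Upgrade\r\n"
        f"Sec-WebSocket-Accept: {accept_value(h['sec-websocket-key'])}\r\n\r\n"
    )
```

Nothing in this exchange authenticates the caller or checks where the page that opened the connection came from; the handshake only proves that both ends speak WebSocket.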

Request:

Response:

User interface:

Security risks of WebSockets

A. Cross site websocket hijacking

Note the request below. The Origin header carries a different origin, 127.0.0.1:5555. The request is sent to the WebSocket server with the victim's cookie. This means WebSocket can be used to carry out CSRF-like attacks.

However, unlike CSRF, this attack is not limited to sending data to the WebSocket server; it can also read the server's responses. This is because the WebSocket server does not check the "Origin" header by default. It only uses cookies to identify the authenticated user session and sends the response back to the "origin" of the request.

Therefore, in the case above, the attacker can also read the responses and so control two-way communication on behalf of the victim.

Protection:

Check the "Origin" header of the request. This header exists to prevent cross-origin attacks. If the origin is not trusted, simply decline the request. For example, if the domain name of your website is www.example.com, check whether the request originated from that origin; if so, process the request, and if not, reject it.

Another solution is to use session-based, per-user random tokens (like CSRF tokens). Generate them on the server side, place them in hidden fields on the client, and require them to be verified.
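
Both protections combined in one upgrade check, as an added example that is not part of the original article. It assumes the site is served from https://www.example.com and that the client sends the token back with the connection request; the function names and the `ws_token` session key are hypothetical.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Assumption: the only trusted origin is https://www.example.com.
TRUSTED_ORIGINS = {("https", "www.example.com", 443)}
DEFAULT_PORTS = {"http": 80, "https": 443}

def origin_tuple(origin):
    """Normalise an Origin header to (scheme, host, port); None if malformed."""
    try:
        parts = urlsplit(origin)
        port = parts.port or DEFAULT_PORTS.get(parts.scheme)
    except ValueError:
        return None
    if not parts.hostname or port is None or parts.path or parts.query:
        return None
    return (parts.scheme, parts.hostname, port)

def issue_token(session):
    """Create the per-session random token that the page embeds."""
    session["ws_token"] = secrets.token_urlsafe(32)
    return session["ws_token"]

def authorize_upgrade(headers, session, presented_token):
    """Return (allowed, reason) for a WebSocket upgrade request."""
    # Exact tuple comparison: substring or prefix matching would accept
    # look-alike hosts such as www.example.com.attacker.test.
    if origin_tuple(headers.get("origin", "")) not in TRUSTED_ORIGINS:
        return False, "untrusted origin"
    expected = session.get("ws_token", "")
    presented = (presented_token or "").encode("utf-8")
    # Constant-time comparison of the session token.
    if not expected or not hmac.compare_digest(expected.encode("utf-8"), presented):
        return False, "bad token"
    return True, "ok"

if __name__ == "__main__":
    session = {}
    token = issue_token(session)
    # Constructed requests: the legitimate page, then the cross-origin page.
    for origin in ("https://www.example.com", "http://127.0.0.1:5555"):
        print(origin, authorize_upgrade({"origin": origin}, session, token))
```

A request with no Origin header is rejected as well, which is the right default for an endpoint that only browsers on your own site should reach.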

B. Network sensitive information disclosure

Like HTTP, WebSocket is a plaintext protocol. This allows an attacker to capture and modify traffic on the network.

Protection:

Encrypted (TLS) WebSocket connections are recommended. Their URI scheme is wss:// and the default port is 443.

As shown below, the request accesses ws://127.0.0.1:900/websocket/. If it were a secure connection, the request would access wss://127.0.0.1:900/websocket/.

C. Denial of service

By default, WebSockets allow an unlimited number of connections, which can lead to denial of service (DoS). Here is a small script that connects to the WebSocket server indefinitely.

After executing this script, let's look at the WebSocket server log:

As we can see, 475 connections were completed in a few seconds. This exhausts server resources and eventually leads to denial of service.

Protection:

Using IP-based rate limiting will help solve this problem.

The rate limit should let 5-10 connections through freely, i.e. without any security checks. After 10 connections, however, if the same IP attempts to connect again, a verification code (CAPTCHA) should be displayed to the user. This ensures that automated tools cannot generate malicious requests while legitimate users are not denied service.
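
The rate limit described above, as an added example that is not part of the original article: a per-IP sliding-window counter that lets the first 10 connection attempts through and answers later ones with a challenge. The 60-second window, the class and function names, and the sample IP address are assumptions.

```python
import time
from collections import defaultdict, deque

FREE_CONNECTIONS = 10   # from the text: up to 10 connections pass unchecked
WINDOW_SECONDS = 60.0   # assumption: the text does not give a time window

class ConnectionLimiter:
    """Per-IP sliding-window counter for WebSocket connection attempts."""

    def __init__(self, free=FREE_CONNECTIONS, window=WINDOW_SECONDS,
                 clock=time.monotonic):
        self.free, self.window, self.clock = free, window, clock
        # maxlen bounds memory per IP, so a flood cannot grow the table entry.
        self.attempts = defaultdict(lambda: deque(maxlen=free + 1))

    def decide(self, ip, challenge_passed=False):
        """Return 'allow' or 'challenge' for a new attempt from ip."""
        now = self.clock()
        recent = self.attempts[ip]
        while recent and now - recent[0] >= self.window:
            recent.popleft()            # forget attempts outside the window
        recent.append(now)
        if len(recent) <= self.free or challenge_passed:
            return "allow"
        return "challenge"              # show the verification code first

def simulate(attempt_times, ip="203.0.113.7"):
    """Replay constructed attempt timestamps from one IP; return decisions."""
    fake_now = [0.0]
    limiter = ConnectionLimiter(clock=lambda: fake_now[0])
    decisions = []
    for t in attempt_times:
        fake_now[0] = t
        decisions.append(limiter.decide(ip))
    return decisions

if __name__ == "__main__":
    # Constructed burst: 475 attempts in under five seconds from one address.
    burst = simulate([i * 0.01 for i in range(475)])
    print(burst.count("allow"), "allowed,", burst.count("challenge"), "challenged")
```

In a deployment the counter has to key on the address seen by the component that terminates the connection, and entries for idle addresses should be evicted so the table itself stays bounded.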

Conclusion

WebSockets are ideal for full-duplex communication and are used by many chat applications and social networking sites. Implementing WebSockets makes applications more usable and attractive. But like any other technology, it needs to be used with security in mind.

Reference

Demo code from: https://github.com/ghedipunk/php-websockets

About WebSockets: https://developer.mozilla.org/en-us/docs/web/api/websockets_api/writing_websocket_client_applications

Security risks: https://www.owasp.org/index.php/testing_websockets_(otg-client-010)