Upgrade to Pro — share decks privately, control downloads, hide ads and more …

WebSocket security

Sponsored · Ship Features Fearlessly Turn features on and off without deploys. Used by thousands of Ruby developers.
Avatar for Ihor Bliumental Ihor Bliumental
November 18, 2017
Technology
1
130

WebSocket security

Slides of my talk at OWASP Lviv 2017 conference, Nov 18, 2017.
http://owasp-lviv.blogspot.nl/2017/11/owasp-ukraine-2017-lviv-security.html

Avatar for Ihor Bliumental

Ihor Bliumental

November 18, 2017
Tweet

Other Decks in Technology

See All in Technology
Sansan Engineering Unit 紹介資料
Avatar for Sansan, Inc. sansan33
PRO
1
3.8k
生成AI時代にこそ求められるSRE / SRE for Gen AI era
Avatar for ymotongpoo ymotongpoo
5
2.6k
広告の効果検証を題材にした因果推論の精度検証について
Avatar for ZOZO Developers zozotech
PRO
0
110
データ民主化のための LLM 活用状況と課題紹介(IVRy の場合)
Avatar for 和田 悠佑 wxyzzz
2
660
GitHub Issue Templates + Coding Agentで簡単みんなでIaC/Easy IaC for Everyone with GitHub Issue Templates + Coding Agent
Avatar for AEON aeonpeople
1
170
Data Hubグループ 紹介資料
Avatar for Sansan, Inc. sansan33
PRO
0
2.7k
Deno・Bunの標準機能やElysiaJSを使ったWebSocketサーバー実装 / ラーメン屋を貸し切ってLT会! IoTLT 2026新年会
Avatar for you(@youtoy) you
PRO
0
290
モダンUIでフルサーバーレスなAIエージェントをAmplifyとCDKでサクッとデプロイしよう
Avatar for みのるん minorun365
2
130
AIと新時代を切り拓く。これからのSREとメルカリIBISの挑戦
Avatar for ktykogm 0gm
0
730
usermode linux without MMU - fosdem2026 kernel devroom
Avatar for Hajime Tazaki thehajime
0
210
仕様書駆動AI開発の実践: Issue→Skill→PRテンプレで 再現性を作る
Avatar for 西岡 賢一郎 (Kenichiro Nishioka) knishioka
2
590
GitLab Duo Agent Platform × AGENTS.md で実現するSpec-Driven Development / GitLab Duo Agent Platform × AGENTS.md
Avatar for Niishi Kubo n11sh1
0
120

Featured

See All Featured
Dealing with People You Can't Stand - Big Design 2015
Avatar for Cassini Nazir cassininazir
367
27k
How STYLIGHT went responsive
Avatar for nonsquared nonsquared
100
6k
Breaking role norms: Why Content Design is so much more than writing copy - Taylor Woolridge
Avatar for UX Y'all uxyall
0
160
What's in a price? How to price your products and services
Avatar for Michael Herold michaelherold
247
13k
GraphQLとの向き合い方2022年版
Avatar for Yosuke Kurami quramy
50
14k
The Cost Of JavaScript in 2023
Avatar for Addy Osmani addyosmani
55
9.5k
I Don’t Have Time: Getting Over the Fear to Launch Your Podcast
Avatar for Joe Casabona jcasabona
34
2.6k
Making the Leap to Tech Lead
Avatar for Ryan Cromwell cromwellryan
135
9.7k
実際に使うSQLの書き方 徹底解説 / pgcon21j-tutorial
Avatar for soudai sone soudai
PRO
196
71k
Understanding Cognitive Biases in Performance Measurement
Avatar for Philip Tellis bluesmoon
32
2.8k
Game over? The fight for quality and originality in the time of robots
Avatar for Wayne Barker wayneb77
1
110
End of SEO as We Know It (SMX Advanced Version)
Avatar for Michael King ipullrank
3
3.9k

Transcript

  1. Ihor Bliumental OWASP Kyiv Chapter Lead [email protected] WebSocket security

  2. WebSocket handshake

  3. WebSocket protocol

  4. WebSocket handshake

  5. WebSocket handshake

  6. WebSocket – Javascript API

  7. Authentication

  8. Authorization • An attacker can access the data/functions without authorization

    • An attacker can access the data/functions which require higher level of authorization • An attacker can access other same level user's restricted data/functions

  9. Cross Origin Resource Sharing

  10. Cross Origin Resource Sharing

  11. Traffic encryption • All sensitive data should be transferred using

    TLS (wss://) • TLS should be implemented correctly (no weak ciphers)

  12. Resource Exhaustion • Connection is being kept until client or

    server close it • An attacker can exhausts all available connections • Modern clients have limits (e.g. Chrome: 256 total WS connections, 30 per one host; Firefox: 200 total WS connections)

  13. Improper input validation • A1 - Injections (SQLi, Code injections,

    Template injections, etc.) • A4 - XXE • A7 - XSS • A8 - Insecure deserialisation

  14. Chrome developer tools

  15. Simple WebSocket Client (FF/Chrome addon)

  16. Burp Suite Community Edition

  17. Burp Suite Pro

  18. Burp Suite Pro

  19. OWASP ZAP

  20. OWASP ZAP

  21. Example

  22. Questions?