Upgrade to Pro — share decks privately, control downloads, hide ads and more …

WebSocket security

Ihor Bliumental
November 18, 2017
Technology
1
130

WebSocket security

Slides of my talk at OWASP Lviv 2017 conference, Nov 18, 2017.
http://owasp-lviv.blogspot.nl/2017/11/owasp-ukraine-2017-lviv-security.html

Ihor Bliumental

November 18, 2017
Tweet

Other Decks in Technology

See All in Technology
トレードオフスライダーにおける品質について考えてみた
suzuki_tada
3
180
サービスローンチを成功させろ! 〜SREが教える30日間の攻略ガイド〜
mmmatsuda
2
4.4k
Autify Company Deck
autifyhq
2
41k
例外処理を理解して、設計段階からエラーを「見つけやすく」「起こりにくく」する
kajitack
12
3.8k
あなたはJVMの気持ちを理解できるか?
skrb
5
2k
バクラクの組織とアーキテクチャ(要約)2025/01版
shkomine
13
3k
パブリッククラウドのプロダクトマネジメントとアーキテクト
tagomoris
4
770
ココナラのセキュリティ組織の体制・役割・今後目指す世界
coconala_engineer
0
220
生成AIを活用した機能を、顧客に提供するまでに乗り越えた『4つの壁』
toshiblues
1
210
カスタムインストラクションでGitHub Copilotをカスタマイズ!
07jp27
6
520
教師なし学習の基礎
kanojikajino
4
360
HCP TerraformとAzure:イオンスマートテクノロジーのインフラ革新 / HCP Terraform and Azure AEON Smart Technology's Infrastructure Innovation
aeonpeople
3
990

Featured

See All Featured
CoffeeScript is Beautiful & I Never Want to Write Plain JavaScript Again
sstephenson
160
15k
Practical Tips for Bootstrapping Information Extraction Pipelines
honnibal
PRO
11
900
RailsConf & Balkan Ruby 2019: The Past, Present, and Future of Rails at GitHub
eileencodes
132
33k
Making Projects Easy
brettharned
116
6k
Visualization
eitanlees
146
15k
Visualizing Your Data: Incorporating Mongo into Loggly Infrastructure
mongodb
44
9.4k
Music & Morning Musume
bryan
46
6.3k
Done Done
chrislema
182
16k
ピンチをチャンスに:未来をつくるプロダクトロードマップ #pmconf2020
aki_iinuma
113
50k
Bash Introduction
62gerente
610
210k
The Art of Programming - Codeland 2020
erikaheidi
53
13k
Designing Dashboards & Data Visualisations in Web Apps
destraynor
231
52k

Transcript

  1. Ihor Bliumental OWASP Kyiv Chapter Lead [email protected] WebSocket security

  2. WebSocket handshake

  3. WebSocket protocol

  4. WebSocket handshake

  5. WebSocket handshake

  6. WebSocket – Javascript API

  7. Authentication

  8. Authorization • An attacker can access the data/functions without authorization

    • An attacker can access the data/functions which require higher level of authorization • An attacker can access other same level user's restricted data/functions

  9. Cross Origin Resource Sharing

  10. Cross Origin Resource Sharing

  11. Traffic encryption • All sensitive data should be transferred using

    TLS (wss://) • TLS should be implemented correctly (no weak ciphers)

  12. Resource Exhaustion • Connection is being kept until client or

    server close it • An attacker can exhausts all available connections • Modern clients have limits (e.g. Chrome: 256 total WS connections, 30 per one host; Firefox: 200 total WS connections)

  13. Improper input validation • A1 - Injections (SQLi, Code injections,

    Template injections, etc.) • A4 - XXE • A7 - XSS • A8 - Insecure deserialisation

  14. Chrome developer tools

  15. Simple WebSocket Client (FF/Chrome addon)

  16. Burp Suite Community Edition

  17. Burp Suite Pro

  18. Burp Suite Pro

  19. OWASP ZAP

  20. OWASP ZAP

  21. Example

  22. Questions?