Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Ihor Blum - WebSockets

OWASP Kyiv
March 04, 2018
Technology
0
30

Ihor Blum - WebSockets

OWASP Kyiv

March 04, 2018
Tweet

More Decks by OWASP Kyiv

See All by OWASP Kyiv
Vlad Styran - OWASP Kyiv 2017 Report
owaspkyiv
0
55
Vlada Kulish - Why So Serial?
owaspkyiv
1
53
Roman Borodin - ISC2 & ISACA certification programs first-hand experience
owaspkyiv
0
66
Yevhen Teleshyk - OAuth Phishing
owaspkyiv
0
96
Vlad Styran - Cyber Security Economics 101
owaspkyiv
2
140
Anastasiia Vixentael - Don’t Waste Time on Learning Cryptography: Better Use It Properly
owaspkyiv
0
120
Dima Kovalenko - Modern SSL Pinning
owaspkyiv
0
69
Pavel Radchuk - SAMM: Understanding Agile in Security
owaspkyiv
0
270
Ivan Vyshnevskyi - Not So Quiet git push
owaspkyiv
0
130

Other Decks in Technology

See All in Technology
20240416_devopsdaystokyo
kzkmaeda
1
220
ServiceNow Knowledge Learning Rise up
manarobot
0
200
どうするコスト最適化のトレードオフ
tetsuyaooooo
1
490
EMとして2023年度に頑張ったこと / What we did well in FY2023 as a EM
pauli
1
160
本当のAWS基礎
toru_kubota
0
490
オーナーシップを持つ領域を明確にする
konifar
13
3.1k
推しは推せるときに推せ! プロダクトにフィードバックしていこう
nakasho
0
290
SPI原点回帰論:事業課題とFour Keysの結節点を見出す実践的ソフトウェアプロセス改善 / DevOpsDays Tokyo 2024
visional_engineering_and_design
4
1.9k
ゼロから始めるVue.jsコミュニティ貢献 / first-vuejs-community-contribution-link-and-motivation
lmi
1
110
複雑な構成要素を持つUIとの向き合い方 〜新・支出グラフでの実例〜 / B43 TECH TALK
nakamuuu
0
140
Cracking the KubeCon CfP
inductor
2
230
自己改善からチームを動かす! 「セルフエンジニアリングマネージャー」のすゝめ
shoota
6
250

Featured

See All Featured
Bootstrapping a Software Product
garrettdimon
PRO
302
110k
Statistics for Hackers
jakevdp
789
220k
Building Applications with DynamoDB
mza
88
5.6k
Producing Creativity
orderedlist
PRO
337
39k
How to Create Impact in a Changing Tech Landscape [PerfNow 2023]
tammyeverts
14
1.5k
Fight the Zombie Pattern Library - RWD Summit 2016
marcelosomers
227
16k
Building a Scalable Design System with Sketch
lauravandoore
456
32k
Side Projects
sachag
451
41k
Reflections from 52 weeks, 52 projects
jeffersonlam
345
19k
Let's Do A Bunch of Simple Stuff to Make Websites Faster
chriscoyier
501
140k
Put a Button on it: Removing Barriers to Going Fast.
kastner
58
3k
Building an army of robots
kneath
300
41k

Transcript

  1. Ihor Bliumental OWASP Kyiv Chapter Lead [email protected] WebSocket security

  2. WebSocket handshake

  3. WebSocket protocol

  4. WebSocket handshake

  5. WebSocket handshake

  6. WebSocket – Javascript API

  7. Authentication

  8. Authorization • An attacker can access the data/functions without authorization

    • An attacker can access the data/functions which require higher level of authorization • An attacker can access other same level user's restricted data/functions

  9. Cross Origin Resource Sharing

  10. Cross Origin Resource Sharing

  11. Traffic encryption • All sensitive data should be transferred using

    TLS (wss://) • TLS should be implemented correctly (no weak ciphers)

  12. Resource Exhaustion • Connection is being kept until client or

    server close it • An attacker can exhausts all available connections • Modern clients have limits (e.g. Chrome: 256 total WS connections, 30 per one host; Firefox: 200 total WS connections)

  13. Improper input validation • A1 - Injections (SQLi, Code injections,

    Template injections, etc.) • A4 - XXE • A7 - XSS • A8 - Insecure deserialisation

  14. Chrome developer tools

  15. Simple WebSocket Client (FF/Chrome addon)

  16. Burp Suite Community Edition

  17. Burp Suite Pro

  18. Burp Suite Pro

  19. OWASP ZAP

  20. OWASP ZAP

  21. Example

  22. Questions?