Ihor Blum - WebSockets

OWASP Kyiv

March 04, 2018
Transcript

  1. Ihor Bliumental OWASP Kyiv Chapter Lead ihor.bliumental@owasp.org WebSocket security

  2. WebSocket handshake

  3. WebSocket protocol

  4. WebSocket handshake

  5. WebSocket handshake

  6. WebSocket – JavaScript API

  7. Authentication

  8. Authorization
     • An attacker can access data/functions without authorization
     • An attacker can access data/functions which require a higher level of authorization
     • An attacker can access other same-level users' restricted data/functions

  9. Cross Origin Resource Sharing

  10. Cross Origin Resource Sharing

  11. Traffic encryption
     • All sensitive data should be transferred using TLS (wss://)
     • TLS should be implemented correctly (no weak ciphers)

  12. Resource Exhaustion
     • The connection is kept open until the client or the server closes it
     • An attacker can exhaust all available connections
     • Modern clients have limits (e.g. Chrome: 256 total WS connections, 30 per host; Firefox: 200 total WS connections)

  13. Improper input validation
     • A1 - Injections (SQLi, code injections, template injections, etc.)
     • A4 - XXE
     • A7 - XSS
     • A8 - Insecure deserialisation

  14. Chrome developer tools

  15. Simple WebSocket Client (FF/Chrome addon)

  16. Burp Suite Community Edition

  17. Burp Suite Pro

  18. Burp Suite Pro

  19. OWASP ZAP

  20. OWASP ZAP

  21. Example

  22. Questions?