Fuzzing Websockets

April 28, 2019


  1. Fuzzing Websockets (Rohit Jadav)

  2. [~]$ whoami
     • Security researcher & enthusiast
     • In InfoSec since 2014
     • Area of expertise: Penetration Testing
     • Currently working @ Net Square
     • @54ucyv1p3r
  3. Agenda
     • What are websockets?
     • HTTP vs Websockets
     • Difficulties during Websocket pentesting
     • Fuzzing harness
     • Using a harness to pentest websockets
     • Demo
  4. What are websockets?

  5. • WebSocket is a protocol for creating a fast two-way channel between a web browser and a server.
     • WebSocket overcomes limitations of HTTP to allow low-latency communication between a user and a web service.
  6. HTTP vs Websockets: http:// vs ws://

  7. How does HTTP work? (polling, client vs server)
     client: Do you have any messages?   server: No!
     client: Now?                        server: No!
     client: Now???                      server: Bob sent a message: Hello World!!
     (the client has to wait, wait, wait before it can continue)
  8. How do Websockets work? (client vs server)
     client: Let me know when you have any messages for me.   (client continues working)
     server: Bob sent a message: Hello World!!
  9. Difficulties during Websocket pentesting oops!

  10. There are many great resources about the basics of how Websockets work and how to get started assessing them “manually”. But for a security analyst or a bug bounty hunter, “dynamically” testing Websockets is really hard. Burp Suite Pro allows users to intercept Websocket messages and manipulate them manually (one at a time), but essential functionality like dynamic scanning is not yet available.
  11. Sample Websocket request and response in Burp

  12. Test Harness

  13. Fuzz Testing
      • A fuzzer executes the target application repeatedly, each time modifying the inbound data to cause hangs, leaks, exceptions, or crashes.
      • Needs an entry-point executable, or EPE.
      • 2 ways of fuzzing:
        ◦ Standard form: ready to go, e.g. “C:\Windows\System32\notepad.exe c:\someTestFile.txt”
        ◦ Non-standard forms: ????
  14. Non-standard forms are tested using a Test Harness
      • For applications, services, and libraries which do not have a standard EPE (e.g. a client-server application), a test harness is used to bridge the gap.
      • It is a custom executable/script that reads in file data and pipes or otherwise transmits the data to the target data parser so that the fuzzer can test it.
  15. Websocket Test Harness
      Applying the same idea of fuzz testing, we can create a Websocket harness. Requirements:
        1. Testing tool (BurpSuite, SQLmap etc.)
        2. Web server on the loopback interface
        3. Websocket endpoint
      Courtesy: VDA Labs https://www.vdalabs.com/2019/03/05/hacking-web-sockets-all-web-pentest-tools-welcomed/
  16. Harness flow (diagram): Burp Suite <-> Loopback Server (WS test harness) <-> Target WebSocket Application
      HTTP GET Request:    Burp Suite -> Loopback Server
      WebSocket Request:   Loopback Server -> Target WebSocket Application
      WebSocket Response:  Target WebSocket Application -> Loopback Server
      HTTP Response:       Loopback Server -> Burp Suite
      Courtesy: VDA Labs https://www.vdalabs.com/2019/03/05/hacking-web-sockets-all-web-pentest-tools-welcomed/
  17. Analysis of Test harness

  18. Harness source (VDA Labs), reformatted from the slide; the Python 2 original is ported to Python 3 here (http.server, urllib.parse, print()):

      #!/usr/bin/env python3
      import argparse
      import os
      import ssl
      from http.server import BaseHTTPRequestHandler, HTTPServer
      from urllib.parse import parse_qs

      from websocket import create_connection  # pip install websocket-client

      LOOP_BACK_PORT_NUMBER = 8000


      def FuzzWebSocket(fuzz_value):
          # Substitute the scanner's payload for [FUZZ], relay it over the
          # WebSocket and hand the server's reply back to the HTTP handler.
          print(fuzz_value)
          ws.send(ws_message.replace("[FUZZ]", str(fuzz_value[0])))
          result = ws.recv()
          return result


      def LoadMessage(file):
          # Read the message template that contains the [FUZZ] marker.
          file_contents = ""
          try:
              if os.path.isfile(file):
                  with open(file, 'r') as f:
                      file_contents = f.read()
          except OSError:
              print("Error reading file: %s" % file)
              exit()
          return file_contents


      class myWebServer(BaseHTTPRequestHandler):
          # Handler for the GET requests
          def do_GET(self):
              qs = parse_qs(self.path[2:])   # strip the leading "/?"
              fuzz_value = qs['fuzz']        # parse_qs gives a list per key
              result = FuzzWebSocket(fuzz_value)
              self.send_response(200)
              self.send_header('Content-type', 'text/html')
              self.end_headers()
              self.wfile.write(result.encode() if isinstance(result, str) else result)
              return


      parser = argparse.ArgumentParser(description='Web Socket Harness: Use traditional tools to assess web sockets')
      parser.add_argument('-u', '--url', help='The remote WebSocket URL to target.', required=True)
      parser.add_argument('-m', '--message', help='A file that contains the WebSocket message template to send. Please place [FUZZ] where injection is desired.', required=True)
      args = parser.parse_args()

      ws_message = LoadMessage(args.message)
      # Certificate checks are disabled; an empty http_proxy_host means no proxy is used.
      ws = create_connection(args.url, sslopt={"cert_reqs": ssl.CERT_NONE}, header={}, http_proxy_host="", http_proxy_port=8080)

      try:
          # Create a web server and define the handler to manage the incoming request
          server = HTTPServer(('', LOOP_BACK_PORT_NUMBER), myWebServer)
          print('Started httpserver on port', LOOP_BACK_PORT_NUMBER)
          # Wait forever for incoming http requests
          server.serve_forever()
      except KeyboardInterrupt:
          print('^C received, shutting down the web server')
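The bridge from slides 15, 16 and 18 reduced to its core so it can be exercised without a live endpoint. This is an added example, not the deck's or VDA Labs' code: FakeWebSocket is a constructed stand-in for websocket-client's connection, and the json_escape option (not in the original harness) illustrates the caveat that a raw [FUZZ] replace into a JSON template produces a malformed message whenever the payload contains a quote, so the server rejects the frame before the payload is ever evaluated.

```python
import json, threading, urllib.error, urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse

class FakeWebSocket:
    """Constructed stand-in for websocket-client's connection: echoes the last frame."""
    def __init__(self):
        self.sent = []
    def send(self, message):
        self.sent.append(message)
    def recv(self):
        return "echo:" + self.sent[-1]

def render_message(template, fuzz_value, json_escape=False):
    # json_escape (added here) keeps a JSON template well-formed when the payload
    # contains '"' or '\n'; a raw replace, as in the deck's harness, would not.
    if json_escape:
        fuzz_value = json.dumps(fuzz_value)[1:-1]  # escape, drop the outer quotes
    return template.replace("[FUZZ]", fuzz_value)

def bridge(ws, template, fuzz_value, json_escape=False):
    """One harness round trip: send the rendered message, return the reply."""
    ws.send(render_message(template, fuzz_value, json_escape))
    return ws.recv()

def make_handler(ws, template, json_escape=False):
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            qs = parse_qs(urlparse(self.path).query)
            if "fuzz" not in qs:  # the deck's harness raises KeyError here
                self.send_error(400, "missing fuzz parameter")
                return
            body = bridge(ws, template, qs["fuzz"][0], json_escape).encode()
            self.send_response(200)
            self.send_header("Content-Type", "text/plain; charset=utf-8")
            self.end_headers()
            self.wfile.write(body)
    return Handler

def roundtrip_via_http(ws, template, query, json_escape=False):
    """Serve on an ephemeral loopback port, do one GET as a scanner would, return (status, body)."""
    server = HTTPServer(("127.0.0.1", 0), make_handler(ws, template, json_escape))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        with urllib.request.urlopen("http://127.0.0.1:%d/?%s" % (server.server_address[1], query)) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.reason
    finally:
        server.shutdown(); server.server_close()
```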
  19. Demo

  20. Thank you!