Scribd Logo
Upload

Welcome to Scribd!

  • 240 views

    Hacking With WebSockets

    Uploaded by

    Sony Lazarus
    The WebSocket Protocol enables two-way communication between a client running untrusted code in a controlled environment to a remote host that has opted-in to communications from that code.

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd

    Hacking With WebSockets

    Uploaded by

    Sony Lazarus
    240 views43 pages
    The WebSocket Protocol enables two-way communication between a client running untrusted code in a controlled environment to a remote host that has opted-in to communications from that code.

    Original Title

    Hacking with WebSockets

    Copyright

    © © All Rights Reserved

    Available Formats

    PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    The WebSocket Protocol enables two-way communication between a client running untrusted code in a controlled environment to a remote host that has opted-in to communications from that code.

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Download as pdf or txt
    240 views43 pages

    Hacking With WebSockets

    Uploaded by

    Sony Lazarus
    The WebSocket Protocol enables two-way communication between a client running untrusted code in a controlled environment to a remote host that has opted-in to communications from that code.

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Download as pdf or txt
    of 43

    Hacking with WebSockets

    Mike Shema
    Sergey Shekyan
    Vaagn Toukharian (got sick last night)
    December 2012
    Thursday, December 13, 12

    A Trip into HTML5


    WebSockets background
    Their appeal to developers
    Their appeal to attackers
    What makes them better
    Thursday, December 13, 12

    HTML4s Crude Solutions


    Forcing persistence on a non-persistent protocol
    ...often at the servers expense of one thread/request
    ...while dealing with the browsers per-domain connection limit
    ...and trying to figure out an efficient polling frequency
    ...just to know when the server has some data ready.
    Thursday, December 13, 12

    Almost WebSockets
    Forcing HTML5 on a non-HTML5 browser
    web-socket-js -- The power of Flashs raw sockets with the
    benefits(?) of Flashs security
    sockjs-client -- Pure JavaScript, choose your poison: long-polling,
    XHR, etc.
    HTML5 Server-Sent Events (http://www.w3.org/TR/eventsource/)
    Properly-implemented long-polling
    Content only flows from server client
    Thursday, December 13, 12

    One Socket, Two Directions


    Yay!

    The WebSocket Protocol enables two-way


    communication between a client running
    untrusted code in a controlled environment to a
    remote host that has opted-in to communications from
    that code.
    Hmm...
    Uh oh
    Thursday, December 13, 12

    - RFC 6455
    5

    Speak to Me
    Protocol
    (RFC 6455)
    Low overhead
    Simple format
    Content agnostic
    HTTP compatible*
    Thursday, December 13, 12

    JavaScript API
    .onmessage()
    .send()
    Data as String,
    Blob,
    ArrayBuffer

    Handshake Challenge
    GET /?encoding=text HTTP/1.1
    Host: echo.websocket.org
    User-Agent: ...
    Connection: Upgrade
    Sec-WebSocket-Version: 13
    Origin: http://www.websocket.org
    Sec-WebSocket-Key: CjYoQD+BXC718rj3aiExxw==

    base64(16 random bytes)


    Thursday, December 13, 12

    Handshake Response
    HTTP/1.1 101 Switching Protocols
    Upgrade: WebSocket
    Proxy might
    remove this!
    Connection: Upgrade
    Sec-WebSocket-Accept: c4RVZSknSoEHizZu6BKl3v
    +xUuI=
    base64(SHA1(challenge + GUID)
    [ then the data frames begin ]

    Thursday, December 13, 12

    HTTP Handshake
    Proves mutual agreement to speak WebSockets
    Not intended to prove either trust or identity
    User Agent should not establish plaintext WebSocket (ws:) from
    secure resource (https:)
    Includes the Origin header
    Must complete before another connection may be established to
    the same origin
    Thursday, December 13, 12

    Data Frame Details


    0
    1
    2
    3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-------+-+-------------+-------------------------------+
    |F|R|R|R| opcode|M| Payload len |
    Extended payload length
    |
    |I|S|S|S| (4) |A|
    (7)
    |
    (16/64)
    |
    |N|V|V|V|
    |S|
    |
    (if payload len==126/127)
    |
    | |1|2|3|
    |K|
    |
    |
    +-+-+-+-+-------+-+-------------+ - - - - - - - - - - - - - - - +
    |
    Extended payload length continued, if payload len == 127 |
    + - - - - - - - - - - - - - - - +-------------------------------+
    |
    |Masking-key, if MASK set to 1 |
    +-------------------------------+-------------------------------+
    | Masking-key (continued)
    |
    Payload Data
    |
    +-------------------------------- - - - - - - - - - - - - - - - +
    :
    Payload Data continued ...
    :
    + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +
    |
    Payload Data continued ...
    |
    +---------------------------------------------------------------+
    Thursday, December 13, 12

    10

    Variable Lengths
    Decimal Length (7 bits)

    Variable Length (16- or 64-bit)

    1000000

    n/a

    128

    0111111

    00000001 00000000

    65535

    0111111

    11111111 11111111

    65536

    1111111

    00000000 00000000 1...

    2^64 - 1 1 1 1 1 1 1 1

    11111111 ... 11111111

    19

    1100100

    n/a

    19

    0111111

    11001000 00000000

    19

    1111111

    11001000 00000000 0...

    Thursday, December 13, 12

    11

    src
    dst
    options
    TCP
    sport
    dport
    seq
    ack
    dataofs
    reserved
    flags
    window
    chksum
    urgptr
    options

    10.171.90.44
    174.129.224.73
    []

    Masking Data
    63784
    http
    4216425855
    3939836193
    8L
    0L
    PA
    33304
    0xfac2
    0
    [(NOP, None), ([...]

    f9 28 00 50 fb 51 8d 7f ea d5 21 21 80 18
    82 18 fa c2 00 00 01 01 08 0a c5 4f 2d e2 61 52
    72 98

    32-bit pseudo-random value, XOR byte by byte


    Prevent the browser from being leveraged for cross-protocol attacks, cache poisoning

    WebSocket
    flags
    opcode
    mask flag
    length
    mask
    frame data

    FIN
    text frame
    1L
    37L
    0xbdccefe0
    \xe9\xa4\x8a\x99\[...]

    81 a5 bd cc ef e0 e9 a4 8a 99 9a be 8a c0
    de a3 82 89 d3 ab cf 94 d2 ec 88 85 c9 ec 96 8f
    c8 e0 cf a2 dc be 8d 81 cf ad c1 ce 93

    bd cc ef e0 bd cc ef e0 bd ...
    e9 a4 8a 99 9a be 8a c0 de ...
    T h e y r e
    c
    Thursday, December 13, 12

    12

    Design Choices
    Items transparent to JavaScript API
    User Agents mask data to the server
    Ping & pong frames for connection keep-alive
    User Agent should minimize details for certain kinds of
    connection failures to prevent better host/port scanning

    Thursday, December 13, 12

    13

    Data Frame Security


    The handshake provides the headers to create a security context
    Cookies, CORS, Origin, etc.
    Decoupling this information is dangerous
    0
    1
    2
    3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +---------------------------------------------------------------+
    |
    [ insert your protocol here ]
    |
    +---------------------------------------------------------------+
    |
    It is pitch dark.
    |
    + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +
    |
    You are likely to be eaten by a grue.
    |
    +---------------------------------------------------------------+
    Thursday, December 13, 12

    14

    What makes us worry

    Thursday, December 13, 12

    15

    (Dont) Blame the Messenger


    WebSockets still fall victim to old threats
    WebSockets still have interesting things to discuss

    Thursday, December 13, 12

    16

    Mixed content handling


    If you can sniff http: you can sniff ws:
    If you can intercept or inject, you can overtake ws:/
    wss:
    It should be impossible to mix ws: with https: by
    RFC
    WebKit doesnt enforce this

    Thursday, December 13, 12

    17

    Denial of Service - Client


    WebSockets connection limit is different than HTTP connection limit
    Malicious content can exhaust browser by grabbing max. allowed
    number of WebSocket connections
    go to http://www.slowhammer.me/now.html with mobile
    Safari
    ..Yes, WebSocket is the first way to open an unlimited number of connections to a single
    server, so it indeed likely needs additional protection to prevent DOS attacks.
    But we don't really have a way to implement this correctly...
    https://bugs.webkit.org/show_bug.cgi?id=32246

    Thursday, December 13, 12

    18

    Denial of Service - Server


    Welcome!er!
    L

    t
    a

    Malicious content can create large number of WebSocket


    connections to victim WebSocket server
    Attacks like SlowLoris strive to maintain persistent connections
    thus draining server resources. WebSockets are naturally like that

    Thursday, December 13, 12

    19

    Are Browsers OK?


    Still no mixed content handling policy
    implemented by WebKit-based (except Chromium)
    Firefox still doesnt let WebWorkers create WebSockets
    Message sizes handled differently

    Thursday, December 13, 12

    20

    Fuzzing WS
    Fuzzing WS data
    Capturing real life data with JS
    Fuzzing within a Browser
    Fuzzing WS frameworks
    Fuzzing WS handshake
    Fuzzing WS Headers
    Thursday, December 13, 12

    21

    Fuzzing WS data with JS


    var f_replace ='';
    var f_append ='';
    WebSocket.prototype._send =
    WebSocket.prototype.send;
    WebSocket.prototype.send = function (data) {
    this._send(data);
    this.addEventListener('message', function
    (msg) {
    }, false);
    this.send = function (data) {
    if(f_replace !='') {
    data = f_replace;
    } else if( f_append !='') {
    data = data + f_append;
    }
    }

    };

    this._send(data);

    Thursday, December 13, 12

    22

    Fuzzing Frameworks

    Getting Crashes (not yet)


    Fingerprinting frameworks

    Thursday, December 13, 12

    23

    Fingerprinting
    WebSocket++
    Successful handshake:
    HTTP/1.1 101 Switching Protocols
    Connection: Upgrade
    Sec-WebSocket-Accept: Pzio3NY64M/GFfA/kK4WJpj2xY4=
    Server: WebSocket++/0.2.0dev
    Upgrade: websocket
    Failed handshake:
    HTTP/1.1 404
    Server: WebSocket++/0.2.0dev

    Thursday, December 13, 12

    24

    Fingerprinting
    AutobahnPython
    Successful handshake:
    HTTP/1.1 101 Switching Protocols
    Connection: Upgrade
    Sec-WebSocket-Accept:fKrZviGIoYH4PrDbQ98Nvsbk2cU=
    Server: AutobahnPython/0.5.9
    Upgrade: WebSocket
    Failed handshake:
    HTTP/1.1 400 WebSocket version 12 not supported
    (supported versions: 13,8,0)
    Sec-WebSocket-Version: 13,8,0
    Thursday, December 13, 12

    25

    Fingerprinting
    Node.JS
    Successful handshake:
    HTTP/1.1 101 Switching Protocols
    Connection: Upgrade
    Sec-WebSocket-Accept:zSKX8MU5Omx1JXHacSpdN5a4ur4=
    Upgrade: websocket
    Failed handshake:
    HTTP/1.1 426 Upgrade Required
    Connection: close
    Sec-WebSocket-Version: 13
    X-WebSocket-Reject-Reason: Unsupported websocket client
    version: 12Only versions 8 and 13 are supported.
    Thursday, December 13, 12

    26

    Looking for WS Security


    How to inspect WS traffic
    How to manipulate WS traffic?
    Are there browser plugins to help?
    Are there proxies that support WebSockets?
    Thursday, December 13, 12

    27

    Tools
    WireShark
    Proxies(ZAProxy, Fiddler)
    Chrome Developer Tools
    overloaded WebSocket constructor and methods

    Thursday, December 13, 12

    28

    Wish You Were Here


    Unawareness of WebSocket protocol by security devices (firewalls,
    IDS, IPS) makes them ineffective against malicious traffic
    Masking inhibits identifying patterns in traffic
    Missing auxiliary data type information makes it even harder
    Covert channels, command & control
    Resurrect Loki (Phrack 49)
    Sources of entropy: reserved flags, length representations, mask
    Thursday, December 13, 12

    29

    Is there anybody out there?


    We wrote a QtWebKit-based crawler with overloaded
    WebSocket ctor; whenever its called - we get a record in the
    DB. As simple as:
    window._WebSocket = window.WebSocket;
    window.WebSocket = function(u, p) {
    cpp_accessible_obj.ws_url = u;
    cpp_accessible_obj.dumpToDB();
    return new window._WebSocket(u, p);
    }
    Thursday, December 13, 12

    30

    Not really...
    Distribution of Alexa Top 600K websites that use WebSockets

    Ranges of the samples

    100K
    200K
    300K
    400K
    500K
    600K
    0

    38

    75

    113

    150

    WebSocket instances found

    Thursday, December 13, 12

    31

    Details?
    0.15% of websites use WebSockets on
    landing page.
    Less than 4% of captured WebSockets
    are using plain ws:
    95% of total WebSockets connect
    to a single vendors customer
    support chat system
    among remaining 5%, less
    than 1% are using
    encryption

    Thursday, December 13, 12

    32

    True picture is...


    Distribution of Alexa Top 600K websites that use WebSockets

    Ranges of the samples

    100K
    200K
    300K
    400K
    500K
    600K
    0

    WebSocket instances found, excluding CS chat system

    Thursday, December 13, 12

    33

    What makes them


    better
    Thursday, December 13, 12

    34

    Recommendations
    What it's good for
    Time critical data delivery
    Apps that require true bidirectional flow
    Interactivity
    Higher throughput
    Remember, it doesnt fix existing vulnerabilities
    Thursday, December 13, 12

    35

    Deploying a Server
    Capacity planning & measurement to prevent self-inflicted DoS
    Verify the Origin header
    As always, assume the client is hostile -- dont trust it
    Be careful when implementing the HTTP handshake
    Create a single-purpose HTTP handler, not a pseudo-web server

    Thursday, December 13, 12

    36

    Security of the tunneled protocol


    Beware of decoupling WebSocket session context from the HTTP session
    context
    Watch for protocol mistakes
    using session cookies as chat IDs (visible to the recipient)
    replay
    spoofing
    fragmentation, overlapping fragments
    server-side buffer overflows, underflows
    Thursday, December 13, 12

    37

    Remember Security Basics


    wss: means secure transport, not secure app
    Authn/Authz
    Session identifiers
    Server-side input validation
    Resource exhaustion
    Failure states
    Thursday, December 13, 12

    38

    Summary
    WebSockets solve connection problems, not security
    problems.
    Basic security principles still apply, especially for data
    frames content.
    The new port 80 -- security devices have poor
    (nonexistent!?) awareness of the protocol.

    Thursday, December 13, 12

    39

    Q&A

    Thursday, December 13, 12

    40

    Thank You!
    Mike @CodexWebSecurum
    Sergey @sshekyan
    Vaagn @tukharian
    Thursday, December 13, 12

    41

    References
    http://lists.whatwg.org/pipermail/whatwg-whatwg.org/
    2008-June/015108.html
    http://www.ietf.org/mail-archive/web/tls/current/
    msg05593.html
    http://webtide.intalio.com/2011/09/cometd-2-4-0websocket-benchmarks/
    Thursday, December 13, 12

    42

    Interest in WebSockets?

    Thursday, December 13, 12

    43

    You might also like