what s wrong with websocket apis
play

Whats wrong with WebSocket APIs? Unveiling vulnerabilities in - PowerPoint PPT Presentation

Jul 10, 2023 •313 likes •989 views

Whats wrong with WebSocket APIs? Unveiling vulnerabilities in WebSocket APIs Mikhail Egorov / @0ang3el #DeepSec2019 # whoami Security researcher / full-time bug hunter https://bugcrowd.com/0ang3el https://hackerone.com/0ang3el

  1. What’s wrong with WebSocket APIs? Unveiling vulnerabilities in WebSocket APIs Mikhail Egorov / @0ang3el #DeepSec2019

  2. # whoami ▪ Security researcher / full-time bug hunter ▪ https://bugcrowd.com/0ang3el ▪ https://hackerone.com/0ang3el ▪ Conference speaker ▪ https://www.slideshare.net/0ang3el ▪ https://speakerdeck.com/0ang3el 2

  3. Previous work ▪ https://media.blackhat.com/bh-us- 12/Briefings/Shekyan/BH_US_12_Shekyan_Toukharian_Hacking_Websocket_Slides .pdf ▪ https://www.nccgroup.trust/us/about-us/newsroom-and- events/blog/2017/may/wssip-a-websocket-manipulation-proxy/ ▪ https://chybeta.github.io/2018/04/07/spring-messaging-Remote-Code-Execution- %E5%88%86%E6%9E%90-%E3%80%90CVE-2018-1270%E3%80%91/ ▪ https://www.twistlock.com/labs-blog/demystifying-kubernetes-cve-2018-1002105- dead-simple-exploit/ ▪ https://github.com/andresriancho/websocket-fuzzer ▪ https://www.irongeek.com/i.php?page=videos/derbycon9/stable-35-old-tools-new- tricks-hacking-websockets-michael-fowl-nick-defoe 3

  4. WebSocket protocol essentials 4

  5. WebSocket protocol – RFC 6455 ▪ Efficient two-way communication protocol ▪ WebSocket is stateful (HTTP is stateless) ▪ Two main parts: handshake and data transfer 5

  6. WebSocket protocol – RFC 6455 ▪ Extensibility: subprotocols and extensions ▪ Subprotocols ▪ https://www.iana.org/assignments/websocket/websocket.xml#subpro tocol-name ▪ Wamp ▪ Stomp ▪ Soap ▪ … 6

  7. WebSocket protocol – RFC 6455 ▪ Extensibility: subprotocols and extensions ▪ Extensions ▪ https://www.iana.org/assignments/websocket/websocket.xml#extens ion-name ▪ permessage-deflate ▪ bbf-usp-protocol 7

  8. WebSocket protocol – RFC 6455 ▪ Origin-based security model (Browser clients) ▪ No authentication ▪ Client must do client-to-server masking 8

  9. WebSocket protocol support ▪ Major web browsers ▪ Web servers / Proxies ▪ Apache httpd, Nginx, IIS, … ▪ HAProxy, Traefik, Varnish, Envoy, … ▪ Cloud providers ▪ WebSocket API (api gateways) ▪ WebSocket proxying (load balancers) 9

  10. WebSocket handshake over HTTP/1.1 Required HTTP version Protocol version Base64(Random nonce) Upgrade request 10

  11. WebSocket handshake over HTTP/1.1 Required status code BASE64(SHA1(Sec-WebSocket-Key || CONST )) 11

  12. WebSocket data transfer \x00 – continuation frame \x01 – text frame \x02 – binary frame \x08 – close frame \x09 – ping \x0A – pong other values are reserved 12

  13. WebSocket data transfer - masking ▪ Masking key is 32-bit long passed inside frame ▪ Client must send masked data ▪ MASKED = MASK ^ DATA (^ - XOR) ▪ Mechanism protects against cache poisoning and smuggling attacks 13

  14. WebSocket protocol and HTTP/2 ▪ RFC 8441 ▪ Bootstrapping WebSocket with HTTP/2 ▪ Not yet widely supported by proxies / web servers ▪ nghttp2 - https://github.com/nghttp2/nghttp2 14

  15. WebSocket handshake over HTTP/2 SETTINGS_ENABLE_CONNECT_PROTOCOL 15

  16. WebSocket handshake over HTTP/2 HTTP method Protocol name WebSocket version 16

  17. WebSocket handshake over HTTP/2 Required status code 17

  18. Cross-Site WebSocket Hijacking 18

  19. WebSocket security for Web Browser ▪ SOP doesn’t work for WebSocket in web browser ▪ Read from WebSocket cross-origin ▪ Write to WebSocket cross-origin ▪ Header Origin should be checked on handshake step (origin-based security model) 19

  20. CSWSH ▪ Cookies are used to authenticate upgrade request ▪ Header Origin isn’t checked or checked poorly 20

  21. CSWSH ▪ CORS tricks from @albinowax are applicable to WebSocket ▪ https://portswigger.net/research/exploiting-cors-misconfigurations- for-bitcoins-and-bounties ▪ Null origin ▪ Pre-domain wildcard ▪ Post-domain wildcard ▪ … 21

  22. CSWSH – Null origin ▪ nullorigin.html <iframe src="data:text/html, <script>const socket = new WebSocket('wss://example.com'); </script>"></iframe> 22

  23. CSWSH ▪ Playground ▪ https://portswigger.net/web-security/websockets/cross-site- websocket-hijacking 23

  24. CSWSH – template for attack 5

  25. Demo 5

  26. Authentication / IDOR issues 26

  27. Authentication ▪ WebSocket protocol doesn’t offer authentication ▪ Developers have to roll out their own AuthN ▪ It’s secure to check AuthN only during handshake ▪ Common secure implementations ▪ Session cookies ▪ Tokens 27

  28. Broken authentication – Case 1 ▪ Some ID / GUID is required in Upgrade request ▪ Guess ID ▪ Leak GUID (minor IDOR, … ) 28

  29. Broken authentication – Case 2 ▪ No authentication during handshake step ▪ Some ID / GUID required in API messages ▪ Guess ID ▪ Leak GUID (minor IDOR, … ) 29

  30. Broken authentication – Case 2 ▪ Exposing GraphQL subscriptions w/o AuthN ▪ https://github.com/righettod/poc-graphql#subscriptions- websocket-endpoint-default-enabling ▪ Path /subscriptions 30

  31. Insecure Direct Object Reference issues ▪ Strong authentication during handshake step ▪ Some ID / GUID required in API messages ▪ Guess ID ▪ Leak GUID (minor IDOR, … ) 31

  32. Smuggling through WebSocket 32

  33. Reverse proxying WebSocket connection Client Backend /socket.io/ Frontend Public WebSocket API Reverse proxy 33

  34. Reverse proxying WebSocket connection Upgrade request Upgrade request Client Backend /socket.io/ Frontend Reverse proxy 34

  35. Reverse proxying WebSocket connection Upgrade request Upgrade request Client Backend HTTP/1.1 101 HTTP/1.1 101 /socket.io/ Frontend Reverse proxy 35

  36. Reverse proxying WebSocket connection Upgrade request Upgrade request Client Backend HTTP/1.1 101 HTTP/1.1 101 /socket.io/ WebSocket connection Frontend direct WebSocket connection Reverse proxy Client - Backend 36

  37. Smuggling through WebSocket connection Private REST API /internal Client Backend /socket.io/ Frontend Public WebSocket API Reverse proxy (vulnerable) 37

  38. Smuggling through WebSocket connection Version correctness isn’t checked! Upgrade request Upgrade request Sec-WebSocket-Version: 1337 Sec-WebSocket-Version: 1337 /internal Client Backend /socket.io/ Frontend Reverse proxy (vulnerable) 38

  39. Smuggling through WebSocket connection Response correctness isn’t checked! Upgrade request Upgrade request Sec-WebSocket-Version: 1337 Sec-WebSocket-Version: 1337 /internal Client Backend HTTP/1.1 426 HTTP/1.1 426 /socket.io/ Frontend Reverse proxy (vulnerable) 39

  40. Smuggling through WebSocket connection Upgrade request Upgrade request Sec-WebSocket-Version: 1337 Sec-WebSocket-Version: 1337 /internal Client Backend HTTP/1.1 426 HTTP/1.1 426 /socket.io/ TLS connection Frontend direct TLS connection Reverse proxy Client – Backend Client can access (vulnerable) not WebSocket!!! /internal 40

  41. Challenge – challenge.0ang3el.tk ▪ URL ▪ https://challenge.0ang3el.tk/websocket.html ▪ You need to access flag on localhost:5000 ▪ Seems no one solved 41

  42. Challenge – challenge.0ang3el.tk ▪ Frontend ▪ Not disclosed WebSocket reverse proxy ▪ socket.io.js ▪ Proxies only WebSocket API - /socket.io/ path ▪ Backend ▪ Flask, Flask-SoketIO, Flask-Restful ▪ Listens on localhost:5000 only 42

  43. challenge1.py

  44. challenge1.py - DEMO

  45. Vulnerable reverse proxies ▪ Vulnerable ▪ Varnish, Envoy proxy <= 1.8.0, other non-disclosed ▪ Not vulnerable ▪ Nginx, HAProxy, Traefik, others 45

  46. Varnish response ▪ WebSocket proxying configuration ▪ https://varnish-cache.org/docs/6.3/users-guide/vcl-example- websockets.html 46

  47. Smuggling through WebSocket connection Private REST API /internal Backend Client /api/socket.io/ /api/health Frontend Public WebSocket API & REST API Reverse proxy (Nginx or another) 47

  48. Smuggling through WebSocket connection /internal Backend Client /api/socket.io/ /api/health GET Frontend HTTP/1.1 200 Reverse proxy (Nginx or another) example.com 48

  49. Smuggling through WebSocket connection Only Upgrade: websocket header is checked! POST /api/health?u= POST /api/health?u= /internal Backend Client /api/socket.io/ /api/health Frontend Reverse proxy (Nginx or another) 49

  50. Smuggling through WebSocket connection Only status code is checked for response! POST /api/health?u= POST /api/health?u= /internal Backend Client HTTP/1.1 101 HTTP/1.1 101 /api/socket.io/ /api/health GET Frontend HTTP/1.1 101 Reverse proxy (Nginx or another) attacker.com 50

  51. Smuggling through WebSocket connection POST /api/health?u= POST /api/health?u= /internal Backend Client HTTP/1.1 101 HTTP/1.1 101 /api/socket.io/ /api/health TLS connection Frontend direct TLS connection Reverse proxy Client – Backend Client-to-Server Client can access (Nginx or another) not WebSocket!!! masking isn’t checked /internal by proxy!!! 51

  52. Challenge2 – challenge2.0ang3el.tk ▪ URL ▪ https://challenge2.0ang3el.tk/websocket.html ▪ You need to access flag on localhost:5000 ▪ Seems no one solved 52

  53. Challenge2 – challenge2.0ang3el.tk ▪ Frontend ▪ Nginx as WebSocket reverse proxy ▪ socket.io.js ▪ Proxies only /api/public path ( socket.io and healthcheck ) ▪ Backend ▪ Flask, Flask-SoketIO, Flask-Restful ▪ Listens on localhost:5000 only 53

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Kaazing Gateway: An Open Source HTML 5 Websocket Server HTML 5 Websocket Server Speaker

Kaazing Gateway: An Open Source HTML 5 Websocket Server HTML 5 Websocket Server Speaker

Kaazing Gateway: An Open Source HTML 5 Websocket Server HTML 5 Websocket Server Speaker Jonas Jacobi Co-Founder: Kaazing Co-Author: Pro JSF and Ajax, Apress Agenda Real-Time Web? Why Do I Care? Scalability and

751 views • 38 slides
Web Sockets WebSockets Last time we say how to establish a WebSocket connection Today,

Web Sockets WebSockets Last time we say how to establish a WebSocket connection Today,

Web Sockets WebSockets Last time we say how to establish a WebSocket connection Today, we'll parse and send messages over the socket WebSocket Frame https://tools.ietf.org/html/rfc6455#section-5.2 Protocols Sidenote Many of the

469 views • 27 slides
WebSocket Slide title APITALS 50 pt e subtitle 32 pt Salvatore.Loreto@ericsson.com November

WebSocket Slide title APITALS 50 pt e subtitle 32 pt Salvatore.Loreto@ericsson.com November

WebSocket Slide title APITALS 50 pt e subtitle 32 pt Salvatore.Loreto@ericsson.com November 3rd, 2009 WebSocket Defines full-duplex communications using a single TCP connection (compared to Comet technologies) It is a mechanism for

571 views • 13 slides
Web Technologies in Java EE JAX-RS 2.0, JSON-P, WebSocket, JSF 2.2 $ whoami Luk Fry

Web Technologies in Java EE JAX-RS 2.0, JSON-P, WebSocket, JSF 2.2 $ whoami Luk Fry

Web Technologies in Java EE JAX-RS 2.0, JSON-P, WebSocket, JSF 2.2 $ whoami Luk Fry Software Engineer, JBoss, Red Hat AeroGear, (Arquillian, RichFaces) Interests HTML5, Web Components, AngularJS Living and

1.17k views • 83 slides
WebSocket Server Implementation Chao-Wei Peng HTTP Request Model Service Http Client Http

WebSocket Server Implementation Chao-Wei Peng HTTP Request Model Service Http Client Http

WebSocket Server Implementation Chao-Wei Peng HTTP Request Model Service Http Client Http Server Thread Waiting Http Request Run Service Http Response HTTP Weakness Server sends response only if someone requests it. WebSocket Protocol

274 views • 11 slides
Semi-Automa+cally Modeling Web APIs to Create Linked APIs

Semi-Automa+cally Modeling Web APIs to Create Linked APIs

Semi-Automa+cally Modeling Web APIs to Create Linked APIs Mohsen Taheriyan, Craig A. Knoblock, Pedro Szekely, and Jose Luis Ambite USC Information

321 views • 28 slides
AM-2 NIE API Gateway in NIE Who uses the APIs now and how is the adoption rate? The APIs are used

AM-2 NIE API Gateway in NIE Who uses the APIs now and how is the adoption rate? The APIs are used

AM-2 NIE API Gateway in NIE Who uses the APIs now and how is the adoption rate? The APIs are used by our faculty, our corporate mobile app users, corporate systems and students, the adoption rate is growing healthy at a steady rate. We are moving

452 views • 17 slides
APIs: Overdue or Overhyped? The Promise of APIs to Drive Interoperability Todays Speakers 2

APIs: Overdue or Overhyped? The Promise of APIs to Drive Interoperability Todays Speakers 2

1 APIs: Overdue or Overhyped? The Promise of APIs to Drive Interoperability Todays Speakers 2 Micky Tripathi Ryan Howells Kristen Valdes President &amp; CEO Principal Founder &amp; CEO Massachusetts eHealth Collaborative Leavitt

276 views • 8 slides
The WebSocket Protocol IETF 80 HyBi WG Takeshi Yoshino tyoshino at google dot com Background

The WebSocket Protocol IETF 80 HyBi WG Takeshi Yoshino tyoshino at google dot com Background

The WebSocket Protocol IETF 80 HyBi WG Takeshi Yoshino tyoshino at google dot com Background Evolution of web apps Dynamic and real-time application Webmail, Chat, word processing, etc. HTTP is not designed for web apps Large

450 views • 40 slides
The current state of banking APIs Open APIs are high priority for financial institutions What are

The current state of banking APIs Open APIs are high priority for financial institutions What are

The current state of banking APIs Open APIs are high priority for financial institutions What are banks doing about it? How important are Open APIs to banks? 2 http://www.briansolis.com/2016/12/top-10-retail-banking-trends-predictions-2017/

449 views • 20 slides
Defences Structure of the Courts What is a Crime? a public wrong Wrong committed

Defences Structure of the Courts What is a Crime? a public wrong Wrong committed

Defences Structure of the Courts What is a Crime? a public wrong Wrong committed against the common good or public interest causes harm to society, not just the individual 3 features that make something a public wrong:

474 views • 25 slides
The realtime web: HTTP/1.1 to WebSocket, SPDY and beyond Guillermo Rauch @ QCon . November 2012.

The realtime web: HTTP/1.1 to WebSocket, SPDY and beyond Guillermo Rauch @ QCon . November 2012.

The realtime web: HTTP/1.1 to WebSocket, SPDY and beyond Guillermo Rauch @ QCon . November 2012. Guillermo . CTO and co-founder at LearnBoost . Creator of socket.io and engine.io . @ rauchg on twitter http:// devthought.com Author of Wileys

1.41k views • 105 slides
STOR 390: APIs Marshall Markham Overview Intro to APIs Concept Steps to URI API Usage

STOR 390: APIs Marshall Markham Overview Intro to APIs Concept Steps to URI API Usage

STOR 390: APIs Marshall Markham Overview Intro to APIs Concept Steps to URI API Usage Google Maps Exercise What is an API API stands for Application Programming Interface Any body of code meant to be used by outside

476 views • 15 slides
www.pdl.cmu.edu/posix/ December 14, 2005 APIs for HPC IO POSIX IO APIs (open, close, read,

www.pdl.cmu.edu/posix/ December 14, 2005 APIs for HPC IO POSIX IO APIs (open, close, read,

POSIX I/O High Performance Computing Extensions Brent Welch (Speaker) Panasas www.pdl.cmu.edu/posix/ December 14, 2005 APIs for HPC IO POSIX IO APIs (open, close, read, write, stat) have semantics that can make it hard to achieve high

674 views • 24 slides
Part 3 Terroir is fragile Can be lost through: High yields Wrong grape varieties in wrong place

Part 3 Terroir is fragile Can be lost through: High yields Wrong grape varieties in wrong place

Part 3 Terroir is fragile Can be lost through: High yields Wrong grape varieties in wrong place Picking too late (a common problem) Poor work in the winery (e.g. too much oak, wrong sort of oak, Brettanomyces, oxidation) The Natural Wine

469 views • 20 slides
HTML 5 WebSocket delivers the Real-time Web QCon, San Francisco November 18, 2009 1

HTML 5 WebSocket delivers the Real-time Web QCon, San Francisco November 18, 2009 1

HTML 5 WebSocket delivers the Real-time Web QCon, San Francisco November 18, 2009 1 Introduction John Fallows CTO @ Kaazing Author @ Pro JSF &amp; Ajax Contributor @ W3C HTML 5 Contributor @ IETF Bidirectional Hypertext

293 views • 27 slides
Matthew Series Lesson #152 January 29, 2017 Dean Bible Ministries www.deanbibleministries.org Dr.

Matthew Series Lesson #152 January 29, 2017 Dean Bible Ministries www.deanbibleministries.org Dr.

Matthew Series Lesson #152 January 29, 2017 Dean Bible Ministries www.deanbibleministries.org Dr. Robert L. Dean, Jr. The Seal Judgments and the Birth Pangs Matthew 24:48 Matt. 24:3, Now as He sat on the Mount of Olives, the disciples came

789 views • 49 slides
Cyborg speech: Deep multilingual speech synthesis for generating segmental foreign accent with

Cyborg speech: Deep multilingual speech synthesis for generating segmental foreign accent with

Cyborg speech: Deep multilingual speech synthesis for generating segmental foreign accent with natural prosody Gustav Eje Henter 1 , Jaime Lorenzo-Trueba 1 , Xin Wang 1 , Mariko Kondo 2 , Junichi Yamagishi 1,3 gustav@nii.ac.jp, jyamagis@nii.ac.jp

1.22k views • 58 slides
Martins Axiom and Choice Principles Eleftherios Tachtsis Department of Mathematics University

Martins Axiom and Choice Principles Eleftherios Tachtsis Department of Mathematics University

Martins Axiom and Choice Principles Eleftherios Tachtsis Department of Mathematics University of the Aegean Karlovassi, Samos, GREECE SWIP Set Theory Workshop in Pisa June 13, 2017 Department of Mathematics E. Tachtsis Martins Axiom

1.02k views • 74 slides
Alternative Data in Finance What is Alternative Data in Finance? Example: Lodging Key Metrics

Alternative Data in Finance What is Alternative Data in Finance? Example: Lodging Key Metrics

Alternative Data in Finance What is Alternative Data in Finance? Example: Lodging Key Metrics Occupancy x Room Rate ~ Revenues Example: Lodging Key Metrics Occupancy x Room Rate ~ Revenues Number of lights on Example: Lodging Key

697 views • 34 slides
Ethnic Fragmentation, Public Good Provision and Inequality in India, 1988 - 2012 Nishant Chadha 1

Ethnic Fragmentation, Public Good Provision and Inequality in India, 1988 - 2012 Nishant Chadha 1

Ethnic Fragmentation, Public Good Provision and Inequality in India, 1988 - 2012 Nishant Chadha 1 Bharti Nandwani 2 1 India Development Foundation 2 Indira Gandhi Institute of Development Research September 15, 2018 1 / 40 Introduction 2 / 40

769 views • 40 slides
Direct influences vs contextuality in human choices Vctor H. Cervantes 1 , Ehtibar N. Dzhafarov 2

Direct influences vs contextuality in human choices Vctor H. Cervantes 1 , Ehtibar N. Dzhafarov 2

Direct influences vs contextuality in human choices Vctor H. Cervantes 1 , Ehtibar N. Dzhafarov 2 Purdue University 1 cervantv@purdue.edu 2 ehtibar@purdue.edu Purdue Winer Memorial Lectures - 2018 Purdue University November 11, 2018

880 views • 39 slides
Quick Check Background 1. How many of you: Prior to 1996 in Canada, proficiency levels varied

Quick Check Background 1. How many of you: Prior to 1996 in Canada, proficiency levels varied

10 Years of the CCLB: Where Weve been and Where Were Going Presenter: Jennifer McKay Project Manager - Assessment Ontario LI NC Assessor Conference Toronto, ON Feb. 2 0 , 2 0 0 9 Quick Check Background 1. How many of you: Prior to 1996

370 views • 13 slides
P1 PARENT-TEACHER MEETING 25 January 2019 6 p.m. 8 p.m. Our Vision Global Learners,

P1 PARENT-TEACHER MEETING 25 January 2019 6 p.m. 8 p.m. Our Vision Global Learners,

P1 PARENT-TEACHER MEETING 25 January 2019 6 p.m. 8 p.m. Our Vision Global Learners, Discerning Citizens Our Mission Nurturing Hearts and Minds Our Core Values Respect Resilience Responsibility Care Humility A Better Balance between

884 views • 56 slides

More recommend