WebSockets

WebSockets are a technology that allows for bi-directional communication between a client and a server over a single, long-lived TCP connection. While WebSockets can be a powerful tool for building real-time applications, there are also several security risks associated with their use. Here are some of the most important security risks to consider:

  1. Cross-site WebSocket hijacking (CSWSH): This is a type of attack where a malicious website can exploit a WebSocket connection established by a user on a legitimate website. The attacker can then use the WebSocket connection to send or receive data to and from the legitimate website, bypassing the same-origin policy. This can result in data theft, session hijacking, and other types of attacks.

  2. Denial-of-service (DoS) attacks: WebSockets are susceptible to DoS attacks, where an attacker floods a server with a high volume of traffic. This can result in the server becoming overwhelmed and unable to handle legitimate requests, causing a denial of service to users.

  3. Man-in-the-middle (MitM) attacks: Plain ws:// WebSocket connections are unencrypted, so an attacker positioned on the network path can intercept and modify data transmitted over the connection. This can result in sensitive data being stolen or manipulated.

  4. Malicious payload injection: If a server doesn't properly validate the data it receives from a WebSocket connection, it can be vulnerable to attacks that involve the injection of malicious payloads. For example, an attacker could inject JavaScript code that executes in the user's browser, potentially leading to further attacks such as cross-site scripting (XSS).

  5. Insecure WebSocket implementations: WebSockets are still a relatively new technology, and some implementations may have security vulnerabilities that could be exploited by attackers. It's important to use a secure and well-tested WebSocket library or framework to minimize the risk of such vulnerabilities being exploited.

Cross-Site WebSocket Hijacking (CSWSH)

This attack is essentially Cross-Site Request Forgery (CSRF) targeting the WebSocket handshake, and thereby the connection it establishes.

It arises when the WebSocket handshake request relies solely on HTTP cookies for session handling and does not contain any CSRF tokens or other unpredictable values. An attacker can create a malicious web page on their own domain which establishes a cross-site WebSocket connection to the vulnerable application. The application will handle the connection in the context of the victim user's session with the application.

ws-harness.py

# Start ws-harness to listen on a web-socket, and specify a message template to send to the endpoint.
python ws-harness.py -u "ws://dvws.local:8080/authenticate-user" -m ./message.txt

Remediation

To mitigate these risks, it's important to properly secure WebSocket connections by using TLS (wss://, as HTTPS does for HTTP), implementing proper access controls (including CSRF tokens or other unpredictable values on the handshake, so that a cookie alone never binds a connection to a session), validating user input, and regularly testing for vulnerabilities. Additionally, rate limiting and similar measures help protect against DoS attacks.
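A server-side handshake check that closes the CSWSH condition described above (session handling by cookie alone) and implements the remediation advice, as an added example that is not part of the original page. The /authenticate-user path is taken from the ws-harness command; the allowed origin, session id and session secret are constructed fixtures.

```python
import hmac
import hashlib
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlsplit

# Constructed fixtures for this example: the application's own origin and the
# per-session secrets a real server would hold in its session store.
ALLOWED_ORIGINS = {"https://app.example.test"}
SESSION_SECRETS = {"sid-1234": b"constructed-session-secret"}


def handshake_token(session_id):
    """Per-session, unpredictable token the page embeds in the WebSocket URL.
    It is derived from the session secret, so a third-party page cannot compute it."""
    secret = SESSION_SECRETS[session_id]
    return hmac.new(secret, b"ws-handshake", hashlib.sha256).hexdigest()


def accept_handshake(path, headers):
    """Decide whether a WebSocket upgrade request may be bound to the caller's session.
    Returns (accepted, reason); a real server would complete or refuse the upgrade."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    if h.get("upgrade", "").lower() != "websocket":
        return False, "not a websocket upgrade"

    # Check 1: Origin allow-list. Browsers always send Origin on a WebSocket handshake,
    # so a missing or foreign Origin means the request did not come from our own pages.
    origin = h.get("origin")
    if origin not in ALLOWED_ORIGINS:
        return False, "origin rejected: %r" % (origin,)

    # Check 2: the session cookie alone is not enough; the request must also carry the
    # unpredictable per-session token, which a cross-site page cannot read or guess.
    cookies = SimpleCookie(h.get("cookie", ""))
    sid = cookies["sid"].value if "sid" in cookies else None
    if sid not in SESSION_SECRETS:
        return False, "no valid session"
    presented = parse_qs(urlsplit(path).query).get("csrf_token", [""])[0]
    if not hmac.compare_digest(presented.encode(), handshake_token(sid).encode()):
        return False, "csrf token missing or wrong"
    return True, "bound to session %s" % sid
```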
