what s wrong with websocket apis
play

Whats wrong with WebSocket APIs? Unveiling vulnerabilities in - PowerPoint PPT Presentation

Jul 10, 2023 •313 likes •989 views

Whats wrong with WebSocket APIs? Unveiling vulnerabilities in WebSocket APIs Mikhail Egorov / @0ang3el #DeepSec2019 # whoami Security researcher / full-time bug hunter https://bugcrowd.com/0ang3el https://hackerone.com/0ang3el

  1. What’s wrong with WebSocket APIs? Unveiling vulnerabilities in WebSocket APIs Mikhail Egorov / @0ang3el #DeepSec2019

  2. # whoami ▪ Security researcher / full-time bug hunter ▪ https://bugcrowd.com/0ang3el ▪ https://hackerone.com/0ang3el ▪ Conference speaker ▪ https://www.slideshare.net/0ang3el ▪ https://speakerdeck.com/0ang3el 2

  3. Previous work ▪ https://media.blackhat.com/bh-us- 12/Briefings/Shekyan/BH_US_12_Shekyan_Toukharian_Hacking_Websocket_Slides .pdf ▪ https://www.nccgroup.trust/us/about-us/newsroom-and- events/blog/2017/may/wssip-a-websocket-manipulation-proxy/ ▪ https://chybeta.github.io/2018/04/07/spring-messaging-Remote-Code-Execution- %E5%88%86%E6%9E%90-%E3%80%90CVE-2018-1270%E3%80%91/ ▪ https://www.twistlock.com/labs-blog/demystifying-kubernetes-cve-2018-1002105- dead-simple-exploit/ ▪ https://github.com/andresriancho/websocket-fuzzer ▪ https://www.irongeek.com/i.php?page=videos/derbycon9/stable-35-old-tools-new- tricks-hacking-websockets-michael-fowl-nick-defoe 3

  4. WebSocket protocol essentials 4

  5. WebSocket protocol – RFC 6455 ▪ Efficient two-way communication protocol ▪ WebSocket is stateful (HTTP is stateless) ▪ Two main parts: handshake and data transfer 5

  6. WebSocket protocol – RFC 6455 ▪ Extensibility: subprotocols and extensions ▪ Subprotocols ▪ https://www.iana.org/assignments/websocket/websocket.xml#subpro tocol-name ▪ Wamp ▪ Stomp ▪ Soap ▪ … 6

  7. WebSocket protocol – RFC 6455 ▪ Extensibility: subprotocols and extensions ▪ Extensions ▪ https://www.iana.org/assignments/websocket/websocket.xml#extens ion-name ▪ permessage-deflate ▪ bbf-usp-protocol 7

  8. WebSocket protocol – RFC 6455 ▪ Origin-based security model (Browser clients) ▪ No authentication ▪ Client must do client-to-server masking 8

  9. WebSocket protocol support ▪ Major web browsers ▪ Web servers / Proxies ▪ Apache httpd, Nginx, IIS, … ▪ HAProxy, Traefik, Varnish, Envoy, … ▪ Cloud providers ▪ WebSocket API (api gateways) ▪ WebSocket proxying (load balancers) 9

  10. WebSocket handshake over HTTP/1.1 Required HTTP version Protocol version Base64(Random nonce) Upgrade request 10

  11. WebSocket handshake over HTTP/1.1 Required status code BASE64(SHA1(Sec-WebSocket-Key || CONST )) 11

  12. WebSocket data transfer \x00 – continuation frame \x01 – text frame \x02 – binary frame \x08 – close frame \x09 – ping \x0A – pong other values are reserved 12

  13. WebSocket data transfer - masking ▪ Masking key is 32-bit long passed inside frame ▪ Client must send masked data ▪ MASKED = MASK ^ DATA (^ - XOR) ▪ Mechanism protects against cache poisoning and smuggling attacks 13

  14. WebSocket protocol and HTTP/2 ▪ RFC 8441 ▪ Bootstrapping WebSocket with HTTP/2 ▪ Not yet widely supported by proxies / web servers ▪ nghttp2 - https://github.com/nghttp2/nghttp2 14

  15. WebSocket handshake over HTTP/2 SETTINGS_ENABLE_CONNECT_PROTOCOL 15

  16. WebSocket handshake over HTTP/2 HTTP method Protocol name WebSocket version 16

  17. WebSocket handshake over HTTP/2 Required status code 17

  18. Cross-Site WebSocket Hijacking 18

  19. WebSocket security for Web Browser ▪ SOP doesn’t work for WebSocket in web browser ▪ Read from WebSocket cross-origin ▪ Write to WebSocket cross-origin ▪ Header Origin should be checked on handshake step (origin-based security model) 19

  20. CSWSH ▪ Cookies are used to authenticate upgrade request ▪ Header Origin isn’t checked or checked poorly 20

  21. CSWSH ▪ CORS tricks from @albinowax are applicable to WebSocket ▪ https://portswigger.net/research/exploiting-cors-misconfigurations- for-bitcoins-and-bounties ▪ Null origin ▪ Pre-domain wildcard ▪ Post-domain wildcard ▪ … 21

  22. CSWSH – Null origin ▪ nullorigin.html <iframe src="data:text/html, <script>const socket = new WebSocket('wss://example.com'); </script>"></iframe> 22

  23. CSWSH ▪ Playground ▪ https://portswigger.net/web-security/websockets/cross-site- websocket-hijacking 23

  24. CSWSH – template for attack 5

  25. Demo 5

  26. Authentication / IDOR issues 26

  27. Authentication ▪ WebSocket protocol doesn’t offer authentication ▪ Developers have to roll out their own AuthN ▪ It’s secure to check AuthN only during handshake ▪ Common secure implementations ▪ Session cookies ▪ Tokens 27

  28. Broken authentication – Case 1 ▪ Some ID / GUID is required in Upgrade request ▪ Guess ID ▪ Leak GUID (minor IDOR, … ) 28

  29. Broken authentication – Case 2 ▪ No authentication during handshake step ▪ Some ID / GUID required in API messages ▪ Guess ID ▪ Leak GUID (minor IDOR, … ) 29

  30. Broken authentication – Case 2 ▪ Exposing GraphQL subscriptions w/o AuthN ▪ https://github.com/righettod/poc-graphql#subscriptions- websocket-endpoint-default-enabling ▪ Path /subscriptions 30

  31. Insecure Direct Object Reference issues ▪ Strong authentication during handshake step ▪ Some ID / GUID required in API messages ▪ Guess ID ▪ Leak GUID (minor IDOR, … ) 31

  32. Smuggling through WebSocket 32

  33. Reverse proxying WebSocket connection Client Backend /socket.io/ Frontend Public WebSocket API Reverse proxy 33

  34. Reverse proxying WebSocket connection Upgrade request Upgrade request Client Backend /socket.io/ Frontend Reverse proxy 34

  35. Reverse proxying WebSocket connection Upgrade request Upgrade request Client Backend HTTP/1.1 101 HTTP/1.1 101 /socket.io/ Frontend Reverse proxy 35

  36. Reverse proxying WebSocket connection Upgrade request Upgrade request Client Backend HTTP/1.1 101 HTTP/1.1 101 /socket.io/ WebSocket connection Frontend direct WebSocket connection Reverse proxy Client - Backend 36

  37. Smuggling through WebSocket connection Private REST API /internal Client Backend /socket.io/ Frontend Public WebSocket API Reverse proxy (vulnerable) 37

  38. Smuggling through WebSocket connection Version correctness isn’t checked! Upgrade request Upgrade request Sec-WebSocket-Version: 1337 Sec-WebSocket-Version: 1337 /internal Client Backend /socket.io/ Frontend Reverse proxy (vulnerable) 38

  39. Smuggling through WebSocket connection Response correctness isn’t checked! Upgrade request Upgrade request Sec-WebSocket-Version: 1337 Sec-WebSocket-Version: 1337 /internal Client Backend HTTP/1.1 426 HTTP/1.1 426 /socket.io/ Frontend Reverse proxy (vulnerable) 39

  40. Smuggling through WebSocket connection Upgrade request Upgrade request Sec-WebSocket-Version: 1337 Sec-WebSocket-Version: 1337 /internal Client Backend HTTP/1.1 426 HTTP/1.1 426 /socket.io/ TLS connection Frontend direct TLS connection Reverse proxy Client – Backend Client can access (vulnerable) not WebSocket!!! /internal 40

  41. Challenge – challenge.0ang3el.tk ▪ URL ▪ https://challenge.0ang3el.tk/websocket.html ▪ You need to access flag on localhost:5000 ▪ Seems no one solved 41

  42. Challenge – challenge.0ang3el.tk ▪ Frontend ▪ Not disclosed WebSocket reverse proxy ▪ socket.io.js ▪ Proxies only WebSocket API - /socket.io/ path ▪ Backend ▪ Flask, Flask-SoketIO, Flask-Restful ▪ Listens on localhost:5000 only 42

  43. challenge1.py

  44. challenge1.py - DEMO

  45. Vulnerable reverse proxies ▪ Vulnerable ▪ Varnish, Envoy proxy <= 1.8.0, other non-disclosed ▪ Not vulnerable ▪ Nginx, HAProxy, Traefik, others 45

  46. Varnish response ▪ WebSocket proxying configuration ▪ https://varnish-cache.org/docs/6.3/users-guide/vcl-example- websockets.html 46

  47. Smuggling through WebSocket connection Private REST API /internal Backend Client /api/socket.io/ /api/health Frontend Public WebSocket API & REST API Reverse proxy (Nginx or another) 47

  48. Smuggling through WebSocket connection /internal Backend Client /api/socket.io/ /api/health GET Frontend HTTP/1.1 200 Reverse proxy (Nginx or another) example.com 48

  49. Smuggling through WebSocket connection Only Upgrade: websocket header is checked! POST /api/health?u= POST /api/health?u= /internal Backend Client /api/socket.io/ /api/health Frontend Reverse proxy (Nginx or another) 49

  50. Smuggling through WebSocket connection Only status code is checked for response! POST /api/health?u= POST /api/health?u= /internal Backend Client HTTP/1.1 101 HTTP/1.1 101 /api/socket.io/ /api/health GET Frontend HTTP/1.1 101 Reverse proxy (Nginx or another) attacker.com 50

  51. Smuggling through WebSocket connection POST /api/health?u= POST /api/health?u= /internal Backend Client HTTP/1.1 101 HTTP/1.1 101 /api/socket.io/ /api/health TLS connection Frontend direct TLS connection Reverse proxy Client – Backend Client-to-Server Client can access (Nginx or another) not WebSocket!!! masking isn’t checked /internal by proxy!!! 51

  52. Challenge2 – challenge2.0ang3el.tk ▪ URL ▪ https://challenge2.0ang3el.tk/websocket.html ▪ You need to access flag on localhost:5000 ▪ Seems no one solved 52

  53. Challenge2 – challenge2.0ang3el.tk ▪ Frontend ▪ Nginx as WebSocket reverse proxy ▪ socket.io.js ▪ Proxies only /api/public path ( socket.io and healthcheck ) ▪ Backend ▪ Flask, Flask-SoketIO, Flask-Restful ▪ Listens on localhost:5000 only 53

Recommend

Kaazing Gateway: An Open Source HTML 5 Websocket Server HTML 5 Websocket Server Speaker

Kaazing Gateway: An Open Source HTML 5 Websocket Server HTML 5 Websocket Server Speaker

Kaazing Gateway: An Open Source HTML 5 Websocket Server HTML 5 Websocket Server Speaker Jonas Jacobi Co-Founder: Kaazing Co-Author: Pro JSF and Ajax, Apress Agenda Real-Time Web? Why Do I Care? Scalability and

751 views • 38 slides
Web Sockets WebSockets Last time we say how to establish a WebSocket connection Today,

Web Sockets WebSockets Last time we say how to establish a WebSocket connection Today,

Web Sockets WebSockets Last time we say how to establish a WebSocket connection Today, we'll parse and send messages over the socket WebSocket Frame https://tools.ietf.org/html/rfc6455#section-5.2 Protocols Sidenote Many of the

469 views • 27 slides
WebSocket Slide title APITALS 50 pt e subtitle 32 pt Salvatore.Loreto@ericsson.com November

WebSocket Slide title APITALS 50 pt e subtitle 32 pt Salvatore.Loreto@ericsson.com November

WebSocket Slide title APITALS 50 pt e subtitle 32 pt Salvatore.Loreto@ericsson.com November 3rd, 2009 WebSocket Defines full-duplex communications using a single TCP connection (compared to Comet technologies) It is a mechanism for

571 views • 13 slides
Web Technologies in Java EE JAX-RS 2.0, JSON-P, WebSocket, JSF 2.2 $ whoami Luk Fry

Web Technologies in Java EE JAX-RS 2.0, JSON-P, WebSocket, JSF 2.2 $ whoami Luk Fry

Web Technologies in Java EE JAX-RS 2.0, JSON-P, WebSocket, JSF 2.2 $ whoami Luk Fry Software Engineer, JBoss, Red Hat AeroGear, (Arquillian, RichFaces) Interests HTML5, Web Components, AngularJS Living and

1.17k views • 83 slides
WebSocket Server Implementation Chao-Wei Peng HTTP Request Model Service Http Client Http

WebSocket Server Implementation Chao-Wei Peng HTTP Request Model Service Http Client Http

WebSocket Server Implementation Chao-Wei Peng HTTP Request Model Service Http Client Http Server Thread Waiting Http Request Run Service Http Response HTTP Weakness Server sends response only if someone requests it. WebSocket Protocol

274 views • 11 slides
Semi-Automa+cally Modeling Web APIs to Create Linked APIs

Semi-Automa+cally Modeling Web APIs to Create Linked APIs

Semi-Automa+cally Modeling Web APIs to Create Linked APIs Mohsen Taheriyan, Craig A. Knoblock, Pedro Szekely, and Jose Luis Ambite USC Information

321 views • 28 slides
AM-2 NIE API Gateway in NIE Who uses the APIs now and how is the adoption rate? The APIs are used

AM-2 NIE API Gateway in NIE Who uses the APIs now and how is the adoption rate? The APIs are used

AM-2 NIE API Gateway in NIE Who uses the APIs now and how is the adoption rate? The APIs are used by our faculty, our corporate mobile app users, corporate systems and students, the adoption rate is growing healthy at a steady rate. We are moving

452 views • 17 slides
APIs: Overdue or Overhyped? The Promise of APIs to Drive Interoperability Todays Speakers 2

APIs: Overdue or Overhyped? The Promise of APIs to Drive Interoperability Todays Speakers 2

1 APIs: Overdue or Overhyped? The Promise of APIs to Drive Interoperability Todays Speakers 2 Micky Tripathi Ryan Howells Kristen Valdes President &amp; CEO Principal Founder &amp; CEO Massachusetts eHealth Collaborative Leavitt

276 views • 8 slides
The WebSocket Protocol IETF 80 HyBi WG Takeshi Yoshino tyoshino at google dot com Background

The WebSocket Protocol IETF 80 HyBi WG Takeshi Yoshino tyoshino at google dot com Background

The WebSocket Protocol IETF 80 HyBi WG Takeshi Yoshino tyoshino at google dot com Background Evolution of web apps Dynamic and real-time application Webmail, Chat, word processing, etc. HTTP is not designed for web apps Large

450 views • 40 slides
The current state of banking APIs Open APIs are high priority for financial institutions What are

The current state of banking APIs Open APIs are high priority for financial institutions What are

The current state of banking APIs Open APIs are high priority for financial institutions What are banks doing about it? How important are Open APIs to banks? 2 http://www.briansolis.com/2016/12/top-10-retail-banking-trends-predictions-2017/

449 views • 20 slides
Defences Structure of the Courts What is a Crime? a public wrong Wrong committed

Defences Structure of the Courts What is a Crime? a public wrong Wrong committed

Defences Structure of the Courts What is a Crime? a public wrong Wrong committed against the common good or public interest causes harm to society, not just the individual 3 features that make something a public wrong:

474 views • 25 slides
The realtime web: HTTP/1.1 to WebSocket, SPDY and beyond Guillermo Rauch @ QCon . November 2012.

The realtime web: HTTP/1.1 to WebSocket, SPDY and beyond Guillermo Rauch @ QCon . November 2012.

The realtime web: HTTP/1.1 to WebSocket, SPDY and beyond Guillermo Rauch @ QCon . November 2012. Guillermo . CTO and co-founder at LearnBoost . Creator of socket.io and engine.io . @ rauchg on twitter http:// devthought.com Author of Wileys

1.41k views • 105 slides
STOR 390: APIs Marshall Markham Overview Intro to APIs Concept Steps to URI API Usage

STOR 390: APIs Marshall Markham Overview Intro to APIs Concept Steps to URI API Usage

STOR 390: APIs Marshall Markham Overview Intro to APIs Concept Steps to URI API Usage Google Maps Exercise What is an API API stands for Application Programming Interface Any body of code meant to be used by outside

476 views • 15 slides
www.pdl.cmu.edu/posix/ December 14, 2005 APIs for HPC IO POSIX IO APIs (open, close, read,

www.pdl.cmu.edu/posix/ December 14, 2005 APIs for HPC IO POSIX IO APIs (open, close, read,

POSIX I/O High Performance Computing Extensions Brent Welch (Speaker) Panasas www.pdl.cmu.edu/posix/ December 14, 2005 APIs for HPC IO POSIX IO APIs (open, close, read, write, stat) have semantics that can make it hard to achieve high

674 views • 24 slides
Part 3 Terroir is fragile Can be lost through: High yields Wrong grape varieties in wrong place

Part 3 Terroir is fragile Can be lost through: High yields Wrong grape varieties in wrong place

Part 3 Terroir is fragile Can be lost through: High yields Wrong grape varieties in wrong place Picking too late (a common problem) Poor work in the winery (e.g. too much oak, wrong sort of oak, Brettanomyces, oxidation) The Natural Wine

469 views • 20 slides
HTML 5 WebSocket delivers the Real-time Web QCon, San Francisco November 18, 2009 1

HTML 5 WebSocket delivers the Real-time Web QCon, San Francisco November 18, 2009 1

HTML 5 WebSocket delivers the Real-time Web QCon, San Francisco November 18, 2009 1 Introduction John Fallows CTO @ Kaazing Author @ Pro JSF &amp; Ajax Contributor @ W3C HTML 5 Contributor @ IETF Bidirectional Hypertext

293 views • 27 slides
Web APIs Web APIs Programming for Statistical Programming for Statistical Science Science

Web APIs Web APIs Programming for Statistical Programming for Statistical Science Science

Web APIs Web APIs Programming for Statistical Programming for Statistical Science Science Shawn Santo Shawn Santo 1 / 24 1 / 24 Supplementary materials Full video lecture available in Zoom Cloud Recordings Additional resources HTTP

609 views • 24 slides
V2 28 May 2015 What Is Wrong With Stat 101? 1 2 V2 2015 USCOTS Whats Wrong with Stat 101?

V2 28 May 2015 What Is Wrong With Stat 101? 1 2 V2 2015 USCOTS Whats Wrong with Stat 101?

V2 28 May 2015 What Is Wrong With Stat 101? 1 2 V2 2015 USCOTS Whats Wrong with Stat 101? Cobb 1: Whats wrong with Stat 101? Comments on Cobb and De Veaux Proposals Context : Peripheral in math; central in statistics. Milo

808 views • 17 slides
Webbit Evented, single-threaded WebSocket server http://webbitserver.org/ @aslak_hellesoy

Webbit Evented, single-threaded WebSocket server http://webbitserver.org/ @aslak_hellesoy

Webbit Evented, single-threaded WebSocket server http://webbitserver.org/ @aslak_hellesoy Webbit Overview Single threaded Non-blocking High throughput 1000+ connections No Servlet API No XML 1 Dependency: Netty

827 views • 23 slides
Why I Was Wrong About TypeScript TJ VanToll TypeScript TypeScript TypeScript Why I Was Wrong

Why I Was Wrong About TypeScript TJ VanToll TypeScript TypeScript TypeScript Why I Was Wrong

Why I Was Wrong About TypeScript TJ VanToll TypeScript TypeScript TypeScript Why I Was Wrong About TypeScript Whether TypeScript is a good fit for your next project Why I Was Wrong About TypeScript A typed superset of JavaScript

941 views • 58 slides
Why I Was Wrong About TypeScript TJ VanToll TypeScript TypeScript TypeScript Why I Was Wrong

Why I Was Wrong About TypeScript TJ VanToll TypeScript TypeScript TypeScript Why I Was Wrong

Why I Was Wrong About TypeScript TJ VanToll TypeScript TypeScript TypeScript Why I Was Wrong About TypeScript Whether TypeScript is a good fit for your next project Why I Was Wrong About TypeScript A typed superset of JavaScript

1.04k views • 61 slides
API SHAPAVAL RAMAN 03.05.2017 What is the difference between traditional graphics APIs and new

API SHAPAVAL RAMAN 03.05.2017 What is the difference between traditional graphics APIs and new

API SHAPAVAL RAMAN 03.05.2017 What is the difference between traditional graphics APIs and new low-level APIs? High-level APIs like OpenGL are quite easy to use, because the developer declares what they want to do and how they want to do

634 views • 36 slides
Pub/sub server for the modern web. Flexible, scalable, easy to use. https://nchan.slact.net What

Pub/sub server for the modern web. Flexible, scalable, easy to use. https://nchan.slact.net What

Pub/sub server for the modern web. Flexible, scalable, easy to use. https://nchan.slact.net What is it? HTTP POST Application Websocket Websocket client EventSource client Long-Poll client Buffering Pub/Sub server for web clients

708 views • 49 slides
Network impact of Web access to device APIs W3C Workshop on Security for Access to Device APIs

Network impact of Web access to device APIs W3C Workshop on Security for Access to Device APIs

Network impact of Web access to device APIs W3C Workshop on Security for Access to Device APIs from the Web December 10-11, 2008 Mat Ford http://www.isoc.org Background ISOC is focused on continued operation of the global Internet

512 views • 12 slides

More recommend