WebSocket Security

In the recent past, web applications have evolved at a rapid pace. New technologies are catching on fast and adding to the already extensive range of functionality that can be provided. Today technologies like AJAX and HTML5 are used extensively in almost all newly developed web applications.

One such interesting technology is WebSocket. WebSocket is basically a protocol which enables communication over TCP. Unlike HTTP, the communication channel provided by WebSocket is full duplex. The major advantage of this technology is that it allows real-time, event-driven applications to be built by maintaining a persistent connection. Using WebSockets we can build functionality such as chat, market statistics, news feeds, real-time gaming, etc.

With every new technology comes complexity and security issues. WebSocket is no exception. WebSocket is also affected by certain vulnerabilities common to web applications, which, if not taken care of, could be exploited by attackers.

Sample request and response for establishing a WebSocket connection, captured in Burp Repeater:

[Figure: WebSocket handshake request and response in Burp Repeater]

Once this handshake is complete the WebSocket connection is established and the data transmission can begin.

Certain points that need to be accounted for when dealing with applications utilizing WebSockets:

  • As web applications use HTTP and HTTPS for plain and encrypted connections respectively, WebSockets likewise use ws and wss. It is advised to use the encrypted version (wss). Examples of both are shown below.
  • WebSocket: ws://echo.websocket.org
  • Secure WebSocket (TLS): wss://echo.websocket.org
  • WebSockets send an Origin header in the handshake request to identify the application (origin) from which the request is made. If the server fails to validate it, an attacker could exploit this to perform attacks such as Cross-Site Request Forgery (CSRF) and Cross-Site WebSocket Hijacking.

*WebSockets are not restricted by the Same Origin Policy (SOP)

[Figure: WebSocket handshake request]
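The handshake shown above and the Origin check described in the last point, as an added example that is not part of the original article: a minimal server-side validator in Python that parses the upgrade request, exact-matches the Origin header against an allowlist before any connection state is created, and computes the Sec-WebSocket-Accept value as RFC 6455 defines it (base64 of SHA-1 over the client key plus a fixed GUID). The allowlist entry https://app.example.com and the sample request are constructed for this example; the client key is the one used in the RFC's own worked example.

```python
import base64
import hashlib
from typing import Dict, Optional, Set, Tuple
from urllib.parse import urlsplit

# GUID that RFC 6455 appends to the client key when computing Sec-WebSocket-Accept.
WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"

# Assumed allowlist for this example: the only page origin allowed to open a socket.
ALLOWED_ORIGINS = {"https://app.example.com"}


def parse_handshake(raw: str) -> Tuple[str, Dict[str, str]]:
    """Split an HTTP/1.1 upgrade request into its request line and a lowercase header map."""
    head, _, _ = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def accept_key(client_key: str) -> str:
    """Sec-WebSocket-Accept = base64(SHA-1(key + GUID)), per RFC 6455."""
    digest = hashlib.sha1((client_key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def origin_allowed(origin: Optional[str], allowed: Set[str]) -> bool:
    """Exact-match the Origin (scheme + host[:port]) against the allowlist.

    A missing Origin is rejected: browsers always send it, so its absence means
    the request is not from a page we can vouch for. Only exact matches pass,
    so a lookalike such as https://app.example.com.evil.test is refused.
    """
    if not origin:
        return False
    parts = urlsplit(origin)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return False  # covers the literal "null" origin and malformed values
    return f"{parts.scheme}://{parts.netloc.lower()}" in allowed


def handshake_response(raw: str, allowed: Set[str] = ALLOWED_ORIGINS) -> str:
    """Return the HTTP response a server should send for the given upgrade request."""
    request_line, h = parse_handshake(raw)
    if not request_line.startswith("GET "):
        return "HTTP/1.1 405 Method Not Allowed\r\n\r\n"
    if h.get("upgrade", "").lower() != "websocket" or "upgrade" not in h.get("connection", "").lower():
        return "HTTP/1.1 400 Bad Request\r\n\r\n"
    if h.get("sec-websocket-version") != "13" or "sec-websocket-key" not in h:
        return "HTTP/1.1 400 Bad Request\r\n\r\n"
    # The Origin check is the Cross-Site WebSocket Hijacking control; it runs
    # before the 101 is sent, so a foreign page never gets an open socket.
    if not origin_allowed(h.get("origin"), allowed):
        return "HTTP/1.1 403 Forbidden\r\n\r\n"
    return (
        "HTTP/1.1 101 Switching Protocols\r\n"
        "Upgrade: websocket\r\n"
        "Connection: Upgrade\r\n"
        f"Sec-WebSocket-Accept: {accept_key(h['sec-websocket-key'])}\r\n"
        "\r\n"
    )


# Constructed sample handshake for this example.
SAMPLE_REQUEST = (
    "GET /chat HTTP/1.1\r\n"
    "Host: app.example.com\r\n"
    "Upgrade: websocket\r\n"
    "Connection: Upgrade\r\n"
    "Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\n"
    "Sec-WebSocket-Version: 13\r\n"
    "Origin: https://app.example.com\r\n"
    "\r\n"
)

if __name__ == "__main__":
    print(handshake_response(SAMPLE_REQUEST))
    # Same request replayed from a page on another origin: refused with 403.
    print(handshake_response(SAMPLE_REQUEST.replace("https://app.example.com", "https://other.example")))
```

Note that the Origin header is only a defence against cross-site use from a browser; a non-browser client can set it to anything, so it must be combined with the authentication discussed below rather than relied on alone.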

  • User-supplied data is never to be trusted and needs to be sanitized to prevent injection and scripting-based vulnerabilities. Measures need to be taken to validate the data and to implement proper output encoding where required.
  • WebSockets have no built-in mechanism for authentication and authorization, hence secure methods to ensure them need to be implemented in the application.
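The two points above, as an added example that is not from the original article: a Python message handler for a chat-style socket that validates each inbound frame against a fixed schema, HTML-encodes user text before it is sent back out, and decides authorization from the identity the server bound to the connection at handshake time rather than from anything inside the message. The message schema (actions post and delete), the moderator role, the size limits and the sample frames are all assumptions constructed for this example.

```python
import html
import json
from dataclasses import dataclass
from typing import Any, Dict, FrozenSet, Optional

MAX_TEXT_LEN = 500    # assumed per-message limit for this example
MAX_FRAME_LEN = 4096  # assumed limit on the raw text frame


@dataclass
class Connection:
    """Per-socket state. user_id and roles are set once, from the session the
    server verified during the handshake; handlers trust nothing else as identity."""
    user_id: Optional[str] = None
    roles: FrozenSet[str] = frozenset()


class MessageError(ValueError):
    """Raised for any inbound frame that does not match the expected schema."""


def validate_message(raw: str) -> Dict[str, Any]:
    """Parse one text frame and shape-check it; reject anything outside the schema."""
    if len(raw) > MAX_FRAME_LEN:
        raise MessageError("frame too large")
    try:
        msg = json.loads(raw)
    except ValueError:
        raise MessageError("not JSON")
    if not isinstance(msg, dict):
        raise MessageError("not an object")
    action = msg.get("action")
    if action not in ("post", "delete"):
        raise MessageError("unknown action")
    if action == "post":
        text = msg.get("text")
        if not isinstance(text, str) or not text or len(text) > MAX_TEXT_LEN:
            raise MessageError("bad text")
        if any(ord(c) < 0x20 and c not in "\n\t" for c in text):
            raise MessageError("control characters")
    else:
        ident = msg.get("id")
        if not isinstance(ident, int) or isinstance(ident, bool):
            raise MessageError("bad id")
    return msg


def handle(conn: Connection, raw: str) -> Dict[str, Any]:
    """Authorize against the connection's identity, then build the outbound message."""
    if conn.user_id is None:
        # No verified session on this socket: every message is refused.
        return {"error": "unauthenticated"}
    try:
        msg = validate_message(raw)
    except MessageError as e:
        return {"error": str(e)}
    if msg["action"] == "delete":
        if "moderator" not in conn.roles:
            return {"error": "forbidden"}
        return {"event": "deleted", "id": msg["id"]}
    # Sender identity comes from the connection; a "user" field in the frame is ignored.
    # Text is HTML-encoded here so a receiving page that inserts it as HTML is safe.
    return {
        "event": "message",
        "from": conn.user_id,
        "text": html.escape(msg["text"], quote=True),
    }


if __name__ == "__main__":
    # Constructed sample frames for this example.
    alice = Connection(user_id="alice")
    moderator = Connection(user_id="bob", roles=frozenset({"moderator"}))
    for conn, frame in [
        (Connection(), '{"action": "post", "text": "hi"}'),
        (alice, '{"action": "post", "text": "<b>hi</b> & you", "user": "admin"}'),
        (alice, '{"action": "delete", "id": 7}'),
        (moderator, '{"action": "delete", "id": 7}'),
        (alice, "not json"),
    ]:
        print(json.dumps(handle(conn, frame)))
```

Whether to encode on the server or at the point where the browser inserts the text depends on the application; what matters is that the encoding matches the context the text ends up in, and that the identity and role checks never depend on fields the client controls.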

Every tradecraft requires a special set of tools. Analysing and testing the security of WebSockets likewise calls for certain special tools. Here is a list of some that can assist in this process.

Chrome Developer Tools

Chrome comes with built-in Developer Tools, which can be accessed using the F12 key or by right-clicking in the browser window and selecting 'Inspect element'. In the Developer Tools we can inspect WebSocket requests and responses under the Network tab. This allows us to analyse the structure of the requests being sent and how the application responds to them.

[Figure: WebSocket traffic in the Chrome Developer Tools Network tab]

Simple WebSocket Client (Chrome Extension)

Chrome extensions allow us to extend the functionality of the browser and perform various associated tasks. One such extension is Simple WebSocket Client. It is a simple client with which we can send custom requests to a WebSocket endpoint and receive the responses. It can be very helpful for fuzzing the WebSocket to test for various vulnerabilities. The addon can be added to the browser from the address

[Figure: Simple WebSocket Client Chrome extension]

ZAP

Zed Attack Proxy (ZAP) is a popular web application pentesting tool. ZAP basically acts as an application-layer proxy and is very helpful for manual testing, although it also contains an automated scanner. Apart from its already extensive list of features, it also logs WebSocket requests and responses. Using this we can perform many further tests by replaying the requests with different values and analysing the responses to identify vulnerabilities.

[Figure: WebSocket messages logged in ZAP]

IronWASP

IronWASP by Lavakumar is another great web application pentesting tool and, like ZAP, it also provides an application proxy to intercept traffic and perform manual testing. It has certain features not provided by other similar tools, such as SSRF exploitation, an SAP scanner and scripting within the interface. Under the Tools tab there are two features, 'WebSocket Message Extractor' and 'WebSocket Client', which are very helpful when conducting security assessments of web applications utilizing WebSockets.

[Figure: WebSocket tools in IronWASP]

Developers as well as testers need to take special care when dealing with new technologies, as the security issues related to them are not as well known as those of established ones. Such technologies also bring an application into the scope of hackers who are curious to play with new technologies. Before deploying them in a production environment, thorough security assessments should be performed to establish the security of the whole application.