Today on the table is WebSocket.Not the picture that is drawn on the hackathons, but its throbbinginside out: the configurations that are cut into the living, andquiet, almost invisible exploitation.
WS Underworld: When a LiveChannel Becomes Your Back Door
Whydo we need this?
Everyone has heard about WebSocket(hereinafter WS). "Biorrowed", "living","real-time". With these phrases, managers and juniorarchitects rush to the left and to the right. The web turns from apile of queries-responses into something alive. Shoppers, tradingpanels, online games, collaborative editors - beauty.
Butthe hacker’s view sees otherwise. He sees not a channel for thefeatures, but New Surface of the Attack. Huge, often forgotten,poorly protected. Why? Because WS breaks the old, familiar HTTPmodel. The entire WAF’s (Web Application Firewall), which haslearned to catch SQLi, XSS, and so on in the GET/POST parameters,often blinds, looking at the flow of binary or text data pouring onthe same compound. Because the developers, introducing ws://or w://,consider the work done. Because in the documentation for theframeworks, the section “security” about WS is often placedsomewhere between “gratitudes” and “license”.
Let'sdig.
The basis. Not TCP orHTTP - but your own swamp
Beforebreaking, you need to understand how it works. Not at the level of“handshake and then data”, but deeper.
1. Handshake- entry point
Classics. Client sends HTTP Upgrade request.
Theserver answers:
Here,in this almost HTTP exchange, already lies First layer ofvulnerabilities. Everything that relates to poor HTTP headerprocessing is applicable here. But there is also specificity.
Practicaltool No1: ws-harness (our self-sample)
We will not rely onabstract curl queries. Let's sketch the simplest, but flexible toolfor short-shoot testing. Python with library websockets- it's our choice.
Start
ythonws_harness.py ws://vulnerable-chat.local:8080/ws --originhttрs://evil.com/
Seeoes the server accept a connection with the left Origin? If yes, thefirst flag in our piggy bank. This is a potential vulnerability toWebSocket Origin Hijacking (This is below).
2. After thehandshake: frames, not streams
It is important to moveaway from HTTP thinking. The data goes with frames. The frame has atype: text (0x1),binary (0x2),closure (0x8),ping (0x9),pong (0xA)etc. The server must be able to parse them. Parsers are complexthings. What is difficult can be broken.
Vulnerabilityarsing frames and DoS. Imagine a frame with the declared length 2^63- 1 byte (maximum value for 64-bit). A naive parser can reserve amemory and fall under it. Or a frame with a mask (client framesshould be masked), where the mask is garbage, and the parser goesinto an endless cycle. It’s low level, but it’s real. More commonin custom, self-written servers in C++ or Rust.
Practicaltool No2: ws_fuzzer
We take a library that allows you to collectraw frames. For example, wsprotoor python-socket.Our goal is not just to send data, but to send Incorrect frame.
Importantwarning: This Testing Tool is intended for use on your own servers inan isolated environment. Sending such frames to someone else’sinfrastructure without explicit permission is a crime. We are talkingabout research, not vandalism.
3.Subprotocols
TheSec-WebSocket-Protocol field in the handshake. Designed to agree onthe data format (e.g., SOAP, WAMP, GraphQL-WS). The server mustselect one of the proposed options or refuse. Typical Error: Theserver accepts the first subprotocol from the client’s list withoutchecking or, worse, executes logic based on the subprotocol.
Attack:The client sends a list: Sec-WebSocket-Protocol:secret-admin-protocol, chat. If the server is naive and simplyaccepts the first one it recognizes, it will choose “chat.” Butif there is a conditional branch in its code:
JavaScript:
if(chosenProtocol === ‘secret-admin-protocol’) {
enableAdminMode(ws);
}
Andthe server checks the subprotocol After handshakes, and a curvecheck... You can try to implement something. Or just to cause amistake leading to the disclosure.
Test our ws-harnessythonws_harness.py wss://target/ws --subproto "..\..\bin\bash""chat"
WS Underworld: When a LiveChannel Becomes Your Back Door
Whydo we need this?
Everyone has heard about WebSocket(hereinafter WS). "Biorrowed", "living","real-time". With these phrases, managers and juniorarchitects rush to the left and to the right. The web turns from apile of queries-responses into something alive. Shoppers, tradingpanels, online games, collaborative editors - beauty.
Butthe hacker’s view sees otherwise. He sees not a channel for thefeatures, but New Surface of the Attack. Huge, often forgotten,poorly protected. Why? Because WS breaks the old, familiar HTTPmodel. The entire WAF’s (Web Application Firewall), which haslearned to catch SQLi, XSS, and so on in the GET/POST parameters,often blinds, looking at the flow of binary or text data pouring onthe same compound. Because the developers, introducing ws://or w://,consider the work done. Because in the documentation for theframeworks, the section “security” about WS is often placedsomewhere between “gratitudes” and “license”.
Let'sdig.
The basis. Not TCP orHTTP - but your own swamp
Beforebreaking, you need to understand how it works. Not at the level of“handshake and then data”, but deeper.
1. Handshake- entry point
Classics. Client sends HTTP Upgrade request.
Theserver answers:
Here,in this almost HTTP exchange, already lies First layer ofvulnerabilities. Everything that relates to poor HTTP headerprocessing is applicable here. But there is also specificity.
- Sec-WebSocket-Key and Sec-WebSocket-Accept: Proxy Cashing Mechanism. Not authentication. Never before. A lot of people think it's like a token. No. It's a deterministic transform. You can check its correctness, but this is protection not from an intruder, but from ancient proxies.
- Origin: Here it is the key title. The basis of the Same-Origin policy for WS. But it may not be. In the native JS browser, it is added automatically. What if the client is not a browser? Kastomic client in Python, C, Go? He can send any Origin, or he may not send it at all. It all depends on the server.
Practicaltool No1: ws-harness (our self-sample)
We will not rely onabstract curl queries. Let's sketch the simplest, but flexible toolfor short-shoot testing. Python with library websockets- it's our choice.
Start
ythonws_harness.py ws://vulnerable-chat.local:8080/ws --originhttрs://evil.com/See
oes the server accept a connection with the left Origin? If yes, thefirst flag in our piggy bank. This is a potential vulnerability toWebSocket Origin Hijacking (This is below).2. After thehandshake: frames, not streams
It is important to moveaway from HTTP thinking. The data goes with frames. The frame has atype: text (0x1),binary (0x2),closure (0x8),ping (0x9),pong (0xA)etc. The server must be able to parse them. Parsers are complexthings. What is difficult can be broken.
Vulnerability
arsing frames and DoS. Imagine a frame with the declared length 2^63- 1 byte (maximum value for 64-bit). A naive parser can reserve amemory and fall under it. Or a frame with a mask (client framesshould be masked), where the mask is garbage, and the parser goesinto an endless cycle. It’s low level, but it’s real. More commonin custom, self-written servers in C++ or Rust.Practicaltool No2: ws_fuzzer
We take a library that allows you to collectraw frames. For example, wsprotoor python-socket.Our goal is not just to send data, but to send Incorrect frame.
Importantwarning: This Testing Tool is intended for use on your own servers inan isolated environment. Sending such frames to someone else’sinfrastructure without explicit permission is a crime. We are talkingabout research, not vandalism.
3.Subprotocols
TheSec-WebSocket-Protocol field in the handshake. Designed to agree onthe data format (e.g., SOAP, WAMP, GraphQL-WS). The server mustselect one of the proposed options or refuse. Typical Error: Theserver accepts the first subprotocol from the client’s list withoutchecking or, worse, executes logic based on the subprotocol.
Attack:The client sends a list: Sec-WebSocket-Protocol:secret-admin-protocol, chat. If the server is naive and simplyaccepts the first one it recognizes, it will choose “chat.” Butif there is a conditional branch in its code:
JavaScript:
if(chosenProtocol === ‘secret-admin-protocol’) {
enableAdminMode(ws);
}
Andthe server checks the subprotocol After handshakes, and a curvecheck... You can try to implement something. Or just to cause amistake leading to the disclosure.
Test our ws-harness
ythonws_harness.py wss://target/ws --subproto "..\..\bin\bash""chat"
