Vulnerabilities in WebSocket Configurations and Their Operation PART 3

Application-level vulnerabilities - where the logic lives


Let's say the connection itself is secure. Now the messaging begins, and this is where a whole world of bugs awaits us.

1. Injection into the application protocol

WS is only transport. On top of it there is almost always your own protocol: JSON-RPC, GraphQL over WS, STOMP, or a custom binary protocol. Every injection class that applies to an HTTP parameter applies to a field of that protocol too; the difference is that nobody put a WAF in front of it.

  • JSON injection / WebSocket SQLi. The client sends: {"action": "getMessages", "channel": "general' OR '1'='1"}. If the server handles the parameter incorrectly, gluing it into the SQL query, we get a classic injection; the payload simply arrives in a WS frame instead of a query string.
  • GraphQL over WS. The whole spectrum of GraphQL vulnerabilities (introspection, brute force, batching attacks) is alive here. Introspection is especially dangerous if it is not disabled in production: send {__schema{...}} over the WS subscription channel and you get a full map of the API.
  • Deserialization. If the server receives binary data and deserializes it (e.g. pickle in Python, Java serialization), you can try the known deserialization payloads (gadget chains) against it.

Practical tool No. 4: WS-Attacker (and its analogues)
There are specialized tools. One of the best known is WS-Attacker (somewhat dated, but conceptually still right). Note that it is a framework for testing SOAP/WS-* web services rather than WebSockets, so only the approach (a modular attack framework driven by a captured request) carries over directly.

So, continuing along our hacker path, we extend our own ws-harness into a simple fuzzer for the application protocol.





import asyncio
import json

import websockets


def generate_payloads(input_message):
    """
    Takes an example of a valid message (dict) and returns a list of payloads.
    """
    payloads = []
    template = input_message.copy()

    # 1. SQLi: append classic probes to every string-valued field
    sql_payloads = ["' OR '1'='1", "' UNION SELECT null, version() --", "1; DROP TABLE users--"]
    for key, val in template.items():
        if isinstance(val, str):
            for sql in sql_payloads:
                new = template.copy()
                new[key] = val + sql
                payloads.append(new)

    # 2. JSON injection (structure disruption)
    if 'action' in template:
        new = template.copy()
        new['action'] = 'getUser", "admin":true, "ignored":"'
        # Goal: {"action":"getUser", "admin":true, "ignored":"", ...} -> may break parsing logic.
        # json.dumps() escapes the quotes, so this only catches servers that rebuild
        # or re-parse JSON from raw strings (concatenation, double decoding).
        payloads.append(new)

    # 3. Path traversal, if there are parameters resembling paths
    for key, val in template.items():
        if 'path' in key.lower() or 'file' in key.lower() or isinstance(val, str) and ('../' in val or '\\' in val):
            for traversal in ['../../../etc/passwd', 'C:\\Windows\\system32\\cmd.exe']:
                new = template.copy()
                new[key] = traversal
                payloads.append(new)

    # 4. Large data for DoS testing
    big_string = 'A' * 100000
    for key in template:
        new = template.copy()
        new[key] = big_string
        payloads.append(new)

    return payloads


async def fuzz_protocol(url, auth_message=None, test_messages=()):
    """
    Establish a connection (possibly with authentication), then fuzz.
    """
    async with websockets.connect(url) as ws:
        # If authentication is required
        if auth_message:
            await ws.send(json.dumps(auth_message))
            resp = await ws.recv()
            print(f"[*] Auth response: {resp}")

        for original_msg in test_messages:
            payloads = generate_payloads(original_msg)
            for p in payloads:
                try:
                    await ws.send(json.dumps(p))
                    # Wait for a response with a short timeout
                    resp = await asyncio.wait_for(ws.recv(), timeout=2.0)
                    if isinstance(resp, bytes):
                        # binary frame: decode loosely so the checks below still work
                        resp = resp.decode(errors="replace")
                    print(f"[?] For {p} -> Response: {resp[:200]}")
                    # Analyze the response: errors, timeouts, strange data
                    if "error" in resp.lower() or "exception" in resp:
                        print(f"[!] Possible vulnerability with payload {p}")
                        print(f"    Response: {resp}")
                except asyncio.TimeoutError:
                    print(f"[!] Timeout for payload {p}. Possible DoS or crash.")
                except websockets.exceptions.ConnectionClosed:
                    print(f"[!] Connection closed by the server after payload {p}. Seriously!")
                    # Stop here; a fuller harness would reconnect and continue with the next test
                    return





2. Insufficient isolation of rooms/channels (Pub/Sub)

Many WS applications use the Pub/Sub (publish/subscribe) model. The user subscribes to a "room" or "channel". The vulnerability occurs when:

  1. The channel name is predictable (for example, user-123-private), and
  2. There is no check of the user's rights to subscribe to that channel.

Attack: having learned another user's ID (it is often in the URL or on a public profile), the attacker subscribes to the channel
user-victim_id-private and receives all of the victim's personal notifications, messages and real-time data changes.
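The missing check, as an added example of mine (not the post's or any project's code): an in-memory Pub/Sub broker with a subscribe-time authorization step next to the vulnerable version that has none. The channel naming scheme (user-<id>-private, room-<name>) and the room membership table are assumptions; user IDs 123, 456 and 999 are constructed.

```python
import re

# Added example, not from the original post: subscribe-time authorization
# for predictable channel names. Naming scheme and ACL are assumptions.

PRIVATE_CHANNEL = re.compile(r"^user-(\d+)-private$")
ROOM_CHANNEL = re.compile(r"^room-([a-z0-9_-]+)$")


class Broker:
    def __init__(self, room_members):
        # room name -> set of user ids allowed in it (assumed to come from the app's DB)
        self.room_members = room_members
        self.subscriptions = {}  # channel -> set of subscribed user ids

    def subscribe_unsafe(self, user_id, channel):
        # Vulnerable: any authenticated user may subscribe to any channel name
        self.subscriptions.setdefault(channel, set()).add(user_id)
        return True

    def may_subscribe(self, user_id, channel):
        """Authorization decision: private channels belong to one user,
        rooms require membership, anything else is denied by default."""
        m = PRIVATE_CHANNEL.match(channel)
        if m:
            return int(m.group(1)) == user_id
        m = ROOM_CHANNEL.match(channel)
        if m:
            return user_id in self.room_members.get(m.group(1), set())
        return False

    def subscribe(self, user_id, channel):
        # Hardened: same operation, gated by the rights check
        if not self.may_subscribe(user_id, channel):
            return False
        self.subscriptions.setdefault(channel, set()).add(user_id)
        return True

    def publish(self, channel, message):
        """Return the user ids that would receive `message` on `channel`."""
        return sorted(self.subscriptions.get(channel, set()))


if __name__ == "__main__":
    broker = Broker({"general": {123, 456}})
    print("unsafe:", broker.subscribe_unsafe(999, "user-123-private"),
          broker.publish("user-123-private", "new DM for 123"))
    broker = Broker({"general": {123, 456}})
    print("safe:", broker.subscribe(999, "user-123-private"),
          broker.publish("user-123-private", "new DM for 123"))
```

The point of the deny-by-default branch is that a channel namespace you have not modelled (an "admin-broadcast" someone adds later) stays closed rather than silently open.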

3. State and race conditions

A WS connection is stateful. On the server, the WebSocketClient object is frequently tied to the User object. What if there are two connections from the same user? How does the server handle competing commands? For example:

  1. The message "transfer money X -> Y".
  2. Quickly send two such commands over parallel connections. The balance check can pass in both handlers before either debit happens, which leads to a double write-off or even a negative balance (if the check for sufficient funds is at the beginning and the write-off comes later).

It is hard to test, but it can be done by creating a set of connections with the same authentication token and sending synchronized commands.
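The double-spend above, reproduced offline as an added example of mine (not from the post): two concurrent handlers, standing in for two WS connections authenticated as the same user, run "transfer 100 X -> Y" against one in-memory ledger. The unsafe version checks the balance, awaits (the DB round trip a real handler makes), then debits; the safe version holds a per-account lock across check and debit. Account names, the 100 starting balance and the lock-based fix are assumptions.

```python
import asyncio

# Added example, not from the original post: the check-then-debit race
# between two handlers of the same user, and the fix.


class Ledger:
    def __init__(self, balances):
        self.balances = dict(balances)
        self._locks = {}

    def _lock_for(self, account):
        # one asyncio.Lock per account, created lazily inside the running loop
        return self._locks.setdefault(account, asyncio.Lock())

    async def transfer_unsafe(self, src, dst, amount):
        # 1. check
        if self.balances[src] < amount:
            return False
        # Await between check and debit: a DB round trip in a real server.
        # This is where the other connection's handler gets scheduled.
        await asyncio.sleep(0)
        # 2. debit / credit
        self.balances[src] -= amount
        self.balances[dst] += amount
        return True

    async def transfer_safe(self, src, dst, amount):
        # Check and debit under the source account's lock. Against a real DB the
        # equivalent is SELECT ... FOR UPDATE or an atomic
        # UPDATE ... SET balance = balance - :amt WHERE balance >= :amt.
        async with self._lock_for(src):
            if self.balances[src] < amount:
                return False
            await asyncio.sleep(0)
            self.balances[src] -= amount
            self.balances[dst] += amount
            return True


async def race(transfer, n_connections=2):
    """Fire the same transfer from n handlers at once; return
    (number of transfers that succeeded, final balance of X)."""
    ledger = Ledger({"X": 100, "Y": 0})
    results = await asyncio.gather(
        *(transfer(ledger, "X", "Y", 100) for _ in range(n_connections)))
    return results.count(True), ledger.balances["X"]


def run_unsafe():
    return asyncio.run(race(Ledger.transfer_unsafe))


def run_safe():
    return asyncio.run(race(Ledger.transfer_safe))


if __name__ == "__main__":
    print("unsafe (succeeded, X balance):", run_unsafe())
    print("safe   (succeeded, X balance):", run_safe())
```

Over a real target the same shape applies: open N connections with the same token, have each send the command immediately after a shared barrier, and look at the server-side balance afterwards, since a single response cannot show you the race.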

4. Cross-site interaction via WS (CSRF vs. WS hijacking)

We've talked about Origin before. But there is a nuance: even if Origin is checked, classic CSRF protection (a token in a custom header) does not apply to WS as-is, because the browser's WebSocket API does not let you set custom headers on the handshake. The handshake does carry the session cookie automatically, which is exactly what makes cross-site hijacking possible, so the main protection is the Origin check plus tying the connection to the session some other way (a ticket in the URL or in the first message).

However, suppose the application authenticates WS not with cookies but with a token in a URL parameter (/ws?token=...), and that token can be obtained legitimately (for example, it is issued by an endpoint after login). Then a classic CSRF arises: a malicious site embeds <img src="https://target.com/get_token?for=attacker">, the victim's browser sends the request with the victim's cookies, the server issues a token that ends up in the attacker's hands, and the attacker opens the WS connection with it. (The page cannot read the image response itself, so this needs an endpoint that hands the token over to the named party, or one readable cross-origin through permissive CORS.) Protection: tokens must be bound to the session and must not be issued to third parties without the user's explicit consent (OAuth, for example).
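The server side of that protection, as an added example of mine (not the post's or any project's code): the handshake is accepted only if the Origin is on an allowlist and the URL carries a short-lived HMAC ticket whose embedded session ID matches the session the cookie actually belongs to, so a ticket minted for one session is useless from another and a forged or expired one fails the MAC or the expiry. The key, origin, ticket format and 60-second TTL are assumptions; the ticket is meant to be fetched by same-origin page script after login, not by a cross-site GET.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlparse

# Added example, not from the original post: Origin allowlist plus a
# session-bound ticket for the WebSocket handshake. Values below are assumptions.

SERVER_KEY = b"rotate-me-in-production"      # assumed server-side secret
ALLOWED_ORIGINS = {"https://target.example"}  # assumed front-end origin
TICKET_TTL = 60                               # seconds a ticket stays valid


def issue_ticket(session_id, now=None):
    """Mint a ticket bound to `session_id`. Called from a same-origin,
    authenticated endpoint; never issued 'for' another party."""
    exp = int(now or time.time()) + TICKET_TTL
    nonce = secrets.token_hex(8)
    body = f"{session_id}:{exp}:{nonce}"
    mac = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}:{mac}"


def ticket_session(ticket, now=None):
    """Return the session id a ticket is bound to, or None if forged or expired."""
    try:
        session_id, exp, nonce, mac = ticket.split(":")
    except ValueError:
        return None
    body = f"{session_id}:{exp}:{nonce}"
    expected = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    if int(exp) < int(now or time.time()):
        return None
    return session_id


def check_handshake(headers, request_uri, cookie_session, now=None):
    """Decide whether the upgrade may proceed.
    headers: dict with lowercase header names; cookie_session: the session id
    the server resolved from the request's session cookie."""
    origin = headers.get("origin")
    if origin not in ALLOWED_ORIGINS:
        return (False, "bad origin")
    query = parse_qs(urlparse(request_uri).query)
    ticket = (query.get("ticket") or [None])[0]
    if not ticket:
        return (False, "missing ticket")
    bound = ticket_session(ticket, now)
    if bound is None:
        return (False, "invalid ticket")
    if bound != cookie_session:
        # a ticket obtained by another party does not open this user's socket
        return (False, "ticket not bound to this session")
    return (True, "ok")


if __name__ == "__main__":
    t = issue_ticket("sess-A")
    good = {"origin": "https://target.example"}
    print(check_handshake(good, "/ws?ticket=" + t, "sess-A"))
    print(check_handshake({"origin": "https://evil.example"}, "/ws?ticket=" + t, "sess-A"))
    print(check_handshake(good, "/ws?ticket=" + t, "sess-B"))
```

Because the ticket rides in the URL it will appear in proxy and server logs, which is why it is single-purpose and short-lived rather than a reuse of the session token itself.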
 