Spider Tools - What to Use in Intelligence and Attack
Let's put it all together. What does the WS testing process look like from scratch?
1. Intelligence (Recon)
2. Fuzzing and Vulnerability Testing
3. Exploitation
1. Intelligence (Recon)
- Search for endpoints: parse the application's JS files (app.js, main.chunk.js) for new WebSocket(, ws://, wss://, /socket.io, /ws. Tools: grep, Burp Suite, custom scripts.
- Traffic analysis: open the application in the browser with DevTools and look at the Network -> WS tab. We study:
- The WebSocket URL.
- Handshake headers (especially Origin, Sec-WebSocket-Protocol).
- Message format (JSON, binary, text).
- Sequence of messages (authentication, subscription, etc.).
- Server information collection: server responses may contain headers that disclose the technology (Server: Node.js, X-Powered-By: Socket.io). Sometimes error responses (to a malformed handshake) reveal stack traces.
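A small endpoint finder for the recon step above, as an added example that is not part of the original page or any tool it mentions. It scans JavaScript source for the hints listed (literal ws:// and wss:// URLs, /socket.io and /ws paths, and new WebSocket( constructor calls) and returns what it found. The sample bundle fragment and all hostnames in it are constructed for the example.

```python
"""Added example: scan JavaScript source for WebSocket endpoint hints.
Not from the original page; sample input is constructed."""
import re
import sys

# Constructed sample: what a fragment of a bundled app.js might look like.
SAMPLE_JS = r"""
const sock = new WebSocket("wss://app.example.test/ws?token=" + token);
io("https://app.example.test", {path: "/socket.io"});
var legacy = new WebSocket('ws://legacy.example.test:8080/stream');
fetch("/api/users");  // not a websocket, should be ignored
"""

# Literal ws:// or wss:// URLs (stop at whitespace, quotes or a closing paren).
WS_URL_RE = re.compile(r"""wss?://[^\s"'`)]+""")
# Quoted /socket.io or /ws paths, optionally followed by a sub-path or query.
WS_PATH_RE = re.compile(r"""["'`](/socket\.io|/ws)(?:[/?][^"'`]*)?["'`]""")
# First quoted argument of a new WebSocket(...) call (may be a concatenation prefix).
WS_CTOR_RE = re.compile(r"""new\s+WebSocket\s*\(\s*(["'`])(.*?)\1""")


def find_ws_endpoints(js_source: str) -> dict:
    """Return URLs, paths and constructor arguments found in the JS text."""
    urls = sorted(set(WS_URL_RE.findall(js_source)))
    paths = sorted({m.group(0).strip("\"'`") for m in WS_PATH_RE.finditer(js_source)})
    ctor_args = sorted({m.group(2) for m in WS_CTOR_RE.finditer(js_source)})
    return {"urls": urls, "paths": paths, "constructor_args": ctor_args}


if __name__ == "__main__":
    # Usage: python find_ws.py app.js main.chunk.js  (no args: run on the sample)
    if len(sys.argv) == 1:
        print(find_ws_endpoints(SAMPLE_JS))
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8", errors="replace") as f:
            print(path, find_ws_endpoints(f.read()))
```

Constructor arguments are reported separately from URLs because bundles often build the address at runtime (a literal prefix plus a token or host variable); a truncated prefix such as `wss://host/ws?token=` is still a useful lead to follow in the Network -> WS tab.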
2. Fuzzing and Vulnerability Testing
- Handshake: use our ws-harness to check Origin validation, subprotocol handling, and custom headers.
- Protocol: use the extended fuzzer for injection and message tampering. Intercept traffic through mitmproxy and modify it.
- Authorization: try to connect without a token, or with someone else's token (if we can obtain or predict it).
- Isolation: try to subscribe to other users' channels and to send a message on someone else's behalf.
- Load testing (cautiously!): check how the server responds to thousands of connections, huge frames, and frequent ping/pong. Tools: autobahn-testsuite (positive and negative testing), websocket-bench.
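For the handshake check above, an added example (not the page's ws-harness and not from the original page) that shows what an Origin-validation test is looking for: a weak substring-style check beside a strict allowlist compare, both run over a constructed set of Origin header values. The allowlist, hostnames and test values are all constructed for the example.

```python
"""Added example: Origin check harness for the WebSocket handshake.
Not from the original page; allowlist and test values are constructed."""
from urllib.parse import urlsplit

# Constructed allowlist of exact origins (scheme + host, default port).
ALLOWED_ORIGINS = {"https://app.example.test", "https://admin.example.test"}


def weak_origin_check(origin):
    """Flawed check often seen in the wild: substring match on the host name."""
    return origin is not None and "app.example.test" in origin


def strict_origin_check(origin):
    """Exact scheme://host[:port] compare against the allowlist.
    Rejects a missing header, the literal "null" origin, and any value
    carrying a path or query (a browser never sends those in Origin)."""
    if not origin or origin == "null":
        return False
    parts = urlsplit(origin)
    if parts.scheme != "https" or not parts.netloc or parts.path or parts.query:
        return False
    return f"{parts.scheme}://{parts.netloc.lower()}" in ALLOWED_ORIGINS


# Constructed Origin values of the kind a validation test sends.
TEST_ORIGINS = [
    "https://app.example.test",            # legitimate
    "https://APP.example.test",            # host case differs (hosts are case-insensitive)
    "https://app.example.test.evil.test",  # allowed host used as a prefix of another
    "https://evilapp.example.test",        # allowed host used as a suffix of another
    "http://app.example.test",             # scheme downgraded
    "https://app.example.test:8443",       # unexpected port
    "null",                                # sandboxed iframe or file:// page
    None,                                  # header absent (non-browser client)
]


def run_harness(check):
    """Return the list of test origins that the given check accepts."""
    return [o for o in TEST_ORIGINS if check(o)]


if __name__ == "__main__":
    for name, check in (("weak", weak_origin_check), ("strict", strict_origin_check)):
        print(f"{name}: accepts {run_harness(check)}")
```

The harness reports which values each check accepts; a server that behaves like `weak_origin_check` (accepting the prefix/suffix variants, the http downgrade or the odd port) is what the handshake test is designed to surface. Whether an absent Origin should be accepted is a design decision: it is what non-browser clients send, so it matters only where the session is cookie-based and a browser could be made to open the connection.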
3. Exploitation
- For Origin hijacking: we write an exploit page, host it on our server, and lure the victim to it.
- For injection: we use the compromised access for data theft or privilege escalation (substituting "user_id" in messages).
- For deserialization: we prepare shellcode for the specific technology and send it in a binary message.