+ All Categories
Home > Documents > Hacking (with) WebSockets

Hacking (with) WebSockets

Date post: 17-May-2015
Category:
Upload: sergey-shekyan
View: 6,105 times
Download: 0 times
Share this document with a friend
Description:
Slides we presented at BayThreat 2012
Popular Tags:
43
Hacking with WebSockets Mike Shema Sergey Shekyan Vaagn Toukharian (got sick last night) December 2012 1 Thursday, December 13, 12
Transcript
Page 1: Hacking (with) WebSockets

Hacking with WebSockets

Mike Shema

Sergey Shekyan

Vaagn Toukharian (got sick last night)

December 20121Thursday, December 13, 12

Page 2: Hacking (with) WebSockets

A Trip into HTML5

WebSockets background

Their appeal to developers

Their appeal to attackers

What makes them better

2Thursday, December 13, 12

Page 3: Hacking (with) WebSockets

HTML4‘s Crude Solutions

Forcing persistence on a non-persistent protocol

...often at the server’s expense of one thread/request

...while dealing with the browser’s per-domain connection limit

...and trying to figure out an efficient polling frequency

...just to know when the server has some data ready.

3Thursday, December 13, 12

Page 4: Hacking (with) WebSockets

Almost WebSocketsForcing HTML5 on a non-HTML5 browser

web-socket-js -- The power of Flash’s raw sockets with the benefits(?) of Flash’s security

sockjs-client -- Pure JavaScript, choose your poison: long-polling, XHR, etc.

HTML5 Server-Sent Events (http://www.w3.org/TR/eventsource/)

Properly-implemented long-polling

Content only flows from server → client

4Thursday, December 13, 12

Page 5: Hacking (with) WebSockets

One Socket, Two Directions

The WebSocket Protocol enables two-way communication between a client running untrusted code in a controlled environment to a remote host that has opted-in to communications from that code.

Uh oh

Yay!

Hmm...

- RFC 64555Thursday, December 13, 12

Page 6: Hacking (with) WebSockets

Speak to MeProtocol(RFC 6455)

Low overhead

Simple format

Content agnostic

HTTP compatible*

JavaScript API.onmessage()

.send()

Data as String, Blob, ArrayBuffer

6Thursday, December 13, 12

Page 7: Hacking (with) WebSockets

Handshake ChallengeGET /?encoding=text HTTP/1.1Host: echo.websocket.orgUser-Agent: ...Connection: UpgradeSec-WebSocket-Version: 13Origin: http://www.websocket.orgSec-WebSocket-Key: CjYoQD+BXC718rj3aiExxw==

base64(16 random bytes)

7Thursday, December 13, 12

Page 8: Hacking (with) WebSockets

Handshake ResponseHTTP/1.1 101 Switching ProtocolsUpgrade: WebSocketConnection: UpgradeSec-WebSocket-Accept: c4RVZSknSoEHizZu6BKl3v+xUuI=

[ then the data frames begin ]

base64(SHA1(challenge + GUID)

Proxy might remove this!

8Thursday, December 13, 12

Page 9: Hacking (with) WebSockets

HTTP HandshakeProves mutual agreement to speak WebSockets

Not intended to prove either trust or identity

User Agent should not establish plaintext WebSocket (ws:) from “secure” resource (https:)

Includes the Origin header

Must complete before another connection may be established to the same origin

9Thursday, December 13, 12

Page 10: Hacking (with) WebSockets

0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1+-+-+-+-+-------+-+-------------+-------------------------------+|F|R|R|R| opcode|M| Payload len | Extended payload length | |I|S|S|S| (4) |A| (7) | (16/64) | |N|V|V|V| |S| | (if payload len==126/127) | | |1|2|3| |K| | | +-+-+-+-+-------+-+-------------+ - - - - - - - - - - - - - - - +| Extended payload length continued, if payload len == 127 | + - - - - - - - - - - - - - - - +-------------------------------+| |Masking-key, if MASK set to 1 | +-------------------------------+-------------------------------+| Masking-key (continued) | Payload Data | +-------------------------------- - - - - - - - - - - - - - - - +: Payload Data continued ... : + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +| Payload Data continued ... | +---------------------------------------------------------------+

Data Frame Details

10Thursday, December 13, 12

Page 11: Hacking (with) WebSockets

Variable LengthsDecimal Length (7 bits) Variable Length (16- or 64-bit)1 1 0 0 0 0 0 0 n/a128 0 1 1 1 1 1 1 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 065535 0 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 165536 1 1 1 1 1 1 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 . . .2^64 - 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 . . . 1 1 1 1 1 1 1 119 1 1 0 0 1 0 0 n/a19 0 1 1 1 1 1 1 1 1 0 0 1 0 0 0 0 0 0 0 0 0 0 019 1 1 1 1 1 1 1 1 1 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 . . .

11Thursday, December 13, 12

Page 12: Hacking (with) WebSockets

Masking Data 32-bit pseudo-random value, XOR byte by byte

Prevent the browser from being leveraged for cross-protocol attacks, cache poisoning

Ethernet00 18 0a 01 32 aa

dst 00:18:0a:01:32:aa

00 26 b0 f5 42 68

src 00:26:b0:f5:42:68

08 00

type 0x800

IPversion 4L

45

ihl 5L

00

tos 0x0

00 5f

len 95

e0 6cid 57452flags DF 40 00frag 0L

40

ttl 64

06

proto tcp

66 8a

chksum 0x668a

0a ab 5a 2c

src 10.171.90.44

ae 81e0 49

dst 174.129.224.73options []

TCP

f9 28

sport 63784

00 50dport http

fb 51 8d 7fseq 4216425855

ea d5 21 21

ack 3939836193dataofs 8L

80

reserved 0L

18

flags PA

82 18

window 33304

fa c2

chksum 0xfac2

00 00

urgptr 0

01 01 08 0a c5 4f 2d e2 61 5272 98

options [(’NOP’, None), (’[...]

WebSocketflags FIN

81opcode text framemask flag 1L

a5

length 37L

bd cc ef e0

mask 0xbdccefe0

e9 a4 8a 99 9a be 8a c0de a3 82 89 d3 ab cf 94 d2 ec 88 85 c9 ec 96 8fc8 e0 cf a2 dc be 8d 81 cf ad c1 ce 93

frame data ’\xe9\xa4\x8a\x99\[...]

bd cc ef e0 bd cc ef e0 bd ...e9 a4 8a 99 9a be 8a c0 de ...

T h e y ‘ r e c12Thursday, December 13, 12

Page 13: Hacking (with) WebSockets

Design Choices

Items transparent to JavaScript API

User Agents mask data to the server

“Ping” & “pong” frames for connection keep-alive

User Agent should minimize details for certain kinds of connection failures to prevent “better” host/port scanning

13Thursday, December 13, 12

Page 14: Hacking (with) WebSockets

Data Frame Security

0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1+---------------------------------------------------------------+| [ insert your protocol here ] | +---------------------------------------------------------------+| It is pitch dark. | + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +| You are likely to be eaten by a grue. | +---------------------------------------------------------------+

The handshake provides the headers to create a security context

Cookies, CORS, Origin, etc.

Decoupling this information is dangerous

14Thursday, December 13, 12

Page 15: Hacking (with) WebSockets

What makes us worry

15Thursday, December 13, 12

Page 16: Hacking (with) WebSockets

(Don’t) Blame the Messenger

WebSockets still fall victim to “old” threats

WebSockets still have interesting things to discuss

16Thursday, December 13, 12

Page 17: Hacking (with) WebSockets

Mixed content handling If you can sniff http: you can sniff ws:

If you can intercept or inject, you can overtake ws:/wss:

It should be impossible to mix ws: with https: by RFC

WebKit doesn’t enforce this

17Thursday, December 13, 12

Page 18: Hacking (with) WebSockets

Denial of Service - ClientWebSockets connection limit is different than HTTP connection limit

Malicious content can exhaust browser by grabbing max. allowed number of WebSocket connections

go to http://www.slowhammer.me/now.html with mobile Safari

“..Yes, WebSocket is the first way to open an unlimited number of connections to a single server, so it indeed likely needs additional protection to prevent DOS attacks.But we don't really have a way to implement this correctly...”

https://bugs.webkit.org/show_bug.cgi?id=32246

18Thursday, December 13, 12

Page 19: Hacking (with) WebSockets

Denial of Service - Server

Malicious content can create large number of WebSocket connections to victim WebSocket server

Attacks like SlowLoris strive to maintain persistent connections thus draining server resources. WebSockets are naturally like that

Welcome!Lat

er!

19Thursday, December 13, 12

Page 20: Hacking (with) WebSockets

Are Browsers OK?

Still no mixed content handling policy implemented by WebKit-based (except Chromium)

Firefox still doesn’t let WebWorkers create WebSockets

Message sizes handled differently

20Thursday, December 13, 12

Page 21: Hacking (with) WebSockets

Fuzzing WSFuzzing WS data

Capturing real life data with JS

Fuzzing within a Browser

Fuzzing WS frameworks

Fuzzing WS handshake

Fuzzing WS Headers

21Thursday, December 13, 12

Page 22: Hacking (with) WebSockets

Fuzzing WS data with JSvar f_replace ='';var f_append ='';

WebSocket.prototype._send = WebSocket.prototype.send;WebSocket.prototype.send = function (data) { this._send(data); this.addEventListener('message', function (msg) { }, false); this.send = function (data) {

if(f_replace !='') { data = f_replace; } else if( f_append !='') { data = data + f_append; }

this._send(data); };}

22Thursday, December 13, 12

Page 23: Hacking (with) WebSockets

Fuzzing Frameworks

Getting Crashes (not yet)

Fingerprinting frameworks

23Thursday, December 13, 12

Page 24: Hacking (with) WebSockets

WebSocket++

Successful handshake:HTTP/1.1 101 Switching ProtocolsConnection: UpgradeSec-WebSocket-Accept: Pzio3NY64M/GFfA/kK4WJpj2xY4=Server: WebSocket++/0.2.0devUpgrade: websocket

Failed handshake:HTTP/1.1 404 Server: WebSocket++/0.2.0dev

Fingerprinting

24Thursday, December 13, 12

Page 25: Hacking (with) WebSockets

AutobahnPython

Successful handshake:HTTP/1.1 101 Switching ProtocolsConnection: UpgradeSec-WebSocket-Accept:fKrZviGIoYH4PrDbQ98Nvsbk2cU=Server: AutobahnPython/0.5.9Upgrade: WebSocket

Failed handshake:HTTP/1.1 400 WebSocket version 12 not supported (supported versions: 13,8,0)Sec-WebSocket-Version: 13,8,0

Fingerprinting

25Thursday, December 13, 12

Page 26: Hacking (with) WebSockets

Node.JS

Successful handshake:HTTP/1.1 101 Switching ProtocolsConnection: UpgradeSec-WebSocket-Accept:zSKX8MU5Omx1JXHacSpdN5a4ur4=Upgrade: websocket

Failed handshake:HTTP/1.1 426 Upgrade RequiredConnection: closeSec-WebSocket-Version: 13X-WebSocket-Reject-Reason: Unsupported websocket client version: 12Only versions 8 and 13 are supported.

Fingerprinting

26Thursday, December 13, 12

Page 27: Hacking (with) WebSockets

Looking for WS Security How to inspect WS traffic

How to manipulate WS traffic?

Are there browser plugins to help?

Are there proxies that support WebSockets?

27Thursday, December 13, 12

Page 28: Hacking (with) WebSockets

Tools

WireShark

Proxies(ZAProxy, Fiddler)

Chrome Developer Tools

overloaded WebSocket constructor and methods

28Thursday, December 13, 12

Page 29: Hacking (with) WebSockets

Wish You Were Here Unawareness of WebSocket protocol by security devices (firewalls, IDS, IPS) makes them ineffective against malicious traffic

Masking inhibits identifying patterns in traffic

Missing auxiliary data type information makes it even harder

Covert channels, command & control

Resurrect Loki (Phrack 49)

Sources of entropy: reserved flags, length representations, mask

29Thursday, December 13, 12

Page 30: Hacking (with) WebSockets

Is there anybody out there? We wrote a QtWebKit-based crawler with overloaded WebSocket ctor; whenever it’s called - we get a record in the DB. As simple as:

window._WebSocket = window.WebSocket;window.WebSocket = function(u, p) { cpp_accessible_obj.ws_url = u; cpp_accessible_obj.dumpToDB(); return new window._WebSocket(u, p);}

30Thursday, December 13, 12

Page 31: Hacking (with) WebSockets

Not really...

100K

200K

300K

400K

500K

600K

0 38 75 113 150

Distribution of Alexa Top 600K websites that use WebSockets

WebSocket instances found

Rang

es of

the s

ample

s

31Thursday, December 13, 12

Page 32: Hacking (with) WebSockets

Details? 0.15% of websites use WebSockets on landing page.

Less than 4% of captured WebSockets are using plain ws:

95% of total WebSockets connect to a single vendor’s customer support chat system

among remaining 5%, less than 1% are using encryption

32Thursday, December 13, 12

Page 33: Hacking (with) WebSockets

True picture is...

100K

200K

300K

400K

500K

600K

0 2 4 5 7

Distribution of Alexa Top 600K websites that use WebSockets

WebSocket instances found, excluding CS chat system

Rang

es of

the s

ample

s

33Thursday, December 13, 12

Page 34: Hacking (with) WebSockets

What makes them better

34Thursday, December 13, 12

Page 35: Hacking (with) WebSockets

Recommendations What it's good for

Time critical data delivery

Apps that require true bidirectional flow

Interactivity

Higher throughput

Remember, it doesn’t fix existing vulnerabilities

35Thursday, December 13, 12

Page 36: Hacking (with) WebSockets

Deploying a ServerCapacity planning & measurement to prevent self-inflicted DoS

Verify the Origin header

As always, assume the client is hostile -- don’t trust it

Be careful when implementing the HTTP handshake

Create a single-purpose HTTP handler, not a pseudo-web server

36Thursday, December 13, 12

Page 37: Hacking (with) WebSockets

Security of the tunneled protocolBeware of decoupling WebSocket session context from the HTTP session context

Watch for protocol mistakes

using session cookies as chat IDs (visible to the recipient)

replay

spoofing

fragmentation, overlapping fragments

server-side buffer overflows, underflows

37Thursday, December 13, 12

Page 38: Hacking (with) WebSockets

Remember Security Basicswss: means secure transport, not secure app

Authn/Authz

Session identifiers

Server-side input validation

Resource exhaustion

Failure states

38Thursday, December 13, 12

Page 39: Hacking (with) WebSockets

Summary WebSockets solve connection problems, not security problems.

Basic security principles still apply, especially for data frames’ content.

“The new port 80” -- security devices have poor (nonexistent!?) awareness of the protocol.

39Thursday, December 13, 12

Page 40: Hacking (with) WebSockets

Q&A

40Thursday, December 13, 12

Page 41: Hacking (with) WebSockets

Thank You!

Mike @CodexWebSecurumSergey @sshekyanVaagn @tukharian

41Thursday, December 13, 12

Page 43: Hacking (with) WebSockets

Interest in WebSockets?

43Thursday, December 13, 12


Recommended