DeepSec 2019 Talk: What’s Wrong with WebSocket APIs? Unveiling Vulnerabilities in WebSocket APIs – Mikhail Egorov
WebSocket protocol is many times more efficient than HTTP. In recent years we can observe that developers tend to implement functionality in the form of WebSocket APIs instead of traditional REST APIs, that use HTTP. Modern technologies and frameworks simplify the building of efficient WebSocket APIs. We can name GraphQL subscriptions or Websocket APIs supported in Amazon API Gateway.
WebSockets APIs have a different security model compared to REST APIs, resulting in unique attack vectors. Nevertheless, developers rarely take them into account.
WebSockets in browsers do not use the same-origin policy (SOP) concept, their security model is based on origin check. Out-of-the-box WebSockets provide no authentication and authorization mechanisms. WebSocket protocol is stateful and has two main phases: A handshake and data transfer phase. Most of the time authentication and authorization logic is implemented in the handshake phase, while the subsequent data transfer doesn’t have such mechanisms. Usually, this leads to severe security issues.
We will talk about CSRF issues, authorization bypass and IDOR issues, found in real web applications and disclosed through Bug Bounty programs.
We asked Mikhail a few more questions about his talk.
Please tell us the top 5 facts about your talk.
- WebSocket is a super efficient protocol for communication.
- Over the years we observe increasing usage of WebSocket API and protocols based on WebSockets instead of traditional REST API and HTTP.
- The security model of WebSocket API is different from REST API and quite often misunderstood by developers.
- Security researchers and bug hunters should give more attention to WebSocket protocol and its applications.
- I’ll talk about CSWSH, authentication and authorization logic bypass, and IDOR vulnerabilities I’ve found in real web applications.
How did you come up with it? Was there something like an initial spark that set your mind on creating this talk?
I’m a full-time bug hunter. And observe WebSocket API participating in Bug Bounty programs. In my talk I want to share my unique experience and some ideas regarding how to test the security of WebSocket API.
Why do you think this is an important topic?
WebSocket API becomes more and more widespread. All major browsers support WebSocket protocol. Major cloud providers (AWS, Google, Azure) added support for WebScokets on their platforms recently as well. Protocols such as wamp and stomp built on top of WebSocket protocol are quite popular. At the same time there are “grey” areas related to WebSockets protocol security that are not well-understood by developers like the origin-based model, authentication and authorization, or the reverse proxying of WebSocket connections.
Is there something you want everybody to know – some good advice for our readers maybe?
My talk will be interesting in particular to pentesters, bug hunters, application security experts and developers. I created WebSocket challenge on https://challenge.0ang3el.tk/websocket.html. You can come and try to hack it. There will be more challenges soon. During the talk I’ll explain the intended solutions.
A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to your field of expertise / the topic of your talk in particular?
I hope to see more great researches and unique vulnerabilities related to WebSocket security in the future.
Here you can find CTF challenges related to Mikhails Talk:
https://challenge.0ang3el.tk/websocket.html
https://challenge2.0ang3el.tk/websocket.html
Good luck!
Whitehat, security researcher, bug hunter, conference speaker. Active on Bugcrowd and H1 platforms. Researching security of clouds, web and mobile applications. Acknowledged by Microsoft, Adobe, RedHat, SAP, AT&T, Atlassian, Uber, Netflix, Tesla, General Motors, Western Union, Sophos, Netgear, etc. for reported vulnerabilities. Gave technical talks at LevelUp, Troopers, Hack In The Box, Hacktivity, ZeroNights, PHDays, and HighLoad conference.