How to fully control sessions? Check WebSocket cross-site hijacking (1)

Source: Internet
Author: User


WebSocket is a protocol (RFC 6455) with a browser API that is usually grouped with the HTML5 feature set. It provides a full-duplex channel over a single TCP connection. Because the connection is persistent, it makes real-time browser/server (B/S) applications possible, and it is commonly used in web applications with chat features.

The following figure (not reproduced in this copy) illustrates WebSocket usage in an application.

Background:

Same-origin policy: an origin is the combination of scheme (protocol), host name, and port. Within one browser, scripts from the same origin may read each other's documents and responses, across tabs included; scripts from a different origin may not. The WebSocket API, however, is not restricted by the same-origin policy: a page on any origin may open a WebSocket to any server. The browser attaches the page's Origin header (and the target host's cookies) to the handshake and leaves it to the server to decide whether to accept the connection.

Origin header: the browser adds an Origin header to cross-origin requests, to requests with methods other than GET/HEAD (such as POST), and to every WebSocket handshake. It identifies the origin of the page that initiated the request (scheme, host, and port, with no path). When the browser cannot or will not disclose a meaningful origin (for example a sandboxed iframe, a page loaded from file://, or a request that followed a cross-origin redirect), it sends the literal value null.

IronWASP: an open-source web application testing platform; users can write custom security checks and plug-ins in Python or Ruby. See: http://www.freebuf.com/tools/32948.html

ZAP (Zed Attack Proxy): an open-source penetration-testing proxy that bundles a variety of tools for finding vulnerabilities in web applications. See the introduction: http://www.freebuf.com/tools/5427.html

WebSocket Security Assessment

Recently we assessed the security of a web application with a complex set of menus and functions. Most operations in this application go over WebSockets, which means that most of its behaviour never shows up in an HTTP proxy's request log.

When the home page is opened, the site first loads a static page together with its JavaScript and CSS files. After that, communication switches to WebSocket: a WebSocket connection is established between the browser and the server, and all of the HTML the site displays is loaded over it. When you click a link or submit a form, the browser sends WebSocket messages to the server; the server processes them and replies over the same WebSocket, and the browser then renders the new HTML content.

While this WebSocket exchange is going on the volume of messages is very large, and a heartbeat is exchanged every second on top of it. The existing tools could not meet my requirements, so I added a WebSocket message analyser and a WebSocket client to IronWASP so that it can recognise WebSocket traffic and fuzz it for vulnerabilities. You can learn more here.

While testing this application I found that it was vulnerable to Cross-Site WebSocket Hijacking, a class of vulnerability first described by Christian Schneider. Before introducing the testing method I will explain the impact of this vulnerability, and before testing a WebSocket application at all some preparation is needed.

