We have been dominated by web sockets. Yes, the time has come, technology is dominating us. Wait, what? A web socket is initiated over HTTP! 😂
Two days ago, while reading about Ajax, I stumbled upon the term web sockets and, just like any other ignorant being, moved on: the show must go on 😆 Two days later, I decided to start with the PortSwigger labs, and while scrolling to choose a random topic, web sockets came my way yet again. The universe was giving me signs, and this time I took them: this morning I started to learn a bit about Web Sockets (let's call them WS instead of Web Sockets).
And god, it took my day, there is a lot to know about it, and this article is me sharing my day with you.
The first line that caught my attention was that it is initiated over HTTP, and the security guy inside of me started throwing questions.
- Upgrade for HTTP, like literally.
- When you need full-duplex (server and client talking to each other, bidirectional) connections.
- Two protocols can be used to establish web socket connections:
  - ws - web socket, and
  - wss - web socket secure (that's what I think that acronym is 😆)
- Examples: chatting applications, web-based games, and anything that requires real-time connections.
HTTP sends headers along with each request, which increases latency and makes it slower in comparison, whereas WS doesn't: it sends the headers once and then keeps the connection open for as long as required, and yeah, you guessed it right, that makes it a lot faster than AJAX.
We have been talking a lot about HTTP and WS headers, but what are the differences? To understand, I opened up Slack and went to the developer tools section!
This is what I got!!! 😧
```
HTTP/1.1 101 Switching Protocols
upgrade: websocket
connection: Upgrade
sec-websocket-accept: oj8LcmKK/eSwbxqeLkHKwJx3TvQ=
sec-websocket-extensions: xxx
```
The response header contains several hints that suggest WS is being used: the status line is 101 Switching Protocols, and Connection suggests an upgrade in connection protocols.
```
Host: wss-primary.slack.com
User-Agent: xxx
Sec-WebSocket-Version: 13
Origin: https://app.slack.com
Sec-WebSocket-Extensions: xxx
Sec-WebSocket-Key: 1N5BmOgjVY1OcHvXPvrBhQ==
Connection: keep-alive, Upgrade
Cookie: xxx
Upgrade: websocket
```
Similarly, in the request headers, Sec-WebSocket-Version is present, and Upgrade suggests an upgrade in protocols.
All that being said, not everything is rainbows & unicorns.
- Never trust user input, I can't emphasize it enough. Properly crafted malicious inputs can lead to SQL injection or XXE injection on the client's side.
- If the WS connection is not secure enough, then a malicious actor can transmit data to other users.
- No default authentication method. It takes data forwarded from HTTP, like cookies, etc., and can thus lead to Cross-Site Web Socket Hijacking. Therefore, a separate mechanism for authentication is required for the transmission of sensitive data.
- The main concern with WS is that, since they arise from HTTP, "any web security vulnerability that arises with regular HTTP can also arise about Web Sockets communications"
- WS needs special configuration for load balancing.
- Ummm, etc...
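
To make the handshake and the hijacking point concrete, here is an added example (not code from Slack, PortSwigger or this post's original text) of a server-side check in Python that validates the upgrade headers shown above, rejects origins outside an allowlist, and derives Sec-WebSocket-Accept from Sec-WebSocket-Key as RFC 6455 defines it. The names `accept_value`, `check_handshake`, `ALLOWED_ORIGINS` and `SAMPLE_REQUEST` are hypothetical, and the allowlist is an assumption.

```python
import base64
import hashlib

# Fixed GUID from RFC 6455; the server hashes it together with the client's key.
WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"
# Assumption: the one origin allowed to open sockets (value from the capture above).
ALLOWED_ORIGINS = {"https://app.slack.com"}

# Constructed sample: the request headers shown above, placeholders ("xxx") omitted.
SAMPLE_REQUEST = {
    "Host": "wss-primary.slack.com",
    "Sec-WebSocket-Version": "13",
    "Origin": "https://app.slack.com",
    "Sec-WebSocket-Key": "1N5BmOgjVY1OcHvXPvrBhQ==",
    "Connection": "keep-alive, Upgrade",
    "Upgrade": "websocket",
}

def accept_value(key):
    """Sec-WebSocket-Accept = base64(SHA-1(key + GUID))."""
    digest = hashlib.sha1((key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")

def check_handshake(headers, allowed_origins=ALLOWED_ORIGINS):
    """Return (status, response_headers) for a WS upgrade request."""
    h = {name.lower(): value.strip() for name, value in headers.items()}
    # Connection is a comma-separated token list ("keep-alive, Upgrade").
    tokens = {t.strip().lower() for t in h.get("connection", "").split(",")}
    if h.get("upgrade", "").lower() != "websocket" or "upgrade" not in tokens:
        return 400, {}
    if h.get("sec-websocket-version") != "13":
        return 426, {"Sec-WebSocket-Version": "13"}
    key = h.get("sec-websocket-key", "")
    try:
        if len(base64.b64decode(key, validate=True)) != 16:
            return 400, {}
    except ValueError:  # not valid base64
        return 400, {}
    # Cookies ride along automatically, so reject cross-site origins here.
    if h.get("origin") not in allowed_origins:
        return 403, {}
    return 101, {"Upgrade": "websocket", "Connection": "Upgrade",
                 "Sec-WebSocket-Accept": accept_value(key)}

if __name__ == "__main__":
    print(check_handshake(SAMPLE_REQUEST))
    print(check_handshake({**SAMPLE_REQUEST, "Origin": "https://evil.example"}))
```

The Origin check narrows who can start a socket with the victim's cookies; it sits alongside the separate authentication mechanism mentioned above and does not replace it.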
Web Sockets are a tool which if used properly, can be a real gift, and if not, may God be with you!
This was my day, summed up in an article 😂 I hope you learned something from it! Check out the references for more in-depth information!
- A Beginner's Guide to Web Sockets by Dion Misic at PyCon Australia in August 2018.
- Web Socket Security