Web Sockets Everywhere!

We have been dominated by web sockets. Yes, the time has come, technology is dominating us. Wait, what web socket is initiated over HTTP! 😂

Two days ago, I was reading about Ajax, I stumbled upon the term web sockets, and just like any other ignorant being, the show must go on 😆 Two days later, I decided to start with the Portswigger labs and scrolling to choose a random topic and yet again web sockets came in my way. The universe was giving me signs and this time, I took it and today morning started to learn a bit about Web Sockets (let's call it WS instead of Web Sockets).

And god, it took my day, there is a lot to know about it, and this article is me sharing my day with you.

First Line that caught my attention was it is initiated over HTTP and the security guy inside of me started throwing question.

What are Web Sockets???

• Upgrade for HTTP, like literally.
• When you need full-duplex (Server&Client talking to each other - bidirectional) connections.
• Native Web socket support is in JavaScript, though it supports other clients as well.
• Two protocols could be useful for establishing web sockets connections - ws - web socket and wss - web socket secure (that's what I think that acronym is 😆)
• Examples: chatting applications, web-based games, and anything that requires real-time connections.

How is it an upgrade for HTTP?

HTTP send headers along with each request, which increases the latency, thus making it slower in comparison whereas WS don't, they send header once and then keep the connection on till required, and yeah you guessed it right a lot faster than AJAX.

We have been talking a lot about HTTP and WS header what differences are there, so to understand I opened up Slack and decided to go to the developer tools section!

This is what I got!!! 😧

Response Header

HTTP/1.1 101 Switching Protocols
upgrade: websocket
connection: Upgrade
sec-websocket-accept: oj8LcmKK/eSwbxqeLkHKwJx3TvQ=
sec-websocket-extensions: xxx

The response header contains several hints that suggest WS are being used, 101 Switching Protocols, Upgrade and Connection suggests upgrade in connection protocols.

Request Header

Host: wss-primary.slack.com
User-Agent: xxx
Sec-WebSocket-Version: 13
Origin: https://app.slack.com
Sec-WebSocket-Extensions: xxx
Sec-WebSocket-Key: 1N5BmOgjVY1OcHvXPvrBhQ==
Connection: keep-alive, Upgrade
Cookie: xxx
Upgrade: websocket

Similarly in request headers, Sec-WebSocket-Version is present as well as Connection and Upgrade suggests upgrade in protocols.

All being said, Not everything is rainbows & unicorns.

Everything wrong with Web Sockets!

• Never trust user input, I can't emphasize it enough. Properly crafted malicious inputs can lead to SQL Injection XXE Injection on the client's side.
• If the WS connection is not secure enough then the malicious actor can transmit data to other users.
• No default authentication method. It takes data forwarded from HTTP, like cookies, etc and can thus lead to Cross-Site Web Socket Hijacking. Therefore, a separate mechanism for authentication is required for the transmission of sensitive data.
• The main concern that comes out of WS are as they arise from HTTP, "any web security vulnerability that arises with regular HTTP can also arise about Web Sockets communications"
• WS Needs special configurations for load balancing.
• Ummm, etc...

Web Sockets are a tool which if used properly, can be a real gift, and if not, may God be with you!

This was my day, summed up in an article 😂 I hope you learned something from it! Check out the references for more in-depth information!

References

• A Beginner's Guide to Web Sockets by Dion Misic at PyCon Australia in August 2018.
• Web Socket Security

Peace Out!