WebSocket Security



@oscartong

Topics


  • Protocol Stack
  • HTTP Security
  • WebSocket Protocol Security
  • How to hack

Protocol Stack


HTTP Security

  • HTTP Authentication
  • HTTPS
  • Cookie

HTTP Authentication



HTTP Authentication


base64( username:password )

HTTP Authentication


  • http://username:password@www.example.com/...
  • Authorization: Basic base64(username:password)

    GET /secret.html HTTP/1.1Host: www.example.comAuthorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==...

    HTTPS


    • Identification Verification
      • Cerification
    • Data encryption
      • Asymmetric encryption
      • Symmetric encryption

    HTTPS


    HTTPS

    HTTPS


    Cookie


    Cookie

    Setting cookies
    > GET /index.html HTTP/1.1> Host: www.example.org
    < HTTP/1.1 200 OK< Content-Type: text/html< Set-Cookie: name=value< Set-Cookie: name2=value2; Expires=Wed, 09 Jun 2021 12:34:56 GMT
    > GET /spec.html HTTP/1.1> Host: www.example.org> Cookie: name=value; name2=value2

    WebSocket Protocol Security


    • Protocol
    • Handshake Challenge
    • Data Masking

    WebSocket Protocol


    Handshake Challenge

    GET /chat HTTP/1.1Host: www.example.comOrigin: http://www.example.comUpgrade: websocketConnection: UpgradeSec-WebSocket-Key: dGhIHNhbXBsZSBub25jZQ==Sec-WebSocket-Protocol: chat, superchatSec-WebSocket-Version: 13
    HTTP/1.1 101 Switching ProtocolsUpgrade: websocketConnection: UpgradeSec-WebSocket-Accept: s3pPLMBiTxaQ9kYGzzhZRbK+xOo=Sec-WebSocket-Protocol: chat

    Handshake Challenge


    • Sec-WebSocket-Key
    • Sec-WebSocket-Accept

    GUID = '258EAFA5-E914-47DA-95CA-C5AB0DC85B11';Sec-WebSocket-Accept = base64( sha1( Sec-WebSocketKey + GUID ));

    Data Masking

    Frame
      0               1               2               3
      0 1 2 3 4 5 6 7 0 1 2 3 4 5 6 7 0 1 2 3 4 5 6 7 0 1 2 3 4 5 6 7
     +-+-+-+-+-------+-+-------------+------------------------------+
     |F|R|R|R| Opcode|M| Payload len |    Extended payload length   |
     |I|S|S|S|  (4)  |A|     (7)     |          (16 or 64)          |
     |N|V|V|V|       |S|             |  (if payload len == 126/127) |
     | |1|2|3|       |K|             |                              |
     +-+-+-+-+-------+-+-------------+------------------------------+
     |    Extended payload length continued, if payload len == 127  |
     +-------------------------------+------------------------------+
     |                               |Masking-key, if MASK set to 1 |
     +-------------------------------+------------------------------+
     |     Masking-key continued     |        Payload Data          |
     +-------------------------------+------------------------------+
     :                   Payload Data continued ...                 :
     +--------------------------------------------------------------+
     |                   Payload Data continued ...                 |
     +--------------------------------------------------------------+
    

    Data Masking

    • MaskedPayload[i] = Payload[i] ^ Mask[i%4]
    • Payload[i] = MaskedPayload[i] ^ Mask[i%4]

     
    "HelloWorld"  >>  "õ©ÒѨ"

    How to hack


    • Spy the traffic
    • Man-in-the-middle
    • Hijack iPhone

    Spy the traffic



    Man in the middle


    Thanks


    Q&A

    WebSocket Security

    By Oscar Tong

    WebSocket Security

    • 4,646