In the modern world of web development, there are a set of new and emerging specifications sometimes grouped under the moniker HTML5. One of those specifications is the WebSocket API, which enables two-way communications.
WebSockets offer the promise of faster communications than traditional TCP — but according to a pair of security researchers, there is a hidden risk. Speaking at the Black Hat conference last week, Qualys engineers Sergey Shekyan and Vaagn Toukharian detailed how WebSockets could be exploited for malicious gain.
Support for WebSockets is currently available in the latest Chrome, Firefox, Safari, and IE 10 web browsers. According to the two researchers, WebSockets are already in use by websites and embedded applications around the world today, and often without proper security.
“We think that user capacity may be an issue with WebSockets if it’s not implemented in the right way,” Toukharian told eSecurity Planet. “WebSockets can be used for lots of things, but they shouldn’t be used for all items on a web page.”
He stressed that WebSockets don’t make sense to use in applications that don’t need bi-directional communications or a fast response time.
Different browsers also support WebSockets in unique ways. In particular, Shekyan noted that there are some important things that are not implemented in WebKit, which is the underlying engine that powers Chrome and Safari.
Shekyan explained that the current WebSockets specification states that there should only be one WebSocket in a connecting state at a time. According to Shekyan, WebKit does not implement that specification.
“So if a server is not accepting connections fast enough, then you shouldn’t try and open a new connection before the previous one was accepted,” Shekyan said. “That would prevent DoS (Denial of Service) attacks.”
According to Shekyan, an attacker could theoretically open an unlimited number of WebSocket connections from a single machine with WebKit to a third party server. Firefox also doesn’t quite follow the WebSocket specification and it can allow up to 200 connections.
Toukharian added that from a security perspective, WebSockets don’t make applications more secure — but they do provide a new attack vector for hackers. Traditional web attacks like Cross Site Scripting (XSS) and Man in the Middle (MitM) attacks can find a new home in WebSocket traffic.
“Basically, if an attacker has access to content that initiates a WebSockets connection, then that connection could be compromised,” Shekyan said.
The other key issue, Shekyan argued, is that because WebSocket technology is still relatively new, most firewall and IPS network security devices are not aware of it. As such, WebSocket traffic is not inspected or secured by the same mechanisms as other web traffic.
“If someone can deliver malicious content over WebSockets, the rest of the protection is useless,” Shekyan said. “Vendors should really start looking at handling the WebSockets protocol.”
The challenge is one of usage. Toukharian added that if there was more use of WebSockets, then it’s likely vendors would take more notice. Shekyan noted that he talked with one of the firewall vendors about the risk of not supporting WebSockets. The surprising response he got back was that WebSockets are not currently a major attack vector and as such it doesn’t matter.
“Malware delivery via WebSockets becomes easier since IDS and Firewall technology can’t see what is being delivered,” Toukharian said. “It’s just a matter of unmasking the data and looking at the traffic, it’s not very hard.
“Our hope is that Firewall and IPS vendors pick it up as soon as possible,” Toukharian added.
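The inspection gap described above comes down to the masking step Toukharian mentions: every client-to-server WebSocket frame is XOR-masked with a per-frame key, so an engine that does not decode the framing sees only opaque bytes. The following is an added example, not code from the article or from the Qualys researchers, showing the minimal RFC 6455 frame decoding (no extensions assumed) an inspection device needs in order to see the payload; the sample frame is the masked "Hello" text frame from RFC 6455 section 5.7, and the frame builder exists only to construct test input.

```python
import struct

# Added example: decode RFC 6455 frames and unmask client-to-server payloads for inspection.

def parse_frame(buf: bytes) -> dict:
    """Decode one WebSocket frame at the start of buf (no extensions assumed)."""
    if len(buf) < 2:
        raise ValueError("truncated header")
    fin = bool(buf[0] & 0x80)
    opcode = buf[0] & 0x0F              # 0x1 text, 0x2 binary, 0x8 close, ...
    masked = bool(buf[1] & 0x80)        # set on every client-to-server frame
    length, pos = buf[1] & 0x7F, 2
    if length == 126:                   # 16-bit extended length follows
        length = struct.unpack_from("!H", buf, pos)[0]
        pos += 2
    elif length == 127:                 # 64-bit extended length follows
        length = struct.unpack_from("!Q", buf, pos)[0]
        pos += 8
    key = b""
    if masked:
        key = buf[pos:pos + 4]          # 4-byte masking key precedes the payload
        pos += 4
    payload = buf[pos:pos + length]
    if len(payload) != length:
        raise ValueError("truncated payload")
    if masked:                          # XOR each byte with the rotating key
        payload = bytes(c ^ key[i % 4] for i, c in enumerate(payload))
    return {"fin": fin, "opcode": opcode, "masked": masked,
            "payload": payload, "consumed": pos + length}

def parse_stream(buf: bytes) -> list:
    """Split a captured byte stream into its decoded, unmasked frames."""
    frames = []
    while buf:
        f = parse_frame(buf)
        frames.append(f)
        buf = buf[f["consumed"]:]
    return frames

def build_masked_frame(payload: bytes, key: bytes, opcode: int = 0x1) -> bytes:
    """Build a client-style masked frame; used here only to construct test input."""
    n = len(payload)
    ext = b"" if n < 126 else struct.pack("!H", n) if n < 65536 else struct.pack("!Q", n)
    code = n if n < 126 else 126 if n < 65536 else 127
    hdr = bytes([0x80 | opcode, 0x80 | code]) + ext
    return hdr + key + bytes(c ^ key[i % 4] for i, c in enumerate(payload))

# Constructed sample input: the masked "Hello" text frame from RFC 6455 section 5.7.
SAMPLE = bytes.fromhex("81 85 37 fa 21 3d 7f 9f 4d 51 58")
```

Feeding `SAMPLE` to `parse_stream` yields one text frame whose unmasked payload is `b"Hello"`, which is the content a firewall or IPS would have to match on rather than the masked bytes on the wire.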