Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/PalindromeLabs/awesome-websocket-security

Awesome information for WebSockets security research
https://github.com/PalindromeLabs/awesome-websocket-security

List: awesome-websocket-security

security security-tools web-application-security websocket websocket-security websockets websockets-security

Last synced: 16 days ago
JSON representation

Awesome information for WebSockets security research

Awesome Lists containing this project

README

        

# Awesome WebSockets Security

[![Awesome](https://cdn.rawgit.com/sindresorhus/awesome/d7305f38d29fed78fa85652e3a63e154dd8e8829/media/badge.svg)](https://github.com/sindresorhus/awesome)

A collection of CVEs, research, and reference materials related to WebSocket security

------

## Contents

- [WebSocket Library Vulnerabilities](#websocket_library_vulnerabilities)
- [Conference Talks](#conference_talks)
- [Common WebSocket Weaknesses](#common_weaknesses)
- [WebSocket Security Tools](#websocket_security_tools)
- [Bug Bounty Writeups](#bug_bounty_writeups)
- [Useful blog posts](#useful_blogs)

------

## WebSocket Library Vulnerabilities

This list of vulnerabilities attempts to capture WebSocket CVEs and
related issues in commonly encountered WebSockets server implementations.

| CVE ID | Vulnerable package | Related writeup | Vulnerability summary |
| :---- | :---------- | :-------------------- | :------ |
| [CVE-2021-42340](https://nvd.nist.gov/vuln/detail/CVE-2021-42340) | [Tomcat](https://github.com/uNetworking/uWebSockets) | [Apache mailing list](https://lists.apache.org/thread.html/r83a35be60f06aca2065f188ee542b9099695d57ced2e70e0885f905c%40%3Cannounce.tomcat.apache.org%3E) | DoS memory leak |
| [CVE-2021-33880](https://nvd.nist.gov/vuln/detail/CVE-2021-33880) | [Python websockets](https://github.com/aaugustin/websockets) | [GitHub Advisory](https://github.com/advisories/GHSA-8ch4-58qp-g3mp) | HTTP basic auth timing attack |
| [CVE-2021-32640](https://nvd.nist.gov/vuln/detail/CVE-2021-32640) | [ws](https://github.com/websockets/ws) | [GitHub Advisory](https://github.com/websockets/ws/security/advisories/GHSA-6fc8-4gx4-v693) | Regex backtracking Denial of Service |
| [CVE-2020-36406](https://nvd.nist.gov/vuln/detail/CVE-2020-36406) | [uWebSockets](https://github.com/uNetworking/uWebSockets) | [OSS Fuzz Summary](https://github.com/google/oss-fuzz-vulns/blob/main/vulns/uwebsockets/OSV-2020-1695.yaml) | Stack buffer overflow |
| [CVE-2020-27813](https://nvd.nist.gov/vuln/detail/CVE-2020-27813) | [Gorilla](https://github.com/gorilla/websocket) | [GitHub Advisory](https://github.com/gorilla/websocket/security/advisories/GHSA-jf24-p9p9-4rjh) | Integer overflow |
| [CVE-2020-24807](https://nvd.nist.gov/vuln/detail/CVE-2020-24807) | [socket.io-file](https://github.com/rico345100/socket.io-file) | [Auxilium Security](https://blog.auxiliumcybersec.com/?p=2646) | File type restriction bypass |
| [CVE-2020-15779](https://nvd.nist.gov/vuln/detail/CVE-2020-15779) | [socket.io-file](https://github.com/rico345100/socket.io-file) | [Auxilium Security](https://blog.auxiliumcybersec.com/?p=2586) | Path traversal |
| [CVE-2020-15134](https://nvd.nist.gov/vuln/detail/CVE-2020-15134) | [faye-websocket](https://github.com/faye/faye-websocket-ruby) | [GitHub advisory](https://github.com/faye/faye/security/advisories/GHSA-3q49-h8f9-9fr9) | Lack of TLS certificate validation |
| [CVE-2020-15133](https://nvd.nist.gov/vuln/detail/CVE-2020-15133) | [faye-websocket](https://github.com/faye/faye-websocket-ruby) | [GitHub advisory](https://github.com/faye/faye-websocket-ruby/security/advisories/GHSA-2v5c-755p-p4gv) | Lack of TLS certificate validation |
| [CVE-2020-11050](https://nvd.nist.gov/vuln/detail/CVE-2020-11050) | [Java WebSocket](https://tootallnate.github.io/Java-WebSocket/) | [GitHub advisory](https://github.com/TooTallNate/Java-WebSocket/security/advisories/GHSA-gw55-jm4h-x339) | SSL hostname validation not performed |
| [CVE-2020-7663](https://nvd.nist.gov/vuln/detail/CVE-2020-7663) | [Ruby websocket-extensions](https://rubygems.org/gems/websocket-extensions) | [Writeup](https://blog.jcoglan.com/2020/06/02/redos-vulnerability-in-websocket-extensions/) | Regex backtracking Denial of Service |
| [CVE-2020-7662](https://nvd.nist.gov/vuln/detail/CVE-2020-7662) | [npm websocket-extensions](https://rubygems.org/gems/websocket-extensions) | [Writeup](https://snyk.io/blog/regular-expression-denial-of-service-in-websocket-extensions/) | Regex backtracking Denial of Service |
| None | [Socket.io](https://github.com/socketio/socket.io) | [GitHub Issue](https://github.com/socketio/socket.io/issues/3671) | CORS misconfiguration |
| [CVE-2018-1000518](https://nvd.nist.gov/vuln/detail/CVE-2018-1000518) | [Python websockets](https://github.com/aaugustin/websockets) | [GitHub PR](https://github.com/aaugustin/websockets/pull/407) | DoS via memory exhaustion when decompressing compressed data |
| None | [Tornado](https://github.com/tornadoweb/tornado) | [GitHub PR](https://github.com/tornadoweb/tornado/pull/2391) | DoS via memory exhaustion when decompressing compressed data |
| [CVE-2018-21035](https://nvd.nist.gov/vuln/detail/CVE-2018-21035) | [Qt WebSockets](https://doc.qt.io/qt-5/qtwebsockets-index.html) | [Bug report](https://bugreports.qt.io/browse/QTBUG-70693) | Denial of service due large limit on message and frame size |
| [CVE-2017-16031](https://nvd.nist.gov/vuln/detail/CVE-2017-16031) | [socket.io](https://socket.io/) | [GitHub Issue](https://github.com/socketio/socket.io/issues/856) | Socket IDs use predictable random numbers |
| [CVE-2016-10544](https://nvd.nist.gov/vuln/detail/CVE-2016-10544) | [uWebSockets](https://github.com/uNetworking/uWebSockets) | [npm advisory](https://www.npmjs.com/advisories/149) | Denial of service due to large limit on message size |
| [CVE-2016-10542](https://nvd.nist.gov/vuln/detail/CVE-2016-10542) | [NodeJS ws](https://www.npmjs.com/package/ws) | [npm advisory](https://www.npmjs.com/advisories/120) | Denial of service due to large limit on message size |
| None | [draft-hixie-thewebsocketprotocol-76](https://tools.ietf.org/html/draft-hixie-thewebsocketprotocol-76) | [Writeup](https://webcache.googleusercontent.com/search?q=cache:oPoZu0vomjYJ:https://www.ietf.org/mail-archive/web/hybi/current/msg04744.html+&cd=1&hl=en&ct=clnk&gl=us) | |

------

## Conference Talks, Papers, Notable Blog Posts

## 2011

- Talking to Yourself for Fun and Profit [Paper](http://www.adambarth.com/papers/2011/huang-chen-barth-rescorla-jackson.pdf)

### 2012

- Blackhat 2012 - Mike Shema, Sergey Shekyan, Vaagn Toukharian - Hacking with WebSockets [Video](https://www.youtube.com/watch?v=-ALjHUqSz_Y)

### 2019

- Hacktivity 2019 - Mikhail Egorov - What’s Wrong with WebSocket APIs? Unveiling Vulnerabilities in WebSocket APIs [Video](https://www.youtube.com/watch?v=gANzRo7UHt8)
- DerbyCon 2019 - Michael Fowl, Nick Defoe - Old Tools New Tricks Hacking WebSockets [Video](https://www.youtube.com/watch?v=MhxayMPknFI)

### 2021

- OWASP Global AppSec US 2021 - Erik Elbieh - We’re not in HTTP anymore: Investigating WebSocket Server Security [Tool](https://github.com/PalindromeLabs/STEWS) [Paper](https://github.com/PalindromeLabs/STEWS/blob/main/paper.pdf) [Video](https://www.youtube.com/watch?v=bMFP71UAbPo)

------

## Common WebSocket Weaknesses

### Unencrypted WebSockets

- Black Hills WebSocket testing guide: [Link](https://www.blackhillsinfosec.com/how-to-hack-websockets-and-socket-io/)

### Cross-Site WebSocket Hijacking (CSWSH)
- Original CSWSH blog post by Christian Schneider: [Link](https://christian-schneider.net/CrossSiteWebSocketHijacking.html)
- PortSwigger Web Academy CSWSH lab: [Link](https://portswigger.net/web-security/websockets/cross-site-websocket-hijacking)

### Insecure Authentication Mechanism
- Stratum Security blog post: [Link](https://blog.stratumsecurity.com/2016/06/13/websockets-auth/)
- Heroku WebSocket Security: [Link](https://devcenter.heroku.com/articles/websocket-security#authentication-authorization)

### Reverse Proxy Bypass using Upgrade Header
- Mikhail Egorov's initial PoC from Hacktivity 2019: [Link](https://github.com/0ang3el/websocket-smuggle)
- Jake Miller's HTTP 2 smuggling tool based on Mikhail's PoC work: [Link](https://github.com/BishopFox/h2csmuggler)
- AssetNote blog post with golang h2smuggler tool: [Link](https://blog.assetnote.io/2021/03/18/h2c-smuggling/)

## DOM-based WebSocket-URL poisoning
- Portswigger summary: [Link](https://portswigger.net/web-security/dom-based/websocket-url-poisoning)

------

## Useful Blog Posts & Resources

- Portscanning using WebSockets [Link](https://medium.com/@stestagg/stealing-secrets-from-developers-using-websockets-254f98d577a0)
- WebSocket fuzzing with Kitty fuzzing framework [Link](https://snikt.net/blog/2019/05/22/to-fuzz-a-websocket/)
- WebSocket fuzzing harness [Link](https://vdalabs.com/2019/03/05/hacking-web-sockets-all-web-pentest-tools-welcomed/)
- Project Zero WebSockets-based buffer overflow [Link](https://googleprojectzero.blogspot.com/2020/02/several-months-in-life-of-part2.html)
- Reserved Extension, Subprotocol values [Link](https://www.iana.org/assignments/websocket/websocket.xml#subprotocol-name)

------

## WebSocket Security Tools

### Discovery, Fingerprinting, Vulnerability Detection
- STEWS [GitHub](https://github.com/PalindromeLabs/STEWS)

### Fuzzing
- websocket-fuzzer [GitHub](https://github.com/andresriancho/websocket-fuzzer)
- websocket-harness [GitHub](https://github.com/VDA-Labs/websocket-harness)

### Playgrounds
- DVWS: A purposefully vulnerable WebSocket demo [GitHub](https://github.com/interference-security/DVWS)
- WebSocket-Playground: Jumpstart multiple WebSockets servers [GitHub](https://github.com/PalindromeLabs/WebSockets-Playground)

### General Utilities & Tools

- WebSocket King [in-browser tool](https://websocketking.com/)
- Hoppscotch.io [in-browser tool](https://hoppscotch.io/realtime)
- websocat [GitHub](https://github.com/vi/websocat)
- wsd [GitHub](https://github.com/alexanderGugel/wsd)

------

## Bug Bounty Writeups

### CSWSH bugs

- [Slack H1 #207170](https://hackerone.com/reports/207170): CSWSH (plus [an additional writeup](https://labs.detectify.com/2017/02/28/hacking-slack-using-postmessage-and-websocket-reconnect-to-steal-your-precious-token/))
- [Facebook](https://ysamm.com/?p=363): CSWSH
- [Stripo H1 #915541](https://hackerone.com/reports/915541): CSWSH
- [Coda H1 #535436](https://hackerone.com/reports/535436): CSWSH
- [Legal Robot #211283](https://hackerone.com/reports/211283): CSWSH
- [Legal Robot H1 #274324](https://hackerone.com/reports/274324): CSWSH
- [Grammarly #395729](https://hackerone.com/reports/395729): CSWSH
- [Undisclosed target](https://sharan-panegav.medium.com/account-takeover-using-cross-site-websocket-hijacking-cswh-99cf9cea6c50): CSWSH
- [Undisclosed target](https://medium.com/bugbountywriteup/one-token-to-leak-them-all-the-story-of-a-8000-npm-token-79b13af182a3): CSWSH

### Other bugs

- [PlayStation H1 #873614](https://hackerone.com/reports/873614): Remote code execution over WebSockets
- [Shopify H1 #409701](https://hackerone.com/reports/409701): SSRF over WebSockets
- [QIWI H1 #512065](https://hackerone.com/reports/512065): DOM XSS over WebSockets
- [NodeJS H1 #868834](https://hackerone.com/reports/868834): DoS because no timeout to close unresponsive connections
- [Bitwala H1 #862835](https://hackerone.com/reports/862835): Broken authentication
- [Shopify H1 #1023669](https://hackerone.com/reports/1023669): Broken authentication
- [Legal Robot H1 #163464](https://hackerone.com/reports/163464): Information leak
- [GitHub H1 #854439](https://hackerone.com/reports/854439): Arbitrary SQL queries via injection
- [Undisclosed target](https://footstep.ninja/posts/idor-via-websockets/): IDOR over WebSockets
- [Undisclosed target on BugCrowd](https://medium.com/@osamaavvan/exploiting-websocket-application-wide-xss-csrf-66e9e2ac8dfa): XSS over WebSockets