Day-4: WebSocket! Wait, what???

th3lazykid

FENIL SHAH

Posted on June 20, 2020

Day-4: WebSocket! Wait, what???

Day-4: Okay so I was scrolling on Twitter and read this,Alt Text This made me think what the heck is WebSocket? I never heard about it before!đź‘€

Also, he got $8000 as Bug bounty for his submission on another report! Basically, it was somewhat related to Npm token as well as WebSocket hijacking! At first, I watched his WriteUp Video and then read his WriteUp but was not clear so I thought let's understand the concept and then maybe I understand what he wanted to say!

What is WebSocket?

  • Ohhhh lol, Websocket is just like Http, a communication protocol that enables interaction between a browser and a web server. I thought it was linked with a socket or something (Just Kidding)!

  • WebSocket is especially great for services that require continuous data exchange, e.g. online games, real-time trading systems and so on. For example, Slack’s web app uses WebSocket connections to sync messages in its chat functionality.

  • During the lifetime of a WebSocket connection, the client and the server are free to exchange any amount of data without incurring the overhead and latency of using traditional HTTP requests.

  • For more good Understanding I prefer you to watch this https://www.youtube.com/watch?v=ZbrEztkwcw8!

How WebSocket it different from HTTP?

How WebSocket connections are created?

  • A WebSocket connection between a client and a server is established through a WebSocket handshake.
  • To open a WebSocket connection, we need to create new WebSocket using the special protocol ws:// in the URL.
  • There's also an encrypted wss:// protocol. It’s like HTTPS for WebSockets.

Problems with WebSocket?

  • WebSocket allows an unlimited number of connections to the target server and thus resources on the server can be exhausted because of DOS attack.
  • WebSockets are vulnerable to malicious input data attacks, therefore leading to attacks like Cross-Site Scripting (XSS).
  • The Websocket protocol doesn’t handle authorization and/or authentication. Application-level protocols should handle that separately in case sensitive data is being transferred.
  • Also, some more problems, Do refer WebSocket Issues for the same!

PS: Now I got Idea what actually WebSocket is, So probably I'll do research about Hijacking WebSockets on Day-5! I hope my notes from different websites are/will helping/help you! Thanks!❤️


Resources

Aseem's WriteUp: https://medium.com/@aseem.shrey/one-token-to-leak-them-all-the-story-of-a-8000-npm-token-79b13af182a3
Aseem's WriteUp Video: YouTube
Javascript Docs: https://javascript.info/websocket
Infosecinstitue: WebSocket Issues

Contact:

Got doubts? Contact me on Twitter.
Feedbacks are welcomed, do comment it down below! :)

đź’– đź’Ş đź™… đźš©
th3lazykid
FENIL SHAH

Posted on June 20, 2020

Join Our Newsletter. No Spam, Only the good stuff.

Sign up to receive the latest update from our blog.

Related

Day-4: WebSocket! Wait, what???
cybersecurity Day-4: WebSocket! Wait, what???

June 20, 2020