Awesome WebSockets Security

January 10, 2022


A collection of CVEs, research, and reference materials related to WebSocket security



WebSocket Library Vulnerabilities

This table collects WebSocket CVEs, plus related issues that never received a CVE ID, in commonly encountered WebSocket server implementations. The "Related writeup" column names the source each entry links to.

CVE ID           | Vulnerable package                  | Related writeup     | Vulnerability summary
-----------------|-------------------------------------|---------------------|--------------------------------------------------------------
CVE-2021-42340   | Tomcat                              | Apache mailing list | DoS via memory leak
CVE-2021-33880   | Python websockets                   | GitHub Advisory     | HTTP basic auth timing attack
CVE-2021-32640   | ws                                  | GitHub Advisory     | Regex backtracking Denial of Service
CVE-2020-36406   | uWebSockets                         | OSS-Fuzz summary    | Stack buffer overflow
CVE-2020-27813   | Gorilla                             | GitHub Advisory     | Integer overflow
CVE-2020-24807   | socket.io-file                      | Auxilium Security   | File type restriction bypass
CVE-2020-15779   | socket.io-file                      | Auxilium Security   | Path traversal
CVE-2020-15134   | faye-websocket                      | GitHub Advisory     | Lack of TLS certificate validation
CVE-2020-15133   | faye-websocket                      | GitHub Advisory     | Lack of TLS certificate validation
CVE-2020-11050   | Java WebSocket                      | GitHub Advisory     | SSL hostname validation not performed
CVE-2020-7663    | Ruby websocket-extensions           | Writeup             | Regex backtracking Denial of Service
CVE-2020-7662    | npm websocket-extensions            | Writeup             | Regex backtracking Denial of Service
None             | Socket.io                           | GitHub Issue        | CORS misconfiguration
CVE-2018-1000518 | Python websockets                   | GitHub PR           | DoS via memory exhaustion when decompressing compressed data
None             | Tornado                             | GitHub PR           | DoS via memory exhaustion when decompressing compressed data
CVE-2018-21035   | Qt WebSockets                       | Bug report          | Denial of service due to large limit on message and frame size
CVE-2017-16031   | socket.io                           | GitHub Issue        | Socket IDs use predictable random numbers
CVE-2016-10544   | uWebSockets                         | npm advisory        | Denial of service due to large limit on message size
CVE-2016-10542   | NodeJS ws                           | npm advisory        | Denial of service due to large limit on message size
None             | draft-hixie-thewebsocketprotocol-76 | Writeup             |
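Several rows in the table are one bug class: the server acts on a frame or message length it has not yet bounded (the three "large limit on message size" entries and the Gorilla integer overflow). The parser below is an added example written for this page, not code from any of the listed projects. It reads an RFC 6455 frame header and rejects the frame on the declared length alone, before any body bytes are waited for or copied. The 1 MiB limit and the sample frames are constructed for the example; the "Hello" frame is the masked example from RFC 6455 section 5.7.

```javascript
'use strict';
// Added example for the length-handling bugs in the table (not code from
// any of the listed projects). The 1 MiB limit and the sample frames are
// constructed for the example.

const DEFAULT_MAX_PAYLOAD = 1024 * 1024;

// Parse one RFC 6455 frame from the start of `buf`. Returns one of:
//   { error }                          protocol violation, close the socket
//   { need }                           bytes still missing for this frame
//   { fin, opcode, payload, consumed } a complete, unmasked frame
// The declared length is checked against `maxPayload` before the body is
// waited for or copied, so a header claiming 4 GiB costs nothing.
function parseFrame(buf, { maxPayload = DEFAULT_MAX_PAYLOAD, requireMask = true } = {}) {
  if (buf.length < 2) return { need: 2 - buf.length };
  const b0 = buf[0];
  const b1 = buf[1];
  const fin = (b0 & 0x80) !== 0;
  const rsv = b0 & 0x70;
  const opcode = b0 & 0x0f;
  const masked = (b1 & 0x80) !== 0;
  let len = b1 & 0x7f;
  let off = 2;

  // RSV1-3 mean nothing until an extension such as permessage-deflate is
  // negotiated; this example negotiates none, so any set bit is an error.
  if (rsv !== 0) return { error: 'RSV bits set without a negotiated extension' };
  // Control frames (opcode 0x8-0xF) must not be fragmented or exceed 125 bytes.
  if ((opcode & 0x08) !== 0 && (!fin || len > 125)) return { error: 'invalid control frame' };
  // RFC 6455 section 5.1: frames from a client must be masked.
  if (requireMask && !masked) return { error: 'unmasked client frame' };

  if (len === 126) {
    if (buf.length < off + 2) return { need: off + 2 - buf.length };
    len = buf.readUInt16BE(off);
    off += 2;
  } else if (len === 127) {
    if (buf.length < off + 8) return { need: off + 8 - buf.length };
    const big = buf.readBigUInt64BE(off);
    off += 8;
    // RFC 6455 section 5.2: the top bit of a 64-bit length must be zero.
    if (big > 0x7fffffffffffffffn) return { error: '64-bit length with MSB set' };
    // Compare as BigInt: converting to a fixed-width integer first, or adding
    // to a running total, is how a value near 2^63 wraps around.
    if (big > BigInt(maxPayload)) return { error: `payload ${big} exceeds limit ${maxPayload}` };
    len = Number(big);
  }
  if (len > maxPayload) return { error: `payload ${len} exceeds limit ${maxPayload}` };

  let maskKey = null;
  if (masked) {
    if (buf.length < off + 4) return { need: off + 4 - buf.length };
    maskKey = buf.subarray(off, off + 4);
    off += 4;
  }
  // Only now, with a bounded length, wait for and copy the body.
  if (buf.length < off + len) return { need: off + len - buf.length };
  const payload = Buffer.from(buf.subarray(off, off + len));
  if (masked) {
    for (let i = 0; i < payload.length; i++) payload[i] ^= maskKey[i & 3];
  }
  return { fin, opcode, payload, consumed: off + len };
}

// Build a masked client frame. Used here only to construct sample input.
function buildClientFrame(opcode, data, maskKey, fin = true) {
  const body = Buffer.from(data);
  const head = [(fin ? 0x80 : 0x00) | opcode];
  if (body.length < 126) {
    head.push(0x80 | body.length);
  } else if (body.length < 0x10000) {
    head.push(0x80 | 126, body.length >>> 8, body.length & 0xff);
  } else {
    head.push(0x80 | 127);
    const ext = Buffer.alloc(8);
    ext.writeBigUInt64BE(BigInt(body.length));
    head.push(...ext);
  }
  const masked = Buffer.alloc(body.length);
  for (let i = 0; i < body.length; i++) masked[i] = body[i] ^ maskKey[i & 3];
  return Buffer.concat([Buffer.from(head), maskKey, masked]);
}

// Constructed sample: the masked "Hello" text frame from RFC 6455 section 5.7,
// bytes 81 85 37 fa 21 3d 7f 9f 4d 51 58.
const RFC_MASK_KEY = Buffer.from([0x37, 0xfa, 0x21, 0x3d]);
const sampleFrame = buildClientFrame(0x1, 'Hello', RFC_MASK_KEY);

// Constructed sample: a 14-byte header claiming a 4 GiB body. A parser that
// allocates on the declared length tries to reserve 4 GiB per connection.
const hugeFrame = Buffer.concat([
  Buffer.from([0x81, 0xff, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00]),
  RFC_MASK_KEY,
]);

console.log(parseFrame(sampleFrame)); // payload "Hello", consumed 11
console.log(parseFrame(hugeFrame));   // error: payload 4294967296 exceeds limit 1048576
```

Bounding the declared frame length is only half of the defence. A server that reassembles fragmented messages must also cap the running total across continuation frames, and one that negotiates permessage-deflate must cap the inflated size rather than the compressed frame, which is the bug class behind the two decompression entries in the table.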

Conference Talks, Papers, Notable Blog Posts

2011

  • Talking to Yourself for Fun and Profit Paper

2012

  • Blackhat 2012 - Mike Shema, Sergey Shekyan, Vaagn Toukharian - Hacking with WebSockets Video

2019

  • Hacktivity 2019 - Mikhail Egorov - What’s Wrong with WebSocket APIs? Unveiling Vulnerabilities in WebSocket APIs Video
  • DerbyCon 2019 - Michael Fowl, Nick Defoe - Old Tools New Tricks Hacking WebSockets Video

2021

  • OWASP Global AppSec US 2021 - Erik Elbieh - We’re not in HTTP anymore: Investigating WebSocket Server Security Tool Paper Video

Common WebSocket Weaknesses

Unencrypted WebSockets

  • Black Hills WebSocket testing guide: Link

Cross-Site WebSocket Hijacking (CSWSH)

  • Original CSWSH blog post by Christian Schneider: Link
  • PortSwigger Web Academy CSWSH lab: Link
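The check that closes CSWSH is a strict comparison of the handshake's Origin header: the browser attaches the victim's cookies to a cross-site handshake, but it never lets the attacking page forge Origin. The code below is an added example for this page, not taken from either post above; the allowed origins and the constructed handshake headers are hypothetical. It shows the unanchored substring check that is commonly found in the wild beside the exact-origin comparison that replaces it.

```javascript
'use strict';
// Added example for Cross-Site WebSocket Hijacking (not from the posts
// linked above). The allowed origins and sample headers are hypothetical.

const ALLOWED_ORIGINS = ['https://app.example.com', 'https://admin.example.com:8443'];

// Vulnerable: an unanchored substring match. Every string below passes:
//   https://app.example.com.evil.net
//   https://evil.net/?app.example.com
//   https://app.example.com@evil.net   (app.example.com becomes userinfo)
function naiveOriginCheck(origin) {
  return typeof origin === 'string' && origin.includes('app.example.com');
}

// Hardened: parse the header as a URL and compare the serialized origin
// (scheme, host, port) with the allowlist exactly. URL.origin canonicalizes
// case and default ports, so 'https://APP.example.com:443' still matches.
// A missing header and the literal "null" origin (sandboxed iframes,
// data: URLs, some redirects) are rejected, never treated as same-site.
function isAllowedOrigin(origin, allowlist = ALLOWED_ORIGINS) {
  if (typeof origin !== 'string' || origin === 'null') return false;
  let parsed;
  try {
    parsed = new URL(origin);
  } catch (e) {
    return false;
  }
  if (parsed.origin === 'null') return false; // opaque origin, e.g. file:
  const canonical = allowlist.map((o) => new URL(o).origin);
  return canonical.includes(parsed.origin);
}

// Handshake gate. `headers` is keyed by lower-cased name, as Node's http
// module exposes req.headers on an 'upgrade' event. Returns the status the
// server should answer with: 101 to proceed, otherwise an error status.
function shouldAcceptUpgrade(headers) {
  if ((headers.upgrade || '').toLowerCase() !== 'websocket') {
    return { status: 400, reason: 'not a WebSocket upgrade' };
  }
  if (!isAllowedOrigin(headers.origin)) {
    return { status: 403, reason: `origin not allowed: ${headers.origin}` };
  }
  return { status: 101 };
}

// Constructed handshake headers as a browser sends them from the attacker's
// page: the victim's cookie rides along automatically, but the browser sets
// Origin to the attacker's site, which is the one thing the page cannot change.
const CROSS_SITE_HANDSHAKE = {
  host: 'app.example.com',
  upgrade: 'websocket',
  connection: 'Upgrade',
  origin: 'https://attacker.example',
  cookie: 'session=victim-session-id',
  'sec-websocket-key': 'dGhlIHNhbXBsZSBub25jZQ==',
  'sec-websocket-version': '13',
};
const SAME_SITE_HANDSHAKE = { ...CROSS_SITE_HANDSHAKE, origin: 'https://app.example.com' };

console.log(shouldAcceptUpgrade(CROSS_SITE_HANDSHAKE)); // status 403
console.log(shouldAcceptUpgrade(SAME_SITE_HANDSHAKE));  // status 101
```

Rejecting a missing Origin is a deliberate choice here: browsers always send it on a WebSocket handshake, so a request without one comes from a non-browser client, which should authenticate with a bearer token instead of cookies. Because such clients can also set any Origin they like, this check defends against cross-site browser requests only and is not a substitute for authentication.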

Insecure Authentication Mechanism

  • Stratum Security blog post: Link
  • Heroku WebSocket Security: Link

Reverse Proxy Bypass using Upgrade Header

  • Mikhail Egorov's initial PoC from Hacktivity 2019: Link
  • Jake Miller's h2c (HTTP/2 cleartext upgrade) smuggling tool, h2csmuggler, based on Mikhail's PoC work: Link
  • AssetNote blog post with a Go implementation of h2csmuggler: Link

DOM-based WebSocket-URL poisoning

  • Portswigger summary: Link

Useful Blog Posts & Resources

  • Portscanning using WebSockets Link
  • WebSocket fuzzing with Kitty fuzzing framework Link
  • WebSocket fuzzing harness Link
  • Project Zero WebSockets-based buffer overflow Link
  • Reserved WebSocket extension and subprotocol name registries Link

WebSocket Security Tools

Discovery, Fingerprinting, Vulnerability Detection

Fuzzing

Playgrounds

  • DVWS: A purposefully vulnerable WebSocket demo GitHub
  • WebSocket-Playground: Jumpstart multiple WebSockets servers GitHub

General Utilities & Tools


Bug Bounty Writeups

CSWSH bugs

Other bugs