Thursday, November 27, 2014

Analysing, Testing and Fuzzing WebSocket Implementations with IronWASP

WebSockets is an HTML5 feature that is seeing some good adaptation in newer websites. It is an asynchronous persistent full-duplex communication system and therefore is completely different from HTTP and AJAX. In some sense testing applications using WebSockets is similar to testing thick-clients using their own custom protocols because each WebSocket implementation could be designed very differently from the other.

Given how complex and unique WebSocket implementations can be and how it is difficult to properly analyse and test them using existing tools, I have tried to take a stab at the problem.

I have added five new tools to IronWASP that are dedicated to WebSocket Security Testing:

1) WebSocket Message Analyzer
An utility to analyse complex WebSocket implementations in a simple way. Check out this report of of our WebSocket Demo Application.

2) Online Cross-Site WebSocket Hijacking Tester
An online tool to easily check for CSWSH issues. Check it out here.
To understand more about Cross-Site WebSocket Hijacking check out this post on NotSoSecure

3) WebSocket Client
Versatile WebSocket client that lets you send store and send multiple messages along with setting custom Origin and Cookie headers. Perfect for checking Cross-Site WebSocket Hijacking and other WebSocket issues.

4) WebSocket Scripting API for Python and Ruby
To automated checks and write custom fuzzers for WebSocket implementations. Generic fuzzers don't work for asynchronous protocols like WebSockets.
Check out these code samples on Gist:

5) WebSocket Demo App
A sample vulnerable application that is built to use WebSockets heavily. Good test bed to test and learn WebSocket security testing.

Do check out the post I have made on NotSoSecure for more information on WebSocket Security and for the need behind making these tools.

I demos most of these tools at the Ground Zero Security conference recently and also at null Bangalore.

Here are some videos where I have tired to show how these tools can be used to test WebSocket implementations:

Some screenshots of these tools:
Menu Option to launch two of the 5 messages
Results of the WebSocket Message Analyzer

Online Cross-Site WebSocket Hijacking Tester

CSWSH Tester in action

Testing with IronWASP's WebSocket Client

Scripting with WebSocket Testing API

The WebSocket Demo Application
All of these tools should make WebSocket Security Testing easier than it currently is. Hope you find these useful and if you find any of them lacking in any area then do drop a comment, I will try to address those needs.

Please follow the IronWASP twitter account for all project updates.

Post by Lavakumar Kuppan

1 comment: