Hacking with WebSockets¶
Date: | 2012-07-26 |
---|---|
Speakers: | Mike Shema, Sergey Shekyan, Vaagn Toukharian |
Slides: | http://media.blackhat.com/bh-us-12/Briefings/Shekyan/BH_US_12_Shekyan_Toukharian_Hacking_Websocket_Slides.pdf |
The Gist¶
- “Behold the bi-directional browser”
- 2-way comm
- Untrusted code
- Forcing persistence on a non-persistent protocol!
- RFC 6455
- Tunnel arbitrary data (JSON, XML, HTML, images, video, sound... ANOTHER PROTOCOL)
WebSocket Emulation¶
- web-socket.js - Flash raw sockets with Flash “security”
- sockjs-client - Pure JS
- Force HTML5 in non-HTML5 browser
Why Worry!¶
- 0.15% of sites today use WebSockets
- Most are for support chat (95%)
- Among remaining 5%, < 1% using crypto
- OLD THREATS (DoS, MitM)