WebSocket is a relatively new technology that enables a persistent connection between client and server over TCP protocol. In other words, it allows bi-directional socket connections to a server, where both server and client can send the data at any time. It is available in HTML5 and JavaScript and is fully explained here. In this article, I will focus on WebSocket’s security issues and possible solutions to its vulnerabilities.
Use WebSocket Secure Protocol
A WebSocket connection is established after sending a regular HTTP request with the upgrade header (initial handshake). However, WebSocket is a separate protocol and its URL is usually prefixed with ws://. That is the original protocol that creates an unencrypted connection between client and server. For better security, use WebSocket secure protocol (WSS) that uses SSL/TLS to encrypt the connection and protects against eavesdropping and man-in-the-middle attacks. WebSocket secure protocol URLs are prefixed with wss://. Note that you don’t have to use HTTPS in order to use WSS, but it is recommended to do that anyway.
Implement an Authentication System
WebSocket protocol does not handle authentication or authorization, which means that you will have to implement an authentication solution through HTTP. The recommended solution is to use a token-based authentication system:
• Create a secure login which the user will use to login to his account
• After sending the credentials, the backend script will authenticate the user and generate an authentication token
• Token value should be random and long enough to prevent the attacker from guessing the token through a brute-force attack
• Along with the token, additional information such as user ID, user’s IP address, user’s web browser and operating system and the time when the token was created should be saved to the database
• Send the token back to the client
• Token is now sent to the server as part of WebSocket initial handshake
• Server checks the token and other authentication information
• If everything is valid, establish a secure WebSocket connection
This authentication system also prevents Cross-Site WebSocket Hijacking (an attack scenario where the user is tricked into visiting a malicious site that will establish a WebSocket connection with a legitimate backend server). That’s why it is recommended to check the request’s origin header and not recommended to use cookies for WebSocket authentication.
You can also see how to use Socket.io with authentication here.
Use a Firewall to Block Brute-Force and DoS Attacks
Since anyone could try to connect to a certain socket, WebSocket protocol is vulnerable to brute-force and denial of service attacks. A good solution to these types of attacks is to use a firewall to filter the incoming traffic. Since web servers usually use Linux operating system, you could use configure iptables to protect the WebSocket protocol by issuing the following commands:
$ sudo iptables -A INPUT -p tcp --syn --dport 9000 -m connlimit --connlimit-above 3 -j REJECT This would allow a maximum of 3 connections per IP address to port 9000. Also, you could limit the number of connections per IP address per second by using the following iptables shell script:
#!/bin/bash
IPT=/sbin/iptables
# Max connection in seconds
SECONDS=100
# Max connections per IP
BLOCKCOUNT=10
# default action can be DROP or REJECT
DACTION="DROP"
$IPT -A INPUT -p tcp --dport 9000 -i eth0 -m state --state NEW -m recent --set
$IPT -A INPUT -p tcp --dport 9000 -i eth0 -m state --state NEW -m recent --update --seconds ${SECONDS} --hitcount ${BLOCKCOUNT} -j ${DACTION} Data Validation
It should be always assumed that an attacker could send any type of data through the WebSocket connection. Having that in mind, you should validate all data, both on server and client side. Use tight validation rules. On server side, validate client input in order to prevent SQL injection and similar attacks. On client side, don’t use eval() function or assign data directly to DOM. Also, if the server’s response is in JSON format, use JSON.parse() to safely parse the data.
Avoid Tunneling
WebSocket protocol can be used to tunnel TCP services. This is very dangerous and could lead to a complete breach in case of a cross-site scripting attack. It is recommended to completely avoid tunneling in order to improve the security of your application.
Conclusion
WebSocket is a relatively new technology and might have additional vulnerabilities that have not been discovered yet. If you decide to use it in your application, consult a security professional.
