Security BSides Las Vegas – which will be held on July 31st & August 1st – is fast approaching, and we are continuing our series highlighting some of the fantastic presentations that are slated for the event.
First up in our coverage was a session from security researcher D0n Quix0te (@OMENScan) titledThe Little Dutch Boy, about the development of a free Windows web server tool called OMENSwhich monitors, detects, and blocks many attacks that traditional Network Monitoring tools often miss.
Next in line is a session called Fun with WebSockets Using Socket Puppet by New Jersey based web developer Yair Silbermintz (@MisterGlass).
Silbermintz, who studied computer science at Yeshiva University and has a GWAPT certification, spends most of his time building websites in PHP, Python, HTML5, CSS3, and JavaScript, but he also has a strong interest in security issues and makes an effort to keep up with the latest security research.
WebSockets are an HTML5 solution utilized for low latency communications, and developers are starting to use them for chat, games, videoconferencing, and other applications. Silbermintz says that while support is stable in major browsers, WebSockets tend to be quite difficult for pen testers to mess with.
“Tools are starting to catch up – Wireshark, Fiddler and Chrome will let you view WebSocket traffic, but there is no simple system currently available to tamper with these messages,” Silbermintz said in his session abstract. “This summer I plan to release Socket Puppet, a Chrome extension designed to fill this need.”
Silbermintz’ talk will be in four main sections, including:
- An intro to WebSockets with a short overview of low latency communication in the browser, current implementations, etc.
- An explanation on how Socket Puppet works, looking at the important bits that let the tool intercept messages, including how to overload native JavaScript from an extension – a powerful technique which can be adapted to make other tools
- How to use Socket Puppet – with a walk-through of features including logging sessions, interrupting messages to tamper on the fly, and data filters; and
- Future plans covering possible expansions of the plugin such as automated testing and support for other communication methods, as well as soliciting ideas and code contributions from the security community
Silbermintz said he chose to release the tool at BSidesLV because it is at its heart a pentesting tool, and he wants to present it first to the a professional infosec audience like those he has seen at the BSides conferences he has attended in the past.
“I am also often disappointed at how little code gets shown at infosec conferences, and I think they would benefit from a segment on JavaScript coding,” Silbermintz said.
Socket Puppet was developed after Silbermintz had a bug in a WebSocket app he made that caused his server to completely crash. “I fixed it quickly, but noticed that there weren’t any debugging or security tools that worked with WebSockets,” he said in an email interview. “I see a lot of buzz about sockets in the webdev scene, so I figured it would be a hot topic to cover.”
Socket Puppet is a powerful tool for both pentesters and developers looking to debug apps Silbermintz explained, and the talk is going to be focused more toward that audience, particularly those in the web app pentesting field.
“I want to draw attention to WebSockets and hopefully generate more work focused on targeting them. They are a new and mostly untested attack surface, and I really want to inspire more people to work on hacking them,” Silbermintz said.
“I’m lowering the bar a lot on executing attacks against WebSockets, but in the end of the day my tool is just a helper for stuff people can do themselves right now in a developer console.”
Silbermintz says that while there aren’t many “big places” using WebSockets yet, the chatter he is hearing more and more about them from developers seems to indicate that they will be growing soon, and that there is gonna come a day where developers start using them all over without properly securing them.
“It almost feels like when developers first made mashups using twitter data several years ago. Developers made some cool stuff for a little while, but were very amateurish about their security, and six months in large databases of plaintext passwords were being dropped every day,” Silbermintz said.
“Pretty soon people and Twitter caught on and started securing things, and now they have things fairly secure, but for a while things were bad. My hope is that, by releasing this tool and drawing attention to this attack surface, we can bring attention to WebSocket security much earlier in its infancy.”
Tags: application security, BSidesLV, developers, penetration testing, secure coding, Security BSides, Socket Puppet, tools, training, WebSocket, Yair Silbermintz
Categories: Cyber Security
THIS POST WAS WRITTEN BY…
Anthony M Freed has contributed 48 posts to The State of Security.
Twitter @AnthonyMFreed
Google+ Anthony M Freed
Anthony M. Freed is Tripwire’s Community Engagement & Social Media Coordinator, and has a passion for translating security techno-babble into the language of enterprise risk abatement for the business class. Prior to joining the Tripwire team, Anthony was an infosec journalist and editor who authored numerous feature articles, interviews, and investigative reports which were sourced and cited by dozens of major media outlets. Born and bred in the greater Portland area, Anthony is an avid outdoorsman, foodie and music aficionado.