What are WebSockets and How do Hackers Exploit Them? How does Feroot Security Inspector Protect Customers?

16 September 2021

Today, we released an important update to our Feroot Security Inspector solution. We’re super excited to now include WebSockets protection in our broad repertoire of client-side security benefits. 

Inspector is now able to detect “if, when, and where” a threat actor is exploiting vulnerabilities in the WebSockets protocol to exfiltrate data. Our customers are now able to:

  • See unauthorized data transfer and take action if threat actors are using WebSockets to steal data by reviewing the Inspector Access Insights Report or by responding to automated alerts. 
  • Review contextual information on the actual data being transferred via Websockets, including specific “frames” or “messages” that were “caught” while the data exfiltration was taking place. 
  • Completely stop WebSocket-based attacks in real-time. With this additional detection capability, Feroot Inspector is effectively closing out threat actors’ ability to hide their attacks within the WebSocket protocol.

Why is this an important feature to add to your client-side security repertoire? Well, let me first explain everything you need to know about WebSockets and how cyber threat actors might use them to breach your networks or steal customer data from your client-side websites and web applications. I’ll also walk you through WebSocket vulnerabilities and attacks, and what WebSocket security measures you can deploy to protect your business.

What is a WebSocket?

Simply put, a Websocket is a computer communication protocol that creates a continuous connection between the client and the server. WebSockets open up bidirectional communication channels that operate over HTTP through one TCP/IP WebSocket connection. WebSockets essentially allow your client-side web applications to send and receive messages directly with your server-side applications. 

Are WebSockets Secure?

Generally speaking, WebSockets are secure. However, they can’t prevent man-in-the-middle attacks. Feroot Security and our customers have seen an increase in client-side cyber attacks where the attacker is taking advantage of WebSocket vulnerabilities to breach networks and collect private information entered on the client-side while it is travelling to the server-side. 

What are the Main WebSocket Attacks? 

There are dozens of WebSocket attacks threat actors use to steal data or breach networks. The following attacks are the main ones Feroot Security has observed being used by threat actors in the wild.

WebSocket Authorization/Authentication Attacks

WebSockets don’t manage authorization and authentication. Application-level protocols should handle this separately, especially when sensitive data is being transferred. The WebSocket protocol also doesn’t let servers authenticate the client during the handshake process. So, threat actors hunt for mismanaged authorization and authentication in order to circumvent a business’s security controls and start stealing data. 

Sniffing and Skimming Attacks

WebSockets trade data in plain text, in the same way as HTTP does. This makes the data extremely easy for threat actors to steal using packet sniffers. Packet sniffers are essentially a specific form of e-skimming attack. Detecting WebSocket vulnerabilities in web applications and pages is a tedious manual task. Application developers and cybersecurity professionals need to ensure that they are using the WebSocket Secure (wss://) protocol to ensure that data is being encrypted using transport layer security (TLS). 

Tunneling and Cross-site Scripting Attacks

Anybody can use WebSockets to tunnel into a TCP service. Cross-site scripting (XSS) is a popular client-side attack that frequently evolves into a tunneling attack. Threat actors love to deploy cross-site scripting attacks, during which they inject malicious scripts into websites. By sending malicious scripts from web applications to different users, threat actors can create database connections directly through the browser. The net outcome is that they have direct access to data and can start collecting it and using it at will. 

DoS Attacks

Depending on how a business uses Websockets and how they are deployed, WebSockets can allow an unlimited number of connections to run between the client-side and the server-side. If a threat actor manages to get a hold over WebSockets, they can easily run a DoS attack, flooding servers to exhaust computing resources and slow down web applications and pages. The net outcome is that your customers either can’t do business with you, or can only do business with you slowly. Website and web application speed is extremely important. If doing business with you becomes a slow chore, customers will jump very quickly to your competitors. 

WebSockets are pretty versatile in their use. But they are risky. Once a connection is established, it never closes and messages can be sent and received indefinitely. Application developers and security teams need to understand these types of attacks and keep a close eye on their WebSocket implementation. They also need to follow a few simple WebSocket security approaches. 

What WebSocket Security Measures Exist?

WebSocket security measures might be a bit of a misnomer. They rather should be categorized as a specific type of application security or cybersecurity hygiene. Here are the main ones to implement and continuously nurture:

  • Always use WebSockets over TLS (wss://).
  • Make sure to check the origin header during the handshake process and use the Access-Control-Allow-Origin header on the server side.
  • Protect the handshake against CSRF attacks using Nonce/CSRF tokens.
  • Consistently deploy and enforce authentication best-practices for WebSockets.
  • Make sure to deploy data model input validation of messages in both directions from the client to server, and from server to client.
  • Always encode the output of messages when embedded in the web application.
  • … ahem… deploy Feroot Security Inspector to monitor for malicious hosts in third-party code that use WebSocket connections, monitor for data exfiltration happening via WebSockets, and receive alerts and context to repair WebSocket issues. 

Really, it all comes down to following the Zero Trust approach when using WebSockets. Do not blindly trust incoming data, always validate it. 

Next Steps

Implementing effective client-side security is crucial to ensure the safety of your customer data and your business. Having the proper security measures in place to protect your WebSockets is just one small piece of the puzzle. Staying 100% aware of your client-side attack surface, that is, the attack surface outside of the traditional security perimeter, is paramount. When building a client-side security program, it is critical to understand WebSockets, how they might open you up to data exfiltration, and what you can do to secure them. I would like to encourage you to check out our Inspector and PageGuard products. They can definitely help you manage Websocket security and the broad spectrum of client-side attacks.

Free Assessment

Security for Everyone that Visits Your Website

Find out if your web application is hiding vulnerable, malicious, or dangerous code that could damage your customers and your business. No payment information required.