Ijaws2014 - websockets, elb and security
PROXY protocol (30/07/2013)
1) Read the ELB documentation on enabling it with ‘aws elb’
PROXY PROTOCOL header fields (one line, space-separated):
- protocol (TCP4 or TCP6)
- remoteAddress (1.1.1.1)
- proxyAddress (2.2.2.2)
- remotePort (34567)
- proxyPort (80)
- terminated by \r\n
2) Use a library in your API to retrieve this information
Note: socket.io engine “polling” requires “Sticky Session”
Proof of concept
$ cat proxy.txt
PROXY TCP4 ijaws2014 ec2ip 80 80\r\nGET /x/ HTTP/1.1\r\nUser-Agent: curl/7.35.0\r\nHost: ec2ip\r\nAccept: */*\r\n\r\n\r\n
$ cat proxy.txt | nc ec2ip 80
OWASP Top 10 (2013)
A01 - Injection
A02 - Broken Authentication and Session Management
A03 - Cross-Site Scripting (XSS)
A04 - Insecure Direct Object References
A05 - Security Misconfiguration
A06 - Sensitive Data Exposure
A07 - Missing Function Level Access Control
A08 - Cross-Site Request Forgery (CSRF)
A09 - Using Components with Known Vulnerabilities
A10 - Unvalidated Redirects and Forwards