MINING
2020-04-22 · @TIMMEDIN
TIM MEDIN
Founder, Red Siege Information Security
Red Team, Penetration Testing > 10 years
Kerberoast Inventor
Principal SANS Instructor
DerbyCon, ShmooCon, nullSingapore, …
WHAT IS METEOR?
Open-source JavaScript framework
Uses Node.js
Real-time framework
METEOR MATTERS
#1 rated web app framework on GitHub
DEVELOPER HAPPINESS
Does not come with whiskey!
WHAT ARE WEBSOCKETS
RFC 6455 in 2011
Provides full-duplex communications over a TCP connection
Also provides bidirectional communications
If the connection starts as HTTP or HTTPS, the switch to WebSocket is an upgrade: HTTP 101 Switching Protocols to ws:// or wss://
Currently supported by most browsers and servers
The application must also support it
WHAT ARE WEBSOCKETS
Designed for performance and convenience
Little security was built into the protocol
No authentication beyond the upgrade request is performed
HTTP cookie is passed over during the handshake
Same Origin Policy is not enforced
HACKING WEBSOCKETS
Lack of tools; automated scanners miss it
Manual tools:
• Burp can proxy WebSocket traffic
• OWASP ZAP can proxy and fuzz WebSocket traffic
• Chrome offers a WebSocket client and developer tools (F12)
METEOR CODE
JavaScript (or CoffeeScript)
Same language on the front and back end
Client-side rendering
No matching server-generated HTML with client JavaScript!
MONGO DATABASE
NoSQL format
Protection against traditional SQL injection (SQLi)
MANAGING DATA WITH DDP
Protocol based on JSON
Based on WebSockets and SockJS
Handles Remote Procedure Calls (RPC)
Manages Data
DDP MESSAGES
ref: https://meteorhacks.com/introduction-to-ddp/
```
// 1. client -> server: call the method
{"msg": "method", "method": "transferMoney", "params": ["1000USD", "arunoda", "sacha"], "id": "randomId-1"}
// 2. server -> client: the method's return value
{"msg": "result", "id": "randomId-1", "result": "5000USD"}
// 3. server -> client: all data changes caused by that method have been sent
{"msg": "updated", "methods": ["randomId-1"]}
```
SUBS & PUBS
Client – Data requested via subscription
Server – Pushes data via a publication
Client subscriptions map to user publications
Pub/sub can use additional params
MITIGATING ATTACKS
XSS – Output data is escaped by default
Mongo – No Traditional SQLi
CSRF – Server requests via specialized calls (normally)
SUBS & PUBS
Subscription (client):
```
Meteor.subscribe('myAccount', myAccountId);
```
Publication (server):
```
Meteor.publish('myAccount', function (myId) {
  return Accounts.find({ _id: myId });
});
```
SUBS & PUBS
The same data can be pushed by multiple publications
The publication can push too much data
• Too many fields
• Too many records
Look at the JavaScript console
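An added example, not code from the deck or from Meteor, putting the publication from the previous slide beside a hardened one that fixes both the ownership gap and the over-publishing (too many fields, too many records) described here. Meteor is not loaded: `find` and the `accounts` records are constructed stand-ins, and the publication handlers take the server context (`this` in a real `Meteor.publish` callback, with its `userId`) as an explicit first argument.

```javascript
// Constructed records; a real publication would query the Accounts collection.
const accounts = [
  { _id: 'acct-1', owner: 'alice', balance: 5000, ssn: '000-00-0001' },
  { _id: 'acct-2', owner: 'bob',   balance: 42,   ssn: '000-00-0002' },
];

// Stand-in for Accounts.find(selector, { fields }).fetch(): equality match on every
// selector key, then keep only whitelisted fields (_id is always included, as Mongo does).
function find(selector, options = {}) {
  const rows = accounts.filter(r => Object.keys(selector).every(k => r[k] === selector[k]));
  if (!options.fields) return rows;
  return rows.map(r => Object.fromEntries(
    Object.entries(r).filter(([k]) => k === '_id' || options.fields[k] === 1)));
}

// The publication from the slide. `myId` is whatever the client put in
// Meteor.subscribe('myAccount', ...): any client that learns or guesses an _id
// receives the whole record, every field, regardless of who is logged in.
function leakyPublication(ctx, myId) {
  return find({ _id: myId });
}

// Hardened: require a login, scope the query by the server-side userId (the one
// value the client cannot forge), and project only the fields the UI needs.
// In a real app the type check is check(myId, String) from Meteor's check package,
// which stops a selector object being passed where a string id is expected.
function hardenedPublication(ctx, myId) {
  if (!ctx.userId || typeof myId !== 'string') return [];
  return find({ _id: myId, owner: ctx.userId }, { fields: { balance: 1 } });
}

// Constructed scenario: Bob subscribes with Alice's account id.
console.log(leakyPublication({ userId: 'bob' }, 'acct-1'));      // full record, ssn included
console.log(hardenedPublication({ userId: 'bob' }, 'acct-1'));   // []
console.log(hardenedPublication({ userId: 'alice' }, 'acct-1')); // [{ _id: 'acct-1', balance: 5000 }]
```

What each variant returns is exactly what `CollectionName.find().fetch()` shows in the browser console, so the console view is a quick way to audit a publication's field list from the client side.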
METEOR < 1.4
Everything loaded into the global namespace
Apps on > 1.4, likely migrated from older code, may still be in the global namespace
CLIENT-SIDE LEAKAGE
The rendering and routing are done on the client
The client has to know what to load
The client has to know what data to request
COLLECTION NAMES
`Meteor.connection._mongo_livedata_collections`
COLLECTION NAMES
```
// Walk the globals and keep every Meteor collection (Meteor.Collection is the
// pre-1.0 name; newer code uses Mongo.Collection). Wrapped in a function so the
// return works when pasted into the console.
(function () {
  var cols = [];
  for (var globalObject in window) {
    if (window[globalObject] instanceof Meteor.Collection) {
      cols.push(window[globalObject]);
    }
  }
  return cols;
})();
```
COLLECTION DATA
`CollectionName.find().fetch()`
Fields may differ from record to record, so we might find a leak
EXTRACTING SUBSCRIPTIONS
`Meteor.connection._subscriptions`
EXTRACTING ROUTES
`Router.routes`
ATTACK AUTOMATION
Chrome Web Extension – DOM is accessible but JavaScript variables are not
Firefox Web Extensions – Based on Chrome’s Web Extensions…no go
Firefox Add-on – Variables are accessible, but dev environment is horrific
IE – LOL
TAMPERMONKEY
Allows access to the page (and JavaScript variables) via `unsafeWindow`
Access Meteor variables with `unsafeWindow.Meteor`
METEOR MINER DEMO
Demo goes here
Drink 'em if you got 'em, it appeases the demo gods
Tim Medin [email protected] @TimMedin
Offensive Services from Offensive Minds
Code https://github.com/nidem/MeteorMiner https://github.com/nidem/MeteorTodosGoat
Presentation http://bit.ly/2i3bP7v