OWASP Global AppSec US 2021 has ended
Back To Schedule
Thursday, November 11 • 10:00am - 11:00am
We’re not in HTTP anymore: Investigating WebSocket Server Security

Sign up or log in to save this to your schedule, view media, leave feedback and see who's attending!

Feedback form is now closed.
While HTTP is the primary target of today’s web security research, the WebSockets protocol is extremely widespread. Since it was first created in 2010, WebSockets now appear in most web messaging platforms, finance websites, chat bots, real time mapping applications, and even the Kubernetes API. WebSocket servers are distinct from traditional web servers, but WebSocket servers have escaped the security scrutiny that traditional web servers have received.

Past security talks about WebSockets security have focused on the protocol itself or on proxy bypassing (smuggling). This talk will be the first to focus on WebSocket endpoints as targets, analyzing implementation-level differences in different open-source libraries. A new tool suite will be released to support future WebSockets research.

This talk will fill multiple gaps or roadblocks that have existed in the security research of WebSockets by providing 3 new open-source utilities to:

1. Discover WebSocket server endpoints (scanning 5,000+ URLs per second)
2. Fingerprint the WebSocket server (using identifiers discovered in the research being presented)
3. Detect vulnerable WebSocket servers using known exploit vectors

avatar for Erik Elbieh

Erik Elbieh

Security Researcher and Consultant, Palindrome Technologies
Erik Elbieh (OSCP) is a Security Researcher and Consultant at Palindrome Technologies, where he works on the latest in secure telecom solutions and cutting-edge technologies. Erik enjoys penetration testing nearly anything, from web apps to IoT gadgets to cloud environments, and he... Read More →

Thursday November 11, 2021 10:00am - 11:00am PST