OWASP Global AppSec US 2021

While HTTP is the primary target of today’s web security research, the WebSockets protocol is extremely widespread. Since it was first created in 2010, WebSockets now appear in most web messaging platforms, finance websites, chat bots, real time mapping applications, and even the Kubernetes API. WebSocket servers are distinct from traditional web servers, but WebSocket servers have escaped the security scrutiny that traditional web servers have received.

Past security talks about WebSockets security have focused on the protocol itself or on proxy bypassing (smuggling). This talk will be the first to focus on WebSocket endpoints as targets, analyzing implementation-level differences in different open-source libraries. A new tool suite will be released to support future WebSockets research.

This talk will fill multiple gaps or roadblocks that have existed in the security research of WebSockets by providing 3 new open-source utilities to:

1. Discover WebSocket server endpoints (scanning 5,000+ URLs per second)
2. Fingerprint the WebSocket server (using identifiers discovered in the research being presented)
3. Detect vulnerable WebSocket servers using known exploit vectors