Lucene search

K
hackeroneArnonymousH1:178990
HistoryOct 30, 2016 - 7:17 p.m.

Legal Robot: The websocket traffic is not secure enough

2016-10-3019:17:43
arnonymous
hackerone.com
4

‘Cross-Site WebSocket Hijacking’ is possible, because the websocket connection is not secure (enough).
The traffic from and to the websocket can be sniffed with Chrome (see attachment), and replayed elsewhere (cross-domain). Explanation: https://www.christian-schneider.net/CrossSiteWebSocketHijacking.html

Steps:
After opening the homepage (https://app.legalrobot-uat.com) a websocket is created after a HTTP request like: https://app.legalrobot-uat.com/sockjs/689/k287_2tz/websocket, with a HTTP101 (switching protocols) response, resulting in a connection wss://app.legalrobot-uat.com/sockjs/689/k287_2tz/websocket.

This (upgrade) request can be called from an external origin.
{F131186}

After knowing the websocket URL, messages (captured in chrome) can be successfully sent.

For example:
Open a session: [“{"msg":"connect","version":"1","support":["1","pre2","pre1"]}”]
Ping: [“{"msg":"ping"}”]
Login: [“{"msg":"method","method":"login","params":[{"user":{"email":"[email protected]"},"password":{"digest":"082a7a2a81c2733fd03567e47e0b6d9f09d32ec80065bda9c5cd34dd1c4f9edf","algorithm":"sha-256"}}],"id":"7"}”]
It is also unnecessary, to include the password algorithm in the login message (which can be encrypted with: http://md5decrypt.net/en/Sha256/)

A successful test with above messages using: http://ironwasp.org/cswsh.html (an online test tool).
{F131189}

Suggestions to fix:

  • Check the origin from the requester server-side and adjust the Origin header for the ‘upgrade’ request.
  • Add additional ‘CSRF tokens’.
  • Encrypt messages, so they cannot be intercepted in Chrome

Additional references:
https://www.notsosecure.com/how-cross-site-websocket-hijacking-could-lead-to-full-session-compromise/
https://www.owasp.org/index.php/Testing_WebSockets_(OTG-CLIENT-010)
https://humblesoftwaredev.wordpress.com/2016/08/01/securing-websocket-sockjs-connection/