Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Enhancing Security in a now.js/socket.io chat

A chat with nowjs or socket.io is one of the easiest exercises you can perform with them. I want to implement a multi-room chat (with a non-fixed number of rooms and logged users), using nowjs' Group objects.

I've not worked with WebSockets directly, yet, and I want to know what security concerns are there. For example, how often do I have to check for authentication?

Is it possible for an attacker to "hijack" a socket.io connection and how can I prevent it?

What other security traps are there to be concerned?

like image 785
Lanbo Avatar asked Dec 23 '11 16:12

Lanbo


People also ask

What is Socket.IO chat?

Socket.io is a javascript library that helps us to build real time web applications like chats and multiplayer games, without having to deal with all the complexity of web sockets.


1 Answers

Man-in-the-middle is certainly a consideration. The biggest security issue, though, would be XSS.

This useful SO thread suggests:

  1. socket.io 0.8 has referrer verification built in
  2. if chat is from known origin, block superfluous connections at the firewall

This very informative article suggests:

  1. don't trust the client
  2. use SSL encryption
  3. check the origin
  4. prevent XSS (sanitize client input!)
  5. don't assume it's a browser

This useful thread says to set secure:true on socket.io.connect(...)

I'd recommend taking all those suggestions :)

like image 108
Kato Avatar answered Sep 28 '22 15:09

Kato