Menu
I'm currently considering CSRF vulnerabilities in websockets.
I've already blocked all cross-domain websocket requests, however there exist scripts (such as this python bad boy) to get around such security measures.
Is it worth including a token in the user's index.html, which must be included in the socket.io.connect() call as a query string? This way on the server we can check that the token is what we expected, and block the connection request otherwise.
Thanks for all the advice!
669
CSRF tokens prevent CSRF because without token, attacker cannot create a valid requests to the backend server. For the Synchronised Token Pattern, CSRF tokens should not be transmitted using cookies. The CSRF token can be transmitted to the client as part of a response payload, such as a HTML or JSON response.
You should strongly prefer the secure wss:// protocol over the insecure ws:// transport. Like HTTPS, WSS (WebSockets over SSL/TLS) is encrypted, thus protecting against man-in-the-middle attacks. A variety of attacks against WebSockets become impossible if the transport is secured.
A successful cross-site WebSocket hijacking attack will often enable an attacker to: Perform unauthorized actions masquerading as the victim user. As with regular CSRF, the attacker can send arbitrary messages to the server-side application.
In the case of GET requests, it prevents JavaScript to read the response data. This also applies in the case when page B is embedded as an <iframe> on the page A. Cross-Origin Resource Sharing (CORS) is not a CSRF prevention mechanism.
Why don't you setup an authorization handler for your socket.io connections? You can decline / accept connections in there based on information that has been gathered during the handshake.
See https://github.com/LearnBoost/socket.io/wiki/Authorizing for more detailed information about this.
137
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
