Web Socket ASM support lior rotkovitch

BIG-IP v12.1 Application Security Manager
WebSocket
Created by ,
NPIE ASM
lior@f5.com
V1.0 March, 2016
@rotkovitch

© F5 Networks, Inc 2
• Intro to WebSocket
• ASM and WebSocket
• WebSocket violations
• WebSocket URL setting
• WebSocket in the request log
• WebSocket Learning and policy building
• Demo flow
Index

Intro to WebSocket
http://demo.kaazing.com/forex/
http://www.websocket.org/echo.html

• WebSocket provide simple framing layer on top of HTTP
• Key Benefits :
• Two-way communication
• Connections that are persistent
• Full-duplex.
• Low HTTP and TCP overhead
• WebSocket protocol is RFC 6455
WebSocket intro

WebSocket intro – Handshake and frames exchange
CLIENT SERVER
GET /chat HTTP/1.1
Host: server.example.com
Upgrade: Websocket
Connection: Upgrade
Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==
Origin: http://example.com
Sec-WebSocket-Protocol: chat, superchat
Sec-WebSocket-Version: 13
HTTP/1.1 101 Switching Protocols
Upgrade: Websocket
Connection: Upgrade
Sec-WebSocket-Accept: s3pPLMBiTxaQ9kYGzzhZRbK+xOo=
Sec-WebSocket-Protocol: chat
Websocket frame
Websocket frame
Websocket frame
Websocket close frame
Websocket close frame

WebSocket Demo
1
2
WS filter
http://www.websocket.org/echo.html

ASM is WebSocket aware
1. Can enforce the WebSocket handshake – RFC checks
2. Can enforce the payload of type :
• Plain text – signatures
• JSON – structure & signatures
• Binary - enforce length of frame size
And:
• Enforce fragmentation
• Allows WS and WSS
Note: must have WebSocket Profile on the Virtual IP
ASM & WebSocket

Enforcement Threat Prevented Mitigation
1 Handshake protocol correctness Server stack abuse. Enforce the mandatory headers and their well-formedness in request.
2 Cross-origin access Session riding/ CSRF Deny access to all requests coming from origins not in the
configured whitelist.
3 HTTP upgrade flood prevention Exhausting server socket
resources
Limit the RPS per WS/WSS URLs. We will use the same
limits as for all URLs in a VS, HTTP and WS alike.
4 Login enforcement Information leakage Enforce login session also for WS/WSS URLs.
Requires adding protocol (HTTP/S, WS/S) to the protected URLs
5 Attack signature detection XSS, SQL injection, command shell
injection and all other threats
signatures prevent
Look for parameter content attack signatures in each textual WS
message. If found, close the WebSocket with a Close message.
Request log will show the sent message
6 Illegal encoding and meta
characters
Exploit server stack Perform the following checks per textual message: Check UTF-8
encoding (mandated by RFC, no other encoding is allowed). Check for
illegal meta-characters. Check for null character
7 Enforce message masking Cache poisoning Enforce message masking for client textual messages in order to
avoid cache poisoning.
8 Limit message and frame size and
correctness of framing
Buffer overflow Limit message size, frame size and enforce correctness of framing
9 Enforce message structure in JSON
format
Exploit server stack
Buffer overflow
Apply JSON content profile per WS message with all possible
defenses including signatures and metacharacters.
10 Slow send/receive Exhaust server socket resources Limit the time for sending a message and time between messages.

WebSocket violations – Protocol compliance

Security ›› Application Security ›› Policy Building ›› Learning and Blocking Settings

• Bad WebSocket handshake request
• Failure in WebSocket framing protocol
• Mask not found in client frame
• Null character found in WebSocket text massage

• Bad WebSocket handshake request
• HTTP Version is 1.1
• “Upgrade” header appears once
• "Sec-WebSocket-Key“ has one occurrence and is base 64 encoded
• "Sec-WebSocket-Version“ has once occurrence and value of 13
• Evasion technique

• Failure in WebSocket framing protocol
• Continuing frame without start frame.
• Start frame without ending the previous message fragmentation (interleaving
fragmentation is not allowed!)
• Control frame with FIN flag off (i.e. attempt to fragment them).
• Control frame payload size is greater than 125.

• Mask not found in client frame
• Each frame should have a bit mask according to the RFC.
• Enforce the continuity of the frames by verifying the bit mask exists
• Client side
• Null character found in WebSocket text massage
• Null character inside message payload of type JSON and Text will be
enforce.
• Indifferent to “check message payload”

WebSocket URL Entities
Security ›› Application Security ›› Policy
Building ›› Learning and Blocking Settings
Policy Type Learn New WebSocket URL’s
Fundamental Never
Enhance Selective
Comprehensive Add all entities

1. Binary content found in text only WebSocket
2. Illegal WebSocket binary message length
3. Illegal WebSocket extension
4. Illegal WebSocket frame length
5. Illegal number of frame per message
6. Text content found in binary only WebSocket
WebSocket Violations - Payload

• Binary content found in text only WebSocket
• The WebScoket payload is defined as text but the
payload contains binary payload.

• Illegal WebSocket binary message length
• Binary message size enforce of 10000 bytes (default)

• Illegal WebSocket extension
• Protocol extensions: Per-message compression, Interleaved
message fragmentation, etc
• ASM can do the following for WebScoket extension :
o Remove headers – remove the extension header (default)
o Ignore – ignore the extension header (let then pass)
o Block – block request with WebSocket extension

• Illegal WebSocket frame length

• Illegal number of frames per message

• Text content found in binary only WebSocket

WebSocket URL configuration

Reviewing WebSocket message in the request log

Reviewing WebSocket message in the request log
Security ›› Event Logs ›› Application ›› Requests
1
2
3

WebSocket - Request log filtering
Security ›› Event Logs ›› Application ›› Requests

WebSocket - Request log filtering

WebSocket Handshake

WebSocket - Ping Pong

WebSocket - Close

WebSocket Demo

Leaning page for WebSocket

WebSocket URL

Leaning page for WebSocket

“Sec-WebSocket-Extensions”
WebSocket URL

WebSocket URL

Policy builder classification

JSON facts

Attack signatures on Web Socket

Web Sokcet Learning and attack signature

Override attack signature – false positive

• ASM support WebSocket protocol
• Enforce protocol compliance
• Enforce payload –
• Plane Text – attack signature , null
• JSON – structure and attack signature
• Binary – length
• New violations and setting for Web Scoket
• Policy builder can learn the URL and classify the WebSocket payload types.
• Request log display the communication between client and server
Summary

Web Socket ASM support lior rotkovitch

More Related Content

What's hot (20)

Similar to Web Socket ASM support lior rotkovitch (20)

More from Lior Rotkovitch (17)

Recently uploaded (20)

Web Socket ASM support lior rotkovitch