Skip to content

Instantly share code, notes, and snippets.

@srquinn21

srquinn21/README.markdown

Last active August 28, 2020 02:04
Show Gist options
  • Save srquinn21/3432e6c793a4277dfd830f40d9ee425d to your computer and use it in GitHub Desktop.
Save srquinn21/3432e6c793a4277dfd830f40d9ee425d to your computer and use it in GitHub Desktop.
Download ZIP
Cross Site WebSocket Hijacking Nginx Config
Raw
README.markdown

Notes

While researching possible Websocket vulnerabilities, I came across the "Cross Site WebSocket Hijacking" attack as documented here:

http://www.christian-schneider.net/CrossSiteWebSocketHijacking.html
https://www.notsosecure.com/how-cross-site-websocket-hijacking-could-lead-to-full-session-compromise/

TL;DR: Websockets, by spec, do not respect the browser's Same Origin Policy enforced for CORs and XHR requests. This means that a connection made in one browser tab can be hijacked in another browser tab similar to a typical XSS attack. In order to protect our services, we need to make sure that the Origin header matches the application's server name.

I've provided a nginx.conf file below that demonstrates how to check the Origin header. In addition to this config update, you'll also want to be sure to use a session token during your websocket handshake that is verified on the server for each connection. I suggest looking into JSON Web Tokens (JWT)

Raw
nginx.conf
# DENY all requests by default (PoLP)
set $websocket_same_origin_policy "DENY";
# ALLOW non-browser clients
if ($http_origin = "") {
set $websocket_same_origin_policy "ALLOW";
}
# ALLOW browsers with matching Origin header and ServerName
# (only browsers reliably set a truthful Origin header)
if ($http_origin = $scheme://$server_name) {
set $websocket_same_origin_policy "ALLOW";
}
location /ws {
# DENY any request that violates the Same Origin Policy
if ($websocket_same_origin_policy != "ALLOW") {
return 403;
}
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_pass http://localhost:3030;
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment