BIG IP v12.1 Application Security Manager - Web Socket

The document discusses how the F5 BIG-IP Application Security Manager (ASM) can provide security for WebSocket traffic. It covers topics like enforcing the WebSocket handshake, detecting protocol violations, configuring WebSocket URLs, and viewing WebSocket messages in the request log.

Uploaded by Lior Rotkovitch

BIG-IP v12.1 Application Security Manager

WebSocket
V1.0 March, 2016

Created by Lior Rotkovitch, NPIE ASM
[email protected]
@rotkovitch
Index

• Intro to WebSocket
• ASM and WebSocket
• WebSocket violations
• WebSocket URL setting
• WebSocket in the request log
• WebSocket Learning and policy building
• Demo flow

© F5 Networks, Inc 2
Intro to WebSocket

http://www.websocket.org/echo.html

http://demo.kaazing.com/forex/
WebSocket intro

• WebSocket provides a simple framing layer on top of an HTTP connection: the connection is opened with an HTTP handshake and then carries WebSocket frames
• Key benefits:
  • Two-way communication
  • Persistent connections
  • Full-duplex
  • Low HTTP and TCP overhead
• The WebSocket protocol is defined in RFC 6455
WebSocket intro – Handshake and frames exchange

Client → Server (handshake request):

GET /chat HTTP/1.1
Host: server.example.com
Upgrade: Websocket
Connection: Upgrade
Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==
Origin: http://example.com
Sec-WebSocket-Protocol: chat, superchat
Sec-WebSocket-Version: 13

Server → Client (handshake response):

HTTP/1.1 101 Switching Protocols
Upgrade: Websocket
Connection: Upgrade
Sec-WebSocket-Accept: s3pPLMBiTxaQ9kYGzzhZRbK+xOo=
Sec-WebSocket-Protocol: chat

After the handshake, both sides exchange WebSocket frames over the same TCP connection (data frames in either direction), and the session ends with a WebSocket close frame from one side that the peer answers with its own close frame.
WebSocket Demo

[Screenshots: (1) the echo test page, (2) the browser developer tools with the WS filter selected, showing the WebSocket frames]

http://www.websocket.org/echo.html
ASM & WebSocket

ASM is WebSocket aware

1. Can enforce the WebSocket handshake – RFC checks
2. Can enforce the payload by type:
   • Plain text – attack signatures
   • JSON – structure & attack signatures
   • Binary – enforce the frame size / message length
And:
   • Enforce fragmentation rules
   • Supports both WS and WSS

Note: a WebSocket profile must be attached to the Virtual IP
Enforcement / Threat Prevented / Mitigation

1. Handshake protocol correctness
   Threat prevented: server stack abuse.
   Mitigation: enforce the mandatory headers and their well-formedness in the request.

2. Cross-origin access
   Threat prevented: session riding / CSRF.
   Mitigation: deny access to all requests coming from origins not in the configured whitelist.

3. HTTP upgrade flood prevention
   Threat prevented: exhausting server socket resources.
   Mitigation: limit the RPS per WS/WSS URL. We will use the same limits as for all URLs in a VS, HTTP and WS alike.

4. Login enforcement
   Threat prevented: information leakage.
   Mitigation: enforce the login session also for WS/WSS URLs. Requires adding the protocol (HTTP/S, WS/S) to the protected URLs.

5. Attack signature detection
   Threat prevented: XSS, SQL injection, command shell injection and all other threats that signatures prevent.
   Mitigation: look for parameter-content attack signatures in each textual WS message. If found, close the WebSocket with a Close message. The request log will show the sent message.

6. Illegal encoding and meta characters
   Threat prevented: exploit of the server stack.
   Mitigation: perform the following checks per textual message: check UTF-8 encoding (mandated by the RFC, no other encoding is allowed); check for illegal meta-characters; check for the null character.

7. Enforce message masking
   Threat prevented: cache poisoning.
   Mitigation: enforce message masking for client textual messages in order to avoid cache poisoning.

8. Limit message and frame size and correctness of framing
   Threat prevented: buffer overflow.
   Mitigation: limit message size and frame size, and enforce correctness of framing.

9. Enforce message structure in JSON format
   Threat prevented: exploit of the server stack, buffer overflow.
   Mitigation: apply the JSON content profile per WS message with all possible defenses, including signatures and meta-characters.

10. Slow send/receive
   Threat prevented: exhausting server socket resources.
   Mitigation: limit the time for sending a message and the time between messages.
WebSocket violations – Protocol compliance
Security ›› Application Security ›› Policy Building ›› Learning and Blocking Settings
WebSocket violations – Protocol compliance

• Bad WebSocket handshake request
• Failure in WebSocket framing protocol
• Mask not found in client frame
• Null character found in WebSocket text message
WebSocket violations – Protocol compliance

• Bad WebSocket handshake request
  • HTTP version is 1.1
  • "Upgrade" header appears once
  • "Sec-WebSocket-Key" has one occurrence and is base64 encoded
  • "Sec-WebSocket-Version" has one occurrence and a value of 13
  • Evasion technique
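The handshake checks listed above, together with the request/response pair from the intro slide, as an added worked example (this is not F5's code and not how ASM implements the check): a small Python checker that applies the same criteria to a raw handshake request (HTTP/1.1, a single Upgrade header, a single base64 Sec-WebSocket-Key, a single Sec-WebSocket-Version of 13) and derives the Sec-WebSocket-Accept value the way RFC 6455 specifies. The sample request is the RFC 6455 example reused on the intro slide; the optional origin whitelist mirrors item 2 of the enforcement table, and the function names and the whitelist set are assumptions made here.

```python
import base64
import binascii
import hashlib

# Fixed GUID from RFC 6455, appended to the client key before hashing.
WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"

# Constructed sample: the handshake request shown on the intro slide (RFC 6455 example).
SAMPLE_REQUEST = (
    "GET /chat HTTP/1.1\r\n"
    "Host: server.example.com\r\n"
    "Upgrade: websocket\r\n"
    "Connection: Upgrade\r\n"
    "Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\n"
    "Origin: http://example.com\r\n"
    "Sec-WebSocket-Protocol: chat, superchat\r\n"
    "Sec-WebSocket-Version: 13\r\n"
    "\r\n"
)


def accept_key(client_key: str) -> str:
    """Sec-WebSocket-Accept = base64(SHA-1(key + GUID)); lets you verify a server reply."""
    digest = hashlib.sha1((client_key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def _is_base64_nonce(value: str) -> bool:
    """A valid Sec-WebSocket-Key is the base64 encoding of a 16-byte random nonce."""
    try:
        return len(base64.b64decode(value, validate=True)) == 16
    except (binascii.Error, ValueError):
        return False


def parse_request(raw: str):
    """Split a raw HTTP request head into (request line, [(lowercased name, value), ...])."""
    lines = raw.split("\r\n")
    headers = []
    for line in lines[1:]:
        if not line:  # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def check_handshake(raw: str, allowed_origins=None) -> list:
    """Return the list of handshake violations; an empty list means the request is acceptable."""
    request_line, headers = parse_request(raw)
    violations = []

    def values(name):
        return [v for n, v in headers if n == name]

    parts = request_line.split(" ")
    if len(parts) != 3 or parts[2] != "HTTP/1.1":
        violations.append("HTTP version is not 1.1")

    upgrade = values("upgrade")
    if len(upgrade) != 1 or upgrade[0].lower() != "websocket":
        violations.append("Upgrade header missing, repeated, or not 'websocket'")

    if not any("upgrade" in v.lower() for v in values("connection")):
        violations.append("Connection header does not include 'Upgrade'")

    key = values("sec-websocket-key")
    if len(key) != 1 or not _is_base64_nonce(key[0]):
        violations.append("Sec-WebSocket-Key missing, repeated, or not base64 of a 16-byte nonce")

    version = values("sec-websocket-version")
    if len(version) != 1 or version[0] != "13":
        violations.append("Sec-WebSocket-Version missing, repeated, or not 13")

    # Optional cross-origin check (enforcement table item 2): deny origins outside the whitelist.
    origin = values("origin")
    if allowed_origins is not None and origin and origin[0] not in allowed_origins:
        violations.append("Origin not in configured whitelist: " + origin[0])

    return violations


if __name__ == "__main__":
    print("violations:", check_handshake(SAMPLE_REQUEST, allowed_origins={"http://example.com"}))
    print("expected Sec-WebSocket-Accept:", accept_key("dGhlIHNhbXBsZSBub25jZQ=="))
```

Header names are compared case-insensitively, as HTTP requires, but the "appears once" rule is applied by counting occurrences, so a request that repeats Upgrade or Sec-WebSocket-Key to confuse a proxy is reported rather than silently taking the first or last value.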
WebSocket violations – Protocol compliance

• Failure in WebSocket framing protocol
  • Continuation frame without a start frame.
  • Start frame without ending the previous message's fragmentation (interleaved fragmentation is not allowed!)
  • Control frame with the FIN flag off (i.e. an attempt to fragment it).
  • Control frame payload size greater than 125 bytes.
WebSocket violations – Protocol compliance

• Mask not found in client frame
  • Each client frame must carry a mask according to the RFC.
  • ASM enforces the continuity of the frames by verifying that the mask bit is set on every frame
  • Client side only (per the RFC, only client-to-server frames are masked)

• Null character found in WebSocket text message
  • A null character inside a message payload of type JSON or Text is enforced.
  • Enforced regardless of the "check message payload" setting
WebSocket URL Entities

Security ›› Application Security ›› Policy Building ›› Learning and Blocking Settings

Policy type and its "Learn New WebSocket URLs" setting:
• Fundamental: Never
• Enhanced: Selective
• Comprehensive: Add all entities
WebSocket Violations - Payload

1. Binary content found in text only WebSocket
2. Illegal WebSocket binary message length
3. Illegal WebSocket extension
4. Illegal WebSocket frame length
5. Illegal number of frames per message
6. Text content found in binary only WebSocket
WebSocket Violations - Payload

• Binary content found in text only WebSocket
  • The WebSocket payload is defined as text, but the message contains a binary payload.
WebSocket Violations - Payload

• Illegal WebSocket binary message length
  • The binary message size is enforced; the default limit is 10000 bytes
WebSocket Violations - Payload

• Illegal WebSocket extension
  • Protocol extensions: per-message compression, interleaved message fragmentation, etc.
  • ASM can do the following with a WebSocket extension:
    o Remove headers – remove the extension header (default)
    o Ignore – ignore the extension header (let them pass)
    o Block – block the request that carries a WebSocket extension
WebSocket Violations - Payload

• Illegal WebSocket frame length

• Illegal number of frames per message

• Text content found in binary only WebSocket
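The framing-protocol, mask and null-character checks from the protocol-compliance slides, together with the frame-length, frames-per-message and binary-message-length limits named among the payload violations above, as one added worked example (not F5's code and not ASM's implementation): a Python frame parser plus a validator that walks a client-to-server byte stream and reports the violation names used on the slides. The frame layout follows RFC 6455; the 10000-byte binary message limit is the default stated on the slides, while the frame-length and frames-per-message defaults, the class and function names, and the sample frames are assumptions constructed here.

```python
import os
import struct

# Opcodes from RFC 6455; opcodes 0x8 and above are control frames.
OP_CONT, OP_TEXT, OP_BINARY, OP_CLOSE, OP_PING, OP_PONG = 0x0, 0x1, 0x2, 0x8, 0x9, 0xA


def encode_frame(opcode, payload, fin=True, mask=True):
    """Build one frame. Client frames must be masked; mask=False reproduces the violation."""
    n = len(payload)
    mask_bit = 0x80 if mask else 0
    head = bytes([(0x80 if fin else 0) | opcode])
    if n < 126:
        head += bytes([mask_bit | n])
    elif n < 65536:
        head += bytes([mask_bit | 126]) + struct.pack("!H", n)
    else:
        head += bytes([mask_bit | 127]) + struct.pack("!Q", n)
    if not mask:
        return head + payload
    key = os.urandom(4)  # 4-byte masking key, XORed over the payload
    return head + key + bytes(b ^ key[i % 4] for i, b in enumerate(payload))


def parse_frame(buf, pos=0):
    """Decode the frame at buf[pos]; return (fin, opcode, masked, payload, next_pos)."""
    b0, b1 = buf[pos], buf[pos + 1]
    fin, opcode = bool(b0 & 0x80), b0 & 0x0F
    masked, n = bool(b1 & 0x80), b1 & 0x7F
    pos += 2
    if n == 126:
        n = struct.unpack("!H", buf[pos:pos + 2])[0]
        pos += 2
    elif n == 127:
        n = struct.unpack("!Q", buf[pos:pos + 8])[0]
        pos += 8
    key = b""
    if masked:
        key, pos = buf[pos:pos + 4], pos + 4
    payload = buf[pos:pos + n]
    if masked:
        payload = bytes(b ^ key[i % 4] for i, b in enumerate(payload))
    return fin, opcode, masked, payload, pos + n


class ClientFrameValidator:
    """Applies the framing, mask, null-character and size checks to a client-to-server stream.
    10000-byte binary messages is the default from the slides; the other two limits are
    placeholders chosen for this example."""

    def __init__(self, max_frame_len=4096, max_frames_per_message=8, max_binary_message=10000):
        self.max_frame_len = max_frame_len
        self.max_frames = max_frames_per_message
        self.max_binary = max_binary_message
        self._reset()

    def _reset(self):
        self._opcode, self._parts, self._count = None, [], 0  # message being assembled

    def feed(self, buf):
        """Return the list of violation names raised by the frames in buf (empty = clean)."""
        found, pos = [], 0
        while pos < len(buf):
            fin, opcode, masked, payload, pos = parse_frame(buf, pos)
            if not masked:
                found.append("Mask not found in client frame")
            if len(payload) > self.max_frame_len:
                found.append("Illegal WebSocket frame length")
            if opcode >= OP_CLOSE:  # control frame: never fragmented, never part of a message
                if not fin:
                    found.append("Failure in WebSocket framing protocol: control frame with FIN off")
                if len(payload) > 125:
                    found.append("Failure in WebSocket framing protocol: control frame payload > 125")
                continue
            if opcode == OP_CONT:
                if self._opcode is None:
                    found.append("Failure in WebSocket framing protocol: continuation without start frame")
                    continue
            else:
                if self._opcode is not None:  # interleaved fragmentation is not allowed
                    found.append("Failure in WebSocket framing protocol: start frame while previous message is fragmented")
                self._reset()
                self._opcode = opcode
            self._parts.append(payload)
            self._count += 1
            if self._count > self.max_frames:
                found.append("Illegal number of frames per message")
            if fin:
                found += self._check_message(self._opcode, b"".join(self._parts))
                self._reset()
        return found

    def _check_message(self, opcode, data):
        """Whole-message checks once the final fragment has arrived."""
        found = []
        if opcode == OP_TEXT:
            if b"\x00" in data:
                found.append("Null character found in WebSocket text message")
            try:
                data.decode("utf-8")  # RFC 6455 mandates UTF-8 for text messages
            except UnicodeDecodeError:
                found.append("Illegal encoding: text message is not UTF-8")
        elif opcode == OP_BINARY and len(data) > self.max_binary:
            found.append("Illegal WebSocket binary message length")
        return found
```

Per-frame checks (mask, frame length, control-frame rules) fire as each frame is parsed, while the null-character, UTF-8 and binary-length checks wait for the final fragment, because a null byte or an oversized message can only be judged on the reassembled payload; this mirrors why the slides list "frame length" and "binary message length" as separate violations.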
WebSocket URL configuration

Reviewing WebSocket messages in the request log
Security ›› Event Logs ›› Application ›› Requests

WebSocket - Request log filtering
Security ›› Event Logs ›› Application ›› Requests

WebSocket Handshake

WebSocket - Ping Pong

WebSocket - Close

WebSocket Demo

Learning page for WebSocket

WebSocket URL

Learning page for WebSocket

WebSocket URL
"Sec-WebSocket-Extensions"

Policy builder classification

JSON facts

Attack signatures on WebSocket

WebSocket Learning and attack signature

Override attack signature – false positive
Summary

• ASM supports the WebSocket protocol
  • Enforces protocol compliance
  • Enforces the payload:
    • Plain text – attack signatures, null character
    • JSON – structure and attack signatures
    • Binary – length
• New violations and settings for WebSocket
  • Policy builder can learn the URLs and classify the WebSocket payload types.
  • The request log displays the communication between client and server