Hi, I'm trying to understand how this handshake works and JWT. So I have something like a web page where a user can go and log in. Then I create a JWT, so when I make a request to the server I use this token to verify the user. I would like to create a websocket connection and use this token as well, so I did the server like this

var server = app.listen(3000, function(){
    console.log('Server listening on', 3000);
});
require('./websockets').connect(server);

In that file websockets.js I have

var ws = require('ws')
var url = require('url')
var jwt = require('jwt-simple')
var config = require('./config')
var clients = {};   // token -> socket; an object rather than an array, since the keys are token strings

exports.connect = function(server){

    var wss = new ws.Server({server:server});
    wss.on('connection', function(ws){

        var location = url.parse(ws.upgradeReq.url, true);
        var token = location.query.token;
        var user;

        console.log( ws.upgradeReq.headers );
        console.log( 'New connection.' );

        try {
            user = jwt.decode( token, config.secret );   // throws if the signature does not verify
        } catch (err) {
            console.log( 'Authentication failed.' );
            ws.close();
            return;   // without this return the unauthenticated socket was still registered below
        }

        clients[token] = ws

        ws.on('message', function(data, flags) {
            console.log( ws.upgradeReq.headers );
            console.log( data )
        });

        ws.on('close', function(){
            delete clients[token]   // _.remove(clients, token) searched an array; the map is keyed by token
            console.log('User disconnect:' + user.username);
        })
    })
}

So the problem is that if I log in in the browser and copy that token which is in the headers, I can connect to the server from a different terminal using wscat. So I was trying to understand how that handshake works and whether it can help me to prevent this.

So my idea was to get this from the header, MTMtMTQ0Mjk1OTI3NjY1NA==

  connection: 'Upgrade',
  upgrade: 'websocket',
  host: 'localhost:3000',
  'sec-websocket-version': '13',
  'sec-websocket-key': 'MTMtMTQ0Mjk1OTI3NjY1NA==',
  'sec-websocket-extensions': 'permessage-deflate; client_max_window_bits'

add it against the client and in each call from the client check if that value is the same, but I'm not sure if that's the right way. I can't understand it very well, so if someone can explain that would be great, or what I can use to prevent this hijacking if I don't have an SSL connection.

Alex
  • https://en.wikipedia.org/wiki/WebSocket - The `sec-websocket-key` is `intended to prevent a caching proxy from re-sending a previous WebSocket conversation,[24] and does not provide any authentication, privacy or integrity.` How are you authenticating your WS connection? – SilverlightFox Sep 23 '15 at 14:38
  • First, thank you for your comment. The authentication is happening on the web, where I make a request to the API, which returns that JWT; then I'm adding this token to the HTTP headers so every other request has this token. In my app I have a middleware where I check if the token is valid. So I would like to have a web socket as well, so I did attach one to my express server. So if someone wants to connect to the socket it would need a token, which is passed with the query. So is that the right way or am I missing something? And the problem is that I can connect with that token from 10 different terminals. – Alex Sep 23 '15 at 17:03
  • Does your JWT get sent down the socket and is it authenticated on your back-end? – SilverlightFox Sep 24 '15 at 07:44
  • Yes, I think so, I do it like this `wscat -c ws://localhost:3000/?token=eyJ0eXAiOiJKV1QiLCJhbGciO.....`; this token is generated when I log in on the web, I just copy it and I'm using it to connect to the socket through my terminal. On connect I'm getting this one and decoding it; if it is not OK I'm closing the connection. But that token is always OK, no matter from how many terminals I'm going to connect to the server with it. So I was thinking, when I make the 1st connection, to use `sec-websocket-key` against the token, and if someone tries the same token to prevent the connection. Is that OK? – Alex Sep 24 '15 at 08:23
  • It shouldn't be a problem if a user can grab the token and use it themselves - they can only attack their own sessions. The Same Origin Policy will prevent another domain from grabbing the token used. – SilverlightFox Sep 24 '15 at 08:27
  • Thank you, again I think I will do that origin policy check as well. Do you know any good resource where I can learn more about websocket auth and security? I was searching in Google but can't find any clear article. – Alex Sep 24 '15 at 09:27
  • Try this: https://www.christian-schneider.net/CrossSiteWebSocketHijacking.html – SilverlightFox Sep 24 '15 at 09:29
