Session ID in URL Rewrite #3416
Comments
I have the same problem and same questions...
I got the security report of "Session ID sent in URL Rewrite":
and recommendation:
Any help is appreciated.
@kumangxxx @yangpu @gasnier did anyone look at https://www.npmjs.com/package/socketio-auth and did it help?
The last line of the recommendation is key. I think it's best practice to ensure the cookie with the sid is set alongside the sid in the URL rewrite. You can enable cookies according to this example:
any news?
To shed some light on this:
If the client is in HTTP long-polling mode, if you have access to the sid, you can indeed publish messages on behalf of the user. Reproducible example:

```js
const socket = require("socket.io-client")("http://localhost:3000", {
  transports: ["polling"]
});
socket.on("connect", () => {
  console.log(socket.io.engine.id); // prints something like "l9IoONULqVPQYa0DAAAA"
});
```

And then run:
You can't read messages though, as the connection will be closed (only one read request is accepted per connection):
If the client is connected with WebSocket, any HTTP request with the given sid will be denied:
We could indeed move the sid to the request headers for HTTP long-polling, but that wouldn't work for WebSocket, as the WebSocket browser API does not allow for custom headers.
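The cookie binding suggested above (the last line of the ZAP recommendation, and the maintainer's point that a leaked sid is only usable in HTTP long-polling mode), as an added example that is not socket.io's code nor any commenter's. It assumes engine.io's `cookie` option is enabled, so the handshake response sets an `io` cookie whose value is the sid, and that the check runs at a layer in front of the engine (a reverse proxy or an HTTP handler that sees the request first); the request objects in the comments are constructed samples.

```javascript
// Added example, not socket.io's own code. Assumption: engine.io's `cookie`
// option is enabled, so the long-polling handshake response carries
// `Set-Cookie: io=<sid>`. A sid that leaks through the URL (access logs,
// Referer, browser history) then cannot be replayed by a client that lacks
// the cookie, because cookies are never part of the URL.

// Parse a Cookie request header into a name -> value map.
function parseCookies(header) {
  const out = {};
  for (const part of (header || "").split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    const raw = part.slice(idx + 1).trim();
    if (!name) continue;
    try { out[name] = decodeURIComponent(raw); } catch (e) { out[name] = raw; }
  }
  return out;
}

// Decide whether a Socket.IO HTTP request may reach the engine.
// `req` only needs { url, headers } (the shape of Node's IncomingMessage).
// Returns { allowed, reason }:
//   no sid in query      -> new handshake, allow (the server will set the cookie)
//   sid but no io cookie -> reject: looks like a replayed or leaked sid
//   cookie != sid        -> reject: the sid belongs to another session
function checkSidCookieBinding(req, cookieName = "io") {
  // Base URL is a placeholder; only the query string matters here.
  const url = new URL(req.url, "http://placeholder.invalid");
  const sid = url.searchParams.get("sid");
  if (!sid) return { allowed: true, reason: "handshake" };
  const cookies = parseCookies(req.headers && req.headers.cookie);
  if (!(cookieName in cookies)) return { allowed: false, reason: "missing cookie" };
  if (cookies[cookieName] !== sid) return { allowed: false, reason: "cookie/sid mismatch" };
  return { allowed: true, reason: "bound" };
}

// Wiring as a plain Node-style (req, res, next) handler placed in front of the
// engine (assumption: this handler runs before socket.io sees the request).
function guard(req, res, next) {
  const verdict = checkSidCookieBinding(req);
  if (verdict.allowed) return next();
  res.statusCode = 403;
  res.end("forbidden: " + verdict.reason);
}
```

Caveat: the `io` cookie is one per origin and is rewritten on every handshake, so a browser holding several concurrent polling connections to the same server would fail the strict equality check for its older connections; in that case relax the check to cookie presence, or bind the sid to a session cookie your application controls.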
Closed due to inactivity, please reopen if needed.
You want to:
Current behaviour
socket.io will add ?sid= to the url when trying to connect
Steps to reproduce (if the current behaviour is a bug)
Normal use of socket.io client for javascript
Expected behaviour
Can we move the sid to header ?
Other information (e.g. stacktraces, related issues, suggestions how to fix)
Context:
We ran a pen test against our socket app using ZAProxy. One of the alerts we got is this:
adding sid to url is problematic according to zaproxy.
my url is like this:
can someone explain the security risk if someone can get other people's sid ?
can it be used to listen/publish or get older messages ?
can we move the sid to Header ?
thanks