WSSiP: A WebSocket Manipulation Proxy

Written by: Samantha Chalker


WSSiP is a tool for viewing, interacting with, and manipulating WebSocket messages between a browser and web server.

WebSockets are a newer option for client-side JavaScript code: the browser connects to the web server and signals that the connection should be a persistent TCP connection. As defined by IETF RFC 6455, the goal of WebSockets is to “provide a mechanism for browser-based applications that need two-way communication with servers that does not rely on opening multiple HTTP connections (e.g., using XMLHttpRequest or <iframe>s and long polling).” The final draft of the specification was published in December 2011. Data is dispatched in “messages” that can be sent either as regular ASCII text or as raw binary.

All modern browsers have full support for WebSockets. As WebSocket use is expected to become more common in the near future, better tools for testing are needed. A tool that can help debug and fuzz without relying on complicated and time-consuming methods would be especially useful. For example, Burp Suite only displays the history of all WebSocket messages in one tab and can intercept messages, but you cannot send your own. Other intercepting proxies are either a bit complicated to use, are just starting to implement this feature, or do not implement WebSocket debugging at all. Some of NCC Group’s consultants have had to manually fiddle with browser developer tools in order to send messages and test, which made testing clients’ software more time-consuming.

WSSiP aims to solve that problem. This tool complements other intercepting proxies by providing a user interface to capture, intercept, and send messages and view all communications between client and server. It includes support for an upstream proxy, allowing it to be part of a multi-proxy chain between browser and web server, concentrating on WebSockets while leaving more typical HTTP interception to other tools such as Burp Suite or Pappy Proxy.

WSSiP is programmed in and runs on Node.js 7.0+. It uses Electron for the application interface, and React & Material UI for the user interface inside the application.

Installing

WSSiP can be launched in one of three ways. The first is to download and run a pre-compiled binary for Windows, Mac OS X or Linux. These can be found on the GitHub Release page.

The second is to install via npm:

npm install -g wssip

Installing WSSiP via npm allows the wssip command to be run in the command line to open up the application.

The third is to download the source from GitHub and follow the instructions in the README.

Example

For an example of how WSSiP works, we’re going to use the example chat from Socket.io. First, we launch WSSiP:

And then using Autochrome, we navigate to http://localhost:3000 where the Socket.io Chat example is hosted and enter in the name “Person1”:

Looking back at WSSiP, which is being connected to by Autochrome, a new connection is added under our Active Connections tab:

Clicking on the connection will open up the History, Custom, and Intercept tabs for the WebSocket connection. Here you can select an individual message to view the contents of what was sent, in what direction, etc.:

Now, let’s open up a vanilla Chrome instance and open up the Socket.io chat example hosted on localhost:3000, the same one that Person1 is using, and enter in “Person2” as a name.

Back to our Autochrome instance; some test data:

Because we want to interact with the test chat from our client, we’ll mimic the “send message to room” data that Socket.io was sending to the server:
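
As an added example (not part of the original post and not WSSiP's own code), the sketch below decodes the text frames a Socket.IO client sends over a WebSocket and builds one by hand, which is the step needed before typing a custom message into a proxy. The event names `add user` and `new message` are assumed from the Socket.io chat example, the sample frames are constructed, and binary attachments are not handled.

```javascript
// Added example: read and build Socket.IO text frames as they appear in a
// WebSocket proxy's history. Binary attachments are deliberately not handled.
const EIO = ['open', 'close', 'ping', 'pong', 'message', 'upgrade', 'noop'];
const SIO = ['CONNECT', 'DISCONNECT', 'EVENT', 'ACK', 'ERROR',
             'BINARY_EVENT', 'BINARY_ACK'];

// Frame layout: <engine.io type><socket.io type>[/namespace,][ack id][JSON]
function decodeFrame(text) {
  if (typeof text !== 'string' || !/^[0-6]/.test(text)) {
    throw new Error('not an Engine.IO text packet');
  }
  const eio = EIO[Number(text[0])];
  if (eio !== 'message') return { eio, data: text.slice(1) };

  const m = /^([0-6])(?:(\/[^,]*),)?(\d+)?([\s\S]*)$/.exec(text.slice(1));
  if (!m) throw new Error('malformed Socket.IO packet');
  const [, type, nsp = '/', id, json] = m;
  const sio = SIO[Number(type)];
  if (sio.startsWith('BINARY')) throw new Error('binary packets not handled');

  const out = { eio, sio, nsp };
  if (id !== undefined) out.id = Number(id);
  const payload = json ? JSON.parse(json) : undefined;
  if (sio === 'EVENT') {
    if (!Array.isArray(payload) || typeof payload[0] !== 'string') {
      throw new Error('EVENT payload must be [name, ...args]');
    }
    out.event = payload[0];
    out.args = payload.slice(1);
  } else {
    out.data = payload;
  }
  return out;
}

// Build the text frame for an event, ready to paste into a proxy's send box.
function encodeEvent(event, args = [], nsp = '/') {
  return '42' + (nsp === '/' ? '' : nsp + ',') + JSON.stringify([event, ...args]);
}

// Constructed sample history (event names assumed from the Socket.io chat demo).
const history = ['40', '42["add user","Person1"]', '2', '3',
                 '42["new message","some test data"]'];
function summarize(frames) {
  return frames.map((f) => {
    const d = decodeFrame(f);
    return d.sio === 'EVENT' ? `${d.event}(${JSON.stringify(d.args)})` : d.sio || d.eio;
  });
}
console.log(summarize(history));
console.log(encodeEvent('new message', ['HELLO FROM WSSIP']));
```
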

While the “HELLO FROM WSSIP” message doesn’t quite appear in our Autochrome instance, the vanilla Chrome user will immediately see:

Finally, what happens when we close our Autochrome connection and, thus, the WebSocket connection? The WebSocket connection is simply moved to the “Inactive Connections” tab, where we can still review the message history:

Conclusion

WSSiP represents a great asset to debugging and fuzzing WebSocket connections. As this tool is used in more assessments, there may be unexpected bugs that arise from using WSSiP, and I encourage you to file a bug report in the Issues section of the WSSiP GitHub repository. Additionally, features such as saving to and loading from a file for existing connections and their message history are still a work in progress and will come in a future version.


For more information on the WebSocket RFC specification, see RFC 6455.


Originally published at www.nccgroup.trust.
