This year is full of extraordinary events, and cybersecurity is no exception. Serious WebSocket vulnerabilities are not discovered often; they are a rarity. But here is a new one, CVE-2020-24807, which was published in an advisory 6 days ago:

This file type restriction bypass is technically an arbitrary file upload that can lead to RCE (Remote Code Execution). It affects the socket-io-file package in versions <= 2.0.31. The official NPM advisory also names the root cause, which is an obvious one: the file extension filtering is done on the client side only. A user who edits the WebSocket message by hand bypasses it completely and can upload any file, including executables. Not so hard, right?

But the worst part is this: since socket.io is the most popular WebSockets framework for NodeJS, the socket-io-file package is widely deployed across the Internet as well. And second, to our knowledge no Load Balancer, API gateway, Web Application Firewall, or API protection solution on the market mitigates WebSockets threats. The best of them can only monitor the WS protocol, not block attacks.

Unlike legacy WAFs, Wallarm NGWAF has supported the WebSockets protocol natively since version 2.0, released back in 2016. As we can see, that engineering time was not wasted.

To check how Wallarm prevents this threat, we intercepted the WebSocket upload message with Burp Suite and replaced the file with a malicious payload:

WebSocket message by Burp Suite

Then we sent this message to a vulnerable socket-io-file server with a Wallarm Node deployed as a proxy in front of it. As expected, the attack was blocked and the WebSocket session between Burp and the vulnerable socket-io application was terminated by Wallarm.

In the management web interface, this attack looks like an ordinary HTTP request, with the protocol shown as websocket/1.3:

HTTP request sent by websocket/1.3 protocol

To sum up, WebSockets threats are real, and Wallarm NGWAF can mitigate them, unlike legacy WAF products. If you care about preventing WebSockets, REST, or gRPC threats, schedule your personal demo today: