This year is full of extraordinary events and cybersecurity domains are not an exception. Massive WebSocket vulnerabilities are not so often discovered, we can say they are piece. But here is a new one, named CVE-2020-24807 was mentioned in a Socket.io advisory 6 days ago: https://github.com/advisories/GHSA-6495-8jvh-f28x
This file type restriction bypass vulnerability is technically an arbitrary file upload that might cause RCE (Remote Code Execution) exploitation affects socket-io-file packages version <= 2.0.31. The official NPM advisory https://www.npmjs.com/advisories/1564 also mentioned the core reason for the issue, which is obvious: file extension filtration done at the client-side, therefore, manual WebSocket message modification can easily allow to bypass it and upload any files, including executables. Not so hard, right?
But the narrowest thing is here: since socket.io is the most popular WebSockets framework for NodeJS, the package socket-io-file is a high-distributed across the Internet as well. And the second thing – there is no Load Balancers, API gateways, Web Application Firewalls, and API protection solution available on the market that can mitigate WebSockets threats. The best of them can only monitor WS protocol, but not block attacks.
Unlike legacy WAFs, Wallarm NGWAF natively supports WebSockets protocol since version 2.0 released back in 2016 https://lab.wallarm.com/we-are-thrilled-to-announce-a-new-release-of-wallarm-node-fb729bac8044/. As we can see, it was not a waste of our engineering time.
To check how Wallarm can prevent this threat, we intercepted WebSocket message by Burp Suite and added a malicious payload there:
Then we tried to send this message to a vulnerable NPM server protected by Wallarm Node proxy behind it. As expected, this attack was successfully blocked and the connection session between Burp and vulnerable socket-io application was terminated by Wallarm.
In the management web interface, this attack looks like an ordinary HTTP request sent by websocket/1.3 protocol:
To sum up, the WebSockets threats are real, and Wallarm NGWAF can mitigate them, unlike legacy WAF products. If you care about WebSockets, REST, or gRPC threats prevention, schedule your personal demo today: