International Conference on Security and Privacy in Communication Systems

Security and Privacy in Communication Networks pp 401-417

Why Web Servers Should Fear Their Clients

Abusing Websockets in Browsers for DoS
Conference paper

DOI: 10.1007/978-3-319-28865-9_22

Part of the Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering book series (LNICST, volume 164)
Cite this paper as:
Rodriguez J.D.P., Posegga J. (2015) Why Web Servers Should Fear Their Clients. In: Thuraisingham B., Wang X., Yegneswaran V. (eds) Security and Privacy in Communication Networks. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 164. Springer, Cham

Abstract

This paper considers exploiting browsers for attacking Web servers. We demonstrate the generation of HTTP traffic to third-party domains without the user's knowledge, which can be used, e.g., for Denial of Service attacks.

Our attack is possible primarily because Cross Origin Resource Sharing does not restrict WebSocket communications. We show an HTTP-based DoS attack with a proof of concept implementation, analyse its impact against Apache and Nginx, and compare the effectiveness of our attack to two common attack tools.

In the course of our work we identified two new vulnerabilities in Chrome and Safari, i.e., two thirds of all browsers in use, that turn these browsers into attack tools comparable to known DoS applications such as LOIC.
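Because the browser's same-origin and CORS machinery does not gate WebSocket connections, the only place an origin policy can be enforced is the server side of the handshake. The following is an added example (not code from the paper or its authors) of a minimal RFC 6455 upgrade check that rejects handshakes whose Origin header is not on an allowlist; the allowlist and the sample request are constructed for illustration.

```python
import base64
import hashlib

# Constructed allowlist: origins permitted to open WebSocket connections
# to this server (an assumption for the example, not a real deployment).
ALLOWED_ORIGINS = {"https://app.example.com"}

# Fixed GUID defined in RFC 6455 for deriving Sec-WebSocket-Accept.
WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"

# Constructed sample handshake; the key is the example value from RFC 6455.
SAMPLE_REQUEST = (
    "GET /chat HTTP/1.1\r\n"
    "Host: app.example.com\r\n"
    "Upgrade: websocket\r\n"
    "Connection: Upgrade\r\n"
    "Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\n"
    "Origin: https://app.example.com\r\n"
    "Sec-WebSocket-Version: 13\r\n\r\n"
)


def parse_headers(raw_request: str) -> dict:
    """Parse the header block of an HTTP/1.1 request into a lowercase-keyed dict."""
    headers = {}
    for line in raw_request.split("\r\n")[1:]:
        if not line:  # blank line terminates the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def accept_key(client_key: str) -> str:
    """Sec-WebSocket-Accept value as specified in RFC 6455, section 4.2.2."""
    digest = hashlib.sha1((client_key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def check_upgrade(raw_request: str, allowed_origins=ALLOWED_ORIGINS):
    """Return (accepted, accept_key_or_reason) for a WebSocket handshake.

    Browsers always send Origin on the handshake but never block it
    themselves, so a cross-origin page can open the socket unless the
    server refuses origins it does not recognise (answer with 403).
    """
    h = parse_headers(raw_request)
    if h.get("upgrade", "").lower() != "websocket":
        return False, "not a websocket upgrade"
    if "upgrade" not in h.get("connection", "").lower():
        return False, "missing Connection: Upgrade"
    if "sec-websocket-key" not in h:
        return False, "missing Sec-WebSocket-Key"
    origin = h.get("origin")
    if origin is None or origin not in allowed_origins:
        return False, "origin not allowed: %s" % origin
    return True, accept_key(h["sec-websocket-key"])
```

An origin allowlist stops the cross-origin case described in the abstract; it does not by itself limit how much traffic an allowed origin, or a non-browser client that forges the header, can generate, so per-client connection and rate limits remain necessary.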

Keywords

Denial of Service, Browser security, Web security, HTML5 security

Copyright information

© Institute for Computer Sciences, Social Informatics and Telecommunications Engineering 2015

Authors and Affiliations

1. Institute of IT-Security and Security Law, University of Passau, Passau, Germany
