Skip to main content
SpringerLink
Log in

Why Web Servers Should Fear Their Clients

Abusing Websockets in Browsers for DoS

  • Conference paper
Book cover Security and Privacy in Communication Networks (SecureComm 2015)

Abstract

This paper considers exploiting browsers for attacking Web servers. We demonstrate the generation of HTTP traffic to third-party domains without the user’s knowledge, that can be used e.g. for Denial of Service attacks.

Our attack is primarily possible since Cross Origin Resource Sharing does not restrict WebSocket communications. We show an HTTP-based DoS attack with a proof of concept implementation, analyse its impact against Apache and Nginx, and compare the effectiveness of our attack to two common attack tools.

In the course of our work we identified two new vulnerabilities in Chrome and Safari, i.e. two thirds of all browsers in use, that turn these browsers into attack tools comparable to known DoS applications like LOIC.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. Introducing the new HTML5 Hard Disk Filler API (2013). http://feross.org/fill-disk/

  2. MD5-Password-Cracker (2013). https://github.com/feross/md5-password-cracker.js/

  3. The top 500 sites on the web (2015). http://www.alexa.com/topsites

  4. Antonatos, S., Akritidis, P., Lam, V.T., Anagnostakis, K.G.: Puppetnets: Misusing Web Browsers As a Distributed Attack Infrastructure. ACM Trans. Inf. Syst. Secur. 12(2) (2008)

    Google Scholar 

  5. Using Baidu to steer millions of computers to launch denial of serviceattacks (2015). https://drive.google.com/file/d/0ByrxblDXR_yqeUNZYU5WcjFCbXM/view

  6. Web code weakness allows data dump on PCs (2008). http://www.bbc.co.uk/news/technology-21628622

  7. Bitcoin Miner for Websites (2011). http://www.bitcoinplus.com/miner/embeddable

  8. Cova, M., Kruegel, C., Vigna, G.: Detection and analysis of drive-by-download attacks and malicious javascript code. In: Proceedings of the 19th International Conference on World Wide Web, WWW 2010, pp. 281–290. ACM, New York (2010)

    Google Scholar 

  9. Fifield, D., Hardison, N., Ellithorpe, J., Stark, E., Boneh, D., Dingledine, R., Porras, P.: Evading censorship with browser-based proxies. In: Fischer-Hübner, Simone, Wright, Matthew (eds.) PETS 2012. LNCS, vol. 7384, pp. 239–258. Springer, Heidelberg (2012)

    Chapter  Google Scholar 

  10. SynGUI (2014). http://download.cnet.com/SynGUI/3000-18510_4-10915777.html

  11. Grossman, J., Johansen, M.: Million Browser Botnet (2013). https://www.blackhat.com/us-13/briefings.html

  12. Hickson, I.: Web workers. Candidate recommendation, W3C, May 2012. http://www.w3.org/TR/2012/CR-workers-20120501/

  13. Huang, L.S., Chen, E.Y., Barth, A., Rescorla, E., Jackson, C.: Talking to yourself for fun and profit. In: Proceedings of W2SP, pp. 1–11 (2011)

    Google Scholar 

  14. Kesteren, A.V.: Cross-Origin Resource Sharing. W3C recommendation, W3C, January 2014. http://www.w3.org/TR/2014/REC-cors-20140116/

  15. Kulshrestha, A.: An Empirical study of HTML5 Websockets and their Cross Browser behavior for Mixed Content and Untrusted Certificates. International Journal of Computer Applications 82(6), 13–18 (2013)

    Article  Google Scholar 

  16. Kuppan, L., Saindane, M.: JS Recon (2010). http://www.andlabs.org/tools/jsrecon/jsrecon.html

  17. Linux Programmer’s Manual (2015). http://man7.org/linux/man-pages/man2/select.2.html

  18. A Network Stress Testing Application (2014). https://sourceforge.net/projects/loic/

  19. Matthews, N.: jsMiner (2011). https://github.com/jwhitehorn/jsMiner

  20. Matthews, N.: Ravan: JavaScript Distributed Computing System (BETA) (2012). http://www.andlabs.org/tools/ravan.html

  21. Melnikov, A.: The websocket protocol. RFC 6455, RFC Editor, December 2011. http://tools.ietf.org/html/rfc6455

  22. Rice, A.: Chromium Code Reviews Issue 835623003: Add a delay when unlockingWebSocket endpoints. (Closed) (2015). https://codereview.chromium.org/835623003

  23. Rieck, K., Krueger, T., Dewald, A.: Cujo: efficient detection and prevention of drive-by-download attacks. In: Proceedings of the 26th Annual Computer Security Applications Conference, ACSAC 2010, pp. 31–39. ACM, Austin (2010)

    Google Scholar 

  24. Schütt, K., Kloft, M., Bikadorov, A., Rieck, K.: Early detection of malicious behavior in JavaScript code. In: Proceedings of the 5th ACM Workshop on Security and Artificial Intelligence, AISec 2012, pp. 15–24. ACM, Raileigh (2012)

    Google Scholar 

  25. Web Server Usage Statistics (2015). http://trends.builtwith.com/web-server

  26. Shema, M., Shekyan, S., Toukharia, V.: Hacking with WebSockets (2012). http://media.blackhat.com/bh-us-12/Briefings/Shekyan/BH_US_12_Shekyan_Toukharian_Hacking_Websocket_Slides.pdf

  27. Internet activists blame China for cyber-attack that brought down GitHub (2015). http://www.theguardian.com/technology/2015/mar/30/china-github-internet-activists-cyber-attack

  28. Browser Statistics (2014). http://www.w3schools.com/browsers/browsers_stats.asp

Download references

Author information

Authors and Affiliations

  1. Institute of IT-Security and Security Law, University of Passau, Innstraße 43, Passau, Germany

    Juan D. Parra Rodriguez & Joachim Posegga

Authors
  1. Juan D. Parra Rodriguez
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Joachim Posegga
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Juan D. Parra Rodriguez .

Editor information

Editors and Affiliations

  1. The University of Texas at Dallas, Richardson, Texas, USA

    Bhavani Thuraisingham

  2. Indiana University at Bloomington, Bloomington, Indiana, USA

    XiaoFeng Wang

  3. SRI International, Menlo Park, California, USA

    Vinod Yegneswaran

Rights and permissions

Reprints and permissions

Copyright information

© 2015 Institute for Computer Sciences, Social Informatics and Telecommunications Engineering

About this paper

Cite this paper

Rodriguez, J.D.P., Posegga, J. (2015). Why Web Servers Should Fear Their Clients. In: Thuraisingham, B., Wang, X., Yegneswaran, V. (eds) Security and Privacy in Communication Networks. SecureComm 2015. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 164. Springer, Cham. https://doi.org/10.1007/978-3-319-28865-9_22

Download citation

  • DOI: https://doi.org/10.1007/978-3-319-28865-9_22

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-28864-2

  • Online ISBN: 978-3-319-28865-9

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation