-
Welcome to B4X forum!
B4X is a set of simple and powerful cross platform RAD tools:
- B4A (free) - Android development
- B4J (free) - Desktop and Server development
- B4i - iOS development
- B4R (free) - Arduino, ESP8266 and ESP32 development
B4J Question Websocket & hackers
- Thread starter LucaMs
- Start date
-
- Tags
- websocket
- Similar Threads Similar Threads
That's such a vague premise that I don't have a problem answering that they absolutely could do it.
Assuming they already have full access to the machine. (But in that case you have a lot bigger problem than the websocket connection, of course.)
Assuming they already have full access to the machine. (But in that case you have a lot bigger problem than the websocket connection, of course.)
Upvote
0
??
Eclipse Jetty : CVE security vulnerabilities, versions and detailed reports
Eclipse Jetty security vulnerabilities, exploits, metasploit modules, vulnerability statistics and list of versions
www.cvedetails.com
Upvote
0
As you know, I recently wrote a WebServer from scratch including the webSocket protocol.
The answer is yes. The protocol is not secure, the encoding is known and easily decoded. The masking method is also simple. It is possible to insert and send sial packets to the client and to the server easily pretending to be the correspondent with the Man In Middle attack
Permissions follow a simple process with MD5 encoding, but by reading the public encryption keys (which are in the clear) you can easily override
The answer is yes. The protocol is not secure, the encoding is known and easily decoded. The masking method is also simple. It is possible to insert and send sial packets to the client and to the server easily pretending to be the correspondent with the Man In Middle attack
Permissions follow a simple process with MD5 encoding, but by reading the public encryption keys (which are in the clear) you can easily override
Upvote
0
Websocket is backed by HTTP, you can get the httprequest from the websocket protocol and look for the session variables, unless the user has its session compromised i dont think you will have any issue.
Upvote
0
Thanks for your answers.
At this moment I heard:
"This is a protocol violation!"
But that's only because I'm "listening" to "Law & Order", so I don't think they're talking about http
, I search the web.
Thank you.
[Meanwhile "Law & Order" is over and I haven't heard how they framed the killer]
[... and I failed to kill the mosquito
]
At this moment I heard:
"This is a protocol violation!"
But that's only because I'm "listening" to "Law & Order", so I don't think they're talking about http
- Token: how do i know if i passed it to the legitimate client user? Every time I forget how to exploit the public-private key technique; I suppose it would be the best way.
- (damn mosquito )
- Session variables: theoretically a hacker could get these too, right? (and actually the token too)
- TSL 1.2: I guess the older version was also considered safe, then...! Also I suppose the ability to use version 1.2 depends on the client and server libraries (I have to check this).
, I search the web.Thank you.
[Meanwhile "Law & Order" is over and I haven't heard how they framed the killer
][... and I failed to kill the mosquito
]
Upvote
0
With plaintext communication you cannot be sure that you have connected with the legitimate client.Thanks for your answers.
At this moment I heard:
"This is a protocol violation!"
But that's only because I'm "listening" to "Law & Order", so I don't think they're talking about http
While waiting for you (and others) to choose which strategy is the best
- Token: how do i know if i passed it to the legitimate client user? Every time I forget how to exploit the public-private key technique; I suppose it would be the best way.
- (damn mosquito
- Session variables: theoretically a hacker could get these too, right? (and actually the token too)
- TSL 1.2: I guess the older version was also considered safe, then...! Also I suppose the ability to use version 1.2 depends on the client and server libraries (I have to check this).
Thank you.
[Meanwhile "Law & Order" is over and I haven't heard how they framed the killer
[... and I failed to kill the mosquito
As already mentioned with the security protocols of verifying the certificates it is really complex to pretend to be the legitimate computer. Attacks on security protocols are not as easy as with WebSocket alone. They require a lot of expertise.
Usually those who have these skills do not attack LucaMS 'computers but those of the banks
I cannot add anything else because everything I write tomorrow could be used against me (cit. Law and order)
Upvote
0
Similar Threads
