Node[.]js for WebSockets: it is useful and powerful, but it comes at a cost. Fortinet's design weakness awakens its competitors (22-01-2025)

Preface: Mars is very cold, with an average temperature of -62 degrees Celsius. Therefore, human living environments need to be designed to withstand extreme cold. Fortunately, however, these temperatures are not beyond our control. In fact, there are cities on Earth where temperatures have reached such low levels. Maybe, this is what Elon Musk meant by his recent (January 2025) speech!

Background: The Node.js WebSocket server handles several tasks related to the OS web GUI, including report management, WebSockets, the web CLI in the GUI, and proxying traffic to and from the administrative web GUI.

Node[.]js for WebSockets Common Vulnerabilities

Security Focus:

No Authentication During the Handshake Process: The WebSocket protocol does not allow the server to authenticate the client during the handshake process. Only the normal HTTP connection mechanisms can be used, which include HTTP and TLS authentication and cookies. The upgrade handshake still goes from HTTP to WebSocket, and HTTP sends its authentication information directly to WS. This weakness can be exploited, and the attack is called Cross-Site WebSocket Hijacking.
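One way a Node.js server can close this gap is to vet the upgrade request itself before accepting it. The sketch below is an added example, not code from Fortinet or from the advisory; the allowed origin, the `sid` cookie, the `token` query parameter and the session store are assumptions made for illustration.

```javascript
// Added example: vet a WebSocket upgrade request before accepting it.
// Assumptions: the allowed origin, the "sid" cookie and the "token" parameter.
const ALLOWED_ORIGINS = new Set(["https://admin.example.test"]);
// Constructed session store: session id -> per-session handshake token.
const sessions = new Map([["s-1001", "tok-7f3a9c"]]);

// Compare two strings without stopping at the first differing character.
function safeEqual(a, b) {
  if (typeof a !== "string" || typeof b !== "string" || a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Minimal Cookie header parser: "a=1; b=2" -> { a: "1", b: "2" }.
function parseCookies(header = "") {
  const out = {};
  for (const part of header.split(";")) {
    const i = part.indexOf("=");
    if (i > 0) out[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return out;
}

// req mirrors Node's http.IncomingMessage: { url, headers } with lowercase header names.
function vetUpgrade(req) {
  const h = req.headers;
  if ((h.upgrade || "").toLowerCase() !== "websocket")
    return { ok: false, status: 400, reason: "not a WebSocket upgrade" };
  // Browsers set Origin on WebSocket handshakes; page script cannot override it.
  if (!ALLOWED_ORIGINS.has(h.origin))
    return { ok: false, status: 403, reason: "origin not allowed" };
  const sid = parseCookies(h.cookie).sid;
  const expected = sessions.get(sid);
  if (!expected) return { ok: false, status: 401, reason: "no valid session" };
  // The cookie is attached automatically, so also require a token the page must supply.
  const token = new URL(req.url, "http://localhost").searchParams.get("token");
  if (!safeEqual(token, expected))
    return { ok: false, status: 403, reason: "bad handshake token" };
  return { ok: true, status: 101, sid };
}

// Constructed requests: a legitimate GUI page and a cross-site page reusing the cookie.
const sameSite = { url: "/ws?token=tok-7f3a9c",
  headers: { upgrade: "websocket", origin: "https://admin.example.test", cookie: "sid=s-1001" } };
const crossSite = { url: "/ws",
  headers: { upgrade: "websocket", origin: "https://other.example.test", cookie: "sid=s-1001" } };
console.log(vetUpgrade(sameSite), vetUpgrade(crossSite));
```

In a real server this check would run in the HTTP server's `upgrade` event handler, and the socket would be closed with the returned status whenever `ok` is false.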

Data masking: The WebSocket protocol uses masking to prevent things like proxy cache poisoning. However, there is a problem. Masking prevents security tools from performing actions such as identifying patterns in traffic. Software such as DLP (Data Loss Prevention) does not even know that WebSockets exist, which makes it impossible for it to profile WebSocket traffic. It also leaves these programs unable to identify malicious JavaScript, data leakage, and so on.

For more professional advice, you can refer to the Fortinet security advisory on this topic. Please refer to the link for details – https://www.fortiguard.com/psirt/FG-IR-24-535
