Signed client certificate not accepted by websocket server [migrated]

Want to set up authentication in a python websocket server which builds up its ssl context like:

ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER) ctx.load_cert_chain('certificates/server_cert.pem', 'certificates/server_key.pem') ctx.verify_mode = ssl.CERT_REQUIRED ctx.load_verify_locations('certificates/bob_cert.pem') 

Following the example in here (only for the creation of certificates) I created three keypairs and certificates, one for the websocket server and two client certs. As stated in the example I signed alice’s cert with the server cert and bob’s cert is self-signed.

If I now connect via bob’s cert and set verify_locations in the server as above, bob magically gets into the server (which doesn’t do more then echo back what you sent). But if I connect via alice’s cert (signed by server cert) I do not get accepted – getting a ConnectionResetError, the parameter verify_locations in the above code is then of course set to accept alice_cert.pem. For completion, below you find the code for ssl context creation of the client side (here for bob):

ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT) ctx.check_hostname = True ctx.load_verify_locations('certificates/server_cert.pem') ctx.verify_mode = ssl.CERT_REQUIRED ctx.load_cert_chain('certificates/bob_cert.pem', 'certificates/bob_key.pem') 

What am I doing wrong or where did I misunderstand the tutorial I followed (link above), how can the unrelated (to the server cert) self-signed certificate used by bob (ISSUER CN=bob, SUBJ CN=bob) get access whereas alice cert which is signed by the server cert (ISSUER CN=localhost, SUBJ CN=alice) does get rejected?

Prevent Cross-site WebSocket hijacking with a custom header and no CORS

Considering I am vulnerable to Cross-site WebSocket hijacking, so my WebSocket handshake (GET to does not require a random (CSRF) token.

I have defined no CORS settings, so no custom headers can be added to cross-site requests.

Would it theoretically be enough to add a static custom request header, that is required for the WebSocket handshake to prevent a Cross-site WebSocket hijacking?

Hijacking Websocket – it is possible to change the server response?

i read every available hijacking websocket guide/explanation there is in the wild but i still don’t understand one thing.

In a CSWSH it is possible to custom requests to the server and retrieve sensitive information that an attacker can steal, also perform sensitive state-changing actions like a normal CSRF.

But, is it possible to send the normal/default request to the server and change the server’s response?

Lets say a website that uses websockets to receive prices of items,

a sample request would be:

{Price: apple} 

A simple response would be

Price apple: 100 

i want to know if it would be possible just to change the response from the server and say that apple is worth 5 or 500 instead of 100, without changing the request to the server… just the response

How to sniff direct websocket connection in android ( i.e. no HTTP Upgrade connections ) using BURP?

I’ve pentested a lot of websites and a few apps too but this app eludes them all. On the websites, when there’s a websocket upgrade the BURP proxy recognizes it and starts showing it in the websockets tab. Somewhat similar happens on the apps, but not on this one.

This app doesn’t do any such thing.

How this app works :

  1. Gets it’s websocket endpoints from a config, downloaded from a website. Then ‘mysteriously’ it makes a connection to the websocket server, which isn’t visible in the BURP proxy.

My Setup : 1. Rooted phone with frida running and objection framework for ssl unpinning ( although not needed here, as I am already able to see all the http(s) traffic from the app ).

FYI I’ve added my BURP cert as root authority in my android 7.0 phone.

I’ve also tried ‘invisible proxying’ ( not sure how it works ) didn’t work either.

Any ideas would help ?


Connecting clients with UDP and WebSocket connections

I’m in the process of making a physics intensive multiplayer game. Naturally I use a UDP to transfer packets regarding rigidbodies between client and an authoritative server.

However non-essential packets I’d prefer to use a more reliable connection like WebSockets. This would be for things like voice chat, text chat, scoreboard, etc. It also seems the be a nice approach to checking if the client is still connected and if not, stop sending it UDP packets.

I’m actually unable to find use cases of this dual connection approach online and I was wondering how this is typically handled in similar games. Is it very far fetched or unconventional?

Another question would be how far do I take relying on the WebSocket connection? Lets say for managing remaining bullets in a guns magazine, would it be better over UDP or WebSocket?

I feel like WebSockets would be best in this case because if the bullet was successfully spawned and the server needs to remove a bullet from the client’s gun’s magazine, if that packet doesn’t arrive at the client, then they shot a free bullet…

The UDP equivalent for this scenario would be to always send the client’s magazine state as packets and the client just updates it’s magazine whenever the packets get to them. My concern here is overloading the network traffic data that might not have even changed…

Laravel websocket Broadcast no funciona

favor me pueden ayudar con el siguiente problem, en el metodo storage estoy creando una atencion, y quiero que al momento de crear la atencion se dispare un nuevo evento “NewAttention” pero no logro entender el funcionamiento

Tengo en mi controlador lo siguiente

$  attention = Attentionlist::create([     'number'    => $  request->number,     'dni'       => $  request->dni,     'ingresado' => now(),     'espera'    => NULL,     'proceso'   => NULL,     'finalizado'=> NULL,     'subcategory_id'=> $  request->subcategory_id,     'totem_id'  => 1 ]); 

y el broadcast que estoy llamando el el siguiente, justo debajo del create

broadcast(new NewAttention($  attention))->toOthers();  

En el archivo NewAttention.php tengo l osiguiente

class NewAttention implements ShouldBroadcastNow {     use Dispatchable, InteractsWithSockets, SerializesModels;      public $  attention;      public function __construct(Attentionlist $  attention)     {         $  this->attention = $  attention;     }      public function broadcastOn()     {         return new Channel('attention');     } } 

Pero al crear la atencion la almacena en la base de datos pero al pasar por la linea del broadcast arroja

app.js:267 POST 500 (Internal Server Error) dispatchXhrRequest @ app.js:267 xhrAdapter @ app.js:118 dispatchRequest @ app.js:706 Promise.then (async) request @ app.js:513 Axios.<computed> @ app.js:533 wrap @ app.js:966 confirmPrint @ app.js:2294 click @ app.js:48667 invokeWithErrorHandling @ app.js:50785 invoker @ app.js:51110 original._wrapper @ app.js:56463 app.js:633 Uncaught (in promise) Error: Request failed with status code 500     at createError (app.js:633)     at settle (app.js:796)     at XMLHttpRequest.handleLoad (app.js:166) 

¿Que es lo que me estaría faltando?

Issue with AWS elastic beanstalk with secure websocket

I have a node js server for my game which I want to deploy in AWS. my client successfully got connected with ws:// But I have a requirement to create secure connection. I have already purchased a domain name. Not from Route53. I added a listener in my Load Balancer to listen to port 443 with SSL type with Certificate added with the domain name is purchased as document suggest.

I am getting an error that CERT_COMMON_NAME_INVALID when client is trying to connect to wss://

I also tried to connect to domain name which lead to error “ERR_NAME_NOT_RESOLVED”.

I don’t know what to do now. Is there anyone who can help me with figuring out the problem?



Tengo una aplicación de Angular que deseo conectar con un servidor websockets realizado con laravel-websockets. la configuración realizada en PUSHER JS en la aplicación IONIC es:

Configuración de WebSocket en el Aplicación Angular

teniendo en cuenta que tengo mi propio servidor websocket, puedo utilizar funciones ilimitadas de PusherJS?

Can i use Socket instead of WebSocket in Web Api C#?

i have a problem. I am trying to use sockets to make a TCP communication between two points. And it work perfectly on Windows Form c# application. But when i try to do the same thing using Web Api to generate a link that called the method to connect the socket, but i cannot receive the response of server and the socket does not connect.

Should i use WebSocket instead of Socket in C# WebApi?

The communication is asynchronous.

In the method

onConnect(IAsyncResult ar) {  Socket sock = (Socket) ar.AsyncState; try{  if(sock.Connected){   SetupReceiveCallback(sock)  }else{ .... } } } 

the code aways goes to the else condition.