Full Report
But, Websockets!

The last week I was stuck on a web-app assessment where everything was new-age HTML5, with AngularJS and websockets. Apart from the login sequence, all communication happened through websockets. Now intercepting websockets can be done in Burp and you can modify the requests/responses as you wish. There were however multiple issues with this.

- Polling: the webapp did a ‘ping’ request and if this was held up (intercept in Burp) the app would time out and I had to start from scratch. This timeout period was relatively aggressive, so by the time I finished modifying a request, the app had timed out and my changes meant squat.
- Intercept/Replace rules: ping messages were irritating and Burp had no way to not intercept these. It also wasn’t possible to configure out replace rules. And according to this, it isn’t coming to Burp anytime soon… https://support.portswigger.net/customer/portal/questions/11577304-replace-text-in-websocket-operations
- Replay/Intruder: there is no way to replay a websocket request in Burp. This also means no Intruder :(

At this junction, three options were available to me. Use ZAP (which does have intercept rules but not replay/replace/intruder). Use Internet Explorer and force the app into non-websocket mode, or write a custom proxy. So the choice was obvious: write a custom proxy.
Analysis Summary
# Tool/Technique: Custom Proxy (WSPROXY)
## Overview
A custom web application security testing proxy developed in NodeJS, specifically designed to overcome limitations encountered when using existing tools (like Burp Suite) to intercept, modify, and replay traffic carried over WebSockets (WS/WSS) in modern web applications built with technologies like HTML5 and AngularJS.
## Technical Details
- Type: Tool (Custom Proxy/Framework Component)
- Platform: NodeJS; proxies HTTP/HTTPS and WS/WSS traffic.
- Capabilities: HTTP/HTTPS interception, comprehensive WebSocket interception, request/response modification via custom rules, traffic replay, fuzzing capabilities (Intruder-like), and a custom web interface for traffic visualization.
- First Seen: Mentioned in an article published September 03, 2015.
## MITRE ATT&CK Mapping
This tool is primarily used for **Defense Evasion** and **Discovery/Reconnaissance** during penetration testing, though direct mapping to malware use is inappropriate. The associated testing activities often map to:
- **TA0004 - Privilege Escalation** (only if flaws found are subsequently exploited) - *Not directly mapped for this tool's core function.*
- **TA0006 - Credential Access** (only if credentials are captured in proxied traffic) - *Not directly mapped for this tool's core function.*
- **TA0007 - Discovery**
- **T1046 - Network Service Scanning** (By testing protocol behavior)
- **T1590 - Gather Victim Identity** (Via analyzing communication patterns)
- **TA0009 - Collection**
- **T1005 - Data from Local System** (By logging all traffic)
*(Note: Since this is a benign security tool, direct TTP mapping is focused on the functionality it replicates for analysis/testing.)*
## Functionality
### Core Capabilities
- **HTTP/HTTPS Interception:** Functions as a standard upstream proxy, correctly handling the initial `CONNECT` request required for HTTPS tunneling.
- **WebSocket Handling:** Listens for the HTTP `Upgrade` request and establishes a corresponding WebSocket client/server connection to proxy the traffic transparently.
- **Traffic Visibility:** Can dump intercepted traffic (including HTTP, WS, and WSS) directly to the terminal or display it in a custom web interface.
- **Custom Rules:** Allows configuration of rules to ignore specific messages (e.g., application ping/pong messages, UI configuration messages) to declutter analysis.
### Advanced Features
- **Replace Rules:** Ability to modify values within the intercepted WebSocket frames based on configured replacement rules.
- **Mangle Rules:** Capability to format or "mangle" output (e.g., pretty JSON) for easier review.
- **Traffic Replay/Fuzzing:** Implements an "Intruder type system" allowing users to "mark" selected text within a message, choose a payload file (fuzzing strings, incremental numbers), and replay sequential requests over a newly established WebSocket connection.
- **Repeater Control:** For scenarios where the initial connection pushes configuration data (like in SockJS), the repeater function allows setting an "expect" count to ignore the first 'x' messages before sending the modified replay.
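The ignore, replace and mangle rules and the repeater "expect" count described above, as an added example written for this report. It is not WSPROXY's own code; the rule shapes, rule names, the `{sid, seq, body}`-style sample frames and the function names are assumptions, and the sample frames are constructed stand-ins for captured WebSocket text frames.

```javascript
// Added example, not WSPROXY's own code: a minimal ignore / replace / mangle
// rule pipeline of the kind the report describes, plus the repeater "expect"
// gate. Rule shapes, names and the sample frames are constructed assumptions.

// Ignore rules: frames matching any pattern are still forwarded but are not
// logged or shown, so application-level ping/pong noise does not clutter review.
const ignoreRules = [
  { name: 'app-ping', pattern: /^\s*\{\s*"type"\s*:\s*"(ping|pong)"/ },
];

// Replace rules: applied to the frame text before forwarding, so a value can be
// changed without holding the frame long enough for the app's keepalive to fail.
const replaceRules = [
  { name: 'client-version', search: /"clientVersion":"1\.0"/g, replacement: '"clientVersion":"9.9"' },
];

// Mangle: pretty-print JSON frames for the log; leave non-JSON text untouched.
function mangle(text) {
  try {
    return JSON.stringify(JSON.parse(text), null, 2);
  } catch (e) {
    return text;
  }
}

// Apply every replace rule in order and record which ones changed the frame.
function applyReplaceRules(text, rules) {
  const applied = [];
  let out = text;
  for (const rule of rules) {
    const next = out.replace(rule.search, rule.replacement);
    if (next !== out) applied.push(rule.name);
    out = next;
  }
  return { text: out, applied };
}

function isIgnored(text, rules) {
  return rules.some((rule) => rule.pattern.test(text));
}

// Process one frame: decide what to forward and what (if anything) to log.
function processFrame(frame, rules) {
  const { text, applied } = applyReplaceRules(frame, rules.replaceRules);
  const ignored = isIgnored(frame, rules.ignoreRules);
  return {
    original: frame,
    forward: text,                          // what goes on to the other side
    applied,                                // replace rules that changed it
    ignored,
    logged: ignored ? null : mangle(text),  // what the terminal / UI shows
  };
}

function processTraffic(frames, rules) {
  return frames.map((frame) => processFrame(frame, rules));
}

// Repeater "expect" gate: on a fresh connection some stacks (e.g. SockJS) push
// configuration frames first; skip the first `expect` frames before replaying.
function makeExpectGate(expect) {
  let seen = 0;
  return function shouldSend() {
    if (seen < expect) {
      seen += 1;
      return false;
    }
    return true;
  };
}

// Constructed sample frames standing in for captured WebSocket text frames.
const sampleFrames = [
  '{"type":"ping","ts":1}',
  '{"type":"msg","clientVersion":"1.0","body":"hello"}',
  'not json at all',
];

// Demo: print what the proxy's log would show for the constructed frames.
for (const r of processTraffic(sampleFrames, { ignoreRules, replaceRules })) {
  if (r.logged !== null) console.log(`[${r.applied.join(',') || '-'}]\n${r.logged}`);
}
```

The ping frame is forwarded untouched but never logged, the second frame is rewritten by the replace rule and pretty-printed, and the non-JSON frame passes through as-is; `makeExpectGate(2)` returns `false` for the first two frames of a replay connection and `true` afterwards.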
## Indicators of Compromise
- File Hashes: [Not applicable, as this is a review of a custom analysis tool.]
- File Names: `wsproxy.js`
- Registry Keys: [Not applicable]
- Network Indicators: [Not applicable, this tool facilitates traffic *analysis*, not command/control.]
- Behavioral Indicators: Usage of NodeJS to establish proxy listeners, handling of HTTP `CONNECT` requests followed by WebSocket protocol upgrades, and custom user interface accessible on port 8082 while proxy runs on 8081.
## Associated Threat Actors
- Not associated with threat actors; developed by SensePost for offensive security testing and web application assessment.
## Detection Methods
- **Signature-based detection:** Detection would focus on the presence of the specific NodeJS application structure cloned from the public repository or execution of `node wsproxy.js`.
- **Behavioral detection:** Monitoring for unusual NodeJS processes setting up system-wide proxy configurations or listening on local ports (e.g., 8081, 8082).
- **YARA rules if available:** [Not applicable]
## Mitigation Strategies
- **Network Segmentation and Control:** Restricting outbound proxy configurations on end-user systems or monitoring for unauthorized proxy setup changes.
- **Principle of Least Privilege:** Limiting the ability of standard users to install and run customized networking tools like NodeJS applications.
- **Application Hardening:** Implementing strong session validation independent of simple ping/pong mechanisms to mitigate replay attacks facilitated by such tools.
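One way to implement the "session validation independent of ping/pong" hardening above, as an added example that is not part of the report or of WSPROXY: the server binds each inbound WebSocket message to the session authenticated at the `Upgrade` handshake and to a strictly increasing per-connection sequence number, so a frame captured by a proxy and replayed later (on the same or a new connection) is dropped. The `{sid, seq, body}` message shape, the in-memory connection state and the function names are assumptions.

```javascript
// Added example (not from the report or WSPROXY): server-side replay
// resistance for WebSocket messages. The message shape {sid, seq, body} and
// the in-memory connection state are assumptions made for this example.

// Constant-time string comparison so the session check does not leak which
// prefix of the id matched through timing.
function safeEqual(a, b) {
  if (typeof a !== 'string' || typeof b !== 'string') return false;
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// State the server attaches to one connection when the Upgrade is accepted:
// the session id proven during login and the last accepted sequence number.
function createConnectionState(sessionId) {
  return { sessionId, lastSeq: 0 };
}

// Validate one inbound text frame. Returns { ok: true, body } when it should be
// processed, otherwise { ok: false, reason } so the caller can log and drop it.
function validateMessage(state, rawFrame) {
  let msg;
  try {
    msg = JSON.parse(rawFrame);
  } catch (e) {
    return { ok: false, reason: 'malformed' };
  }
  // A keepalive or any frame without the bound session id is not trusted.
  if (!safeEqual(msg.sid, state.sessionId)) {
    return { ok: false, reason: 'session-mismatch' };
  }
  // Sequence numbers must strictly increase; a re-sent frame fails here.
  if (!Number.isInteger(msg.seq) || msg.seq <= state.lastSeq) {
    return { ok: false, reason: 'replay-or-out-of-order' };
  }
  state.lastSeq = msg.seq;
  return { ok: true, body: msg.body };
}

// Walk a constructed exchange: a legitimate client sends seq 1 and 2, the
// seq-2 frame is re-sent on the same connection, then replayed over a second
// connection that authenticated as a different session, followed by an
// unbound keepalive and a malformed frame.
function simulateReplay() {
  const connA = createConnectionState('sess-A-constructed');
  const connB = createConnectionState('sess-B-constructed');
  const frame1 = JSON.stringify({ sid: 'sess-A-constructed', seq: 1, body: 'hello' });
  const frame2 = JSON.stringify({ sid: 'sess-A-constructed', seq: 2, body: 'update' });
  return [
    validateMessage(connA, frame1),
    validateMessage(connA, frame2),
    validateMessage(connA, frame2),            // same-connection replay
    validateMessage(connB, frame2),            // cross-connection replay
    validateMessage(connA, '{"type":"ping"}'), // keepalive without session binding
    validateMessage(connA, 'garbage'),
  ].map((r) => (r.ok ? `ok:${r.body}` : `drop:${r.reason}`));
}

console.log(simulateReplay().join('\n'));
```

Only the first two frames are accepted; the two replays, the unbound ping and the malformed frame are each dropped with a reason the server can log, which also gives the behavioural detection in the previous section something concrete to alert on.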
## Related Tools/Techniques
- **Burp Suite Professional/Community:** The tool analyzed was created specifically because Burp lacked robust, user-friendly WebSocket replay/Intruder/replace functionality at the time of writing.
- **OWASP ZAP:** Mentioned as an alternative that possessed better native WebSocket intercept rules in some versions compared to the Burp Suite version available to the author.