Skip to content

Latest commit

 

History

History
159 lines (142 loc) · 12.9 KB

mitigations.md

File metadata and controls

159 lines (142 loc) · 12.9 KB

Mitigation Strategies Analysis for gorilla/websocket

Mitigation Strategy: Implement Connection Limits (Websocket Specific)

  • Mitigation Strategy: Websocket Connection Limits
  • Description:
    1. Identify Acceptable Websocket Connection Threshold: Determine the maximum number of websocket connections your server can handle per client IP without performance degradation. This is specific to websocket resource usage.
    2. Implement Websocket Connection Tracking: Maintain a data structure to track active websocket connections per client IP address. Focus on tracking websocket connections specifically.
    3. Enforce Limit During Websocket Handshake: In your gorilla/websocket.Upgrader handler, before accepting a websocket connection:
      • Check the client's IP address initiating the websocket handshake.
      • Query your websocket connection tracking mechanism.
      • If the count exceeds the threshold for websocket connections, reject the websocket upgrade.
    4. Decrement Count on Websocket Connection Close: When a websocket connection is closed, decrement the count in your tracking mechanism. Ensure this is specifically for websocket connection closures.
  • Threats Mitigated:
    • Denial of Service (DoS) - Websocket Connection Exhaustion (High Severity): Attackers flood the server with websocket connection requests, specifically targeting websocket resources.
  • Impact:
    • DoS - Websocket Connection Exhaustion (High Impact): Directly reduces the risk of websocket connection exhaustion DoS attacks.
  • Currently Implemented:
    • Implemented in the websocket_manager.go module, within the UpgradeHandler function, specifically for websocket connections.
  • Missing Implementation:
    • Consider persistent storage for websocket connection counts for better scaling and resilience. Currently, it's in-memory websocket connection tracking.

Mitigation Strategy: Enforce Message Rate Limiting (Websocket Specific)

  • Mitigation Strategy: Websocket Message Rate Limiting
  • Description:
    1. Define Websocket Message Rate Limits: Determine acceptable message rates for websocket messages specifically.
    2. Implement Websocket Rate Tracking: For each websocket connection, track the number of websocket messages received within a time window. Focus on tracking websocket messages.
    3. Enforce Limits in Websocket Message Handling Logic: In your websocket message handling function:
      • Record timestamps of incoming websocket messages.
      • Calculate the websocket message rate.
      • If the websocket message rate exceeds limits, take action on the websocket connection.
  • Threats Mitigated:
    • Denial of Service (DoS) - Websocket Message Flooding (Medium Severity): Attackers flood the server with websocket messages, overwhelming websocket message processing.
    • Websocket Application Logic Abuse (Medium Severity): Rapid websocket message sending to abuse websocket application logic.
  • Impact:
    • DoS - Websocket Message Flooding (Medium Impact): Reduces websocket message flooding DoS attacks.
    • Websocket Application Logic Abuse (Medium Impact): Mitigates abuse via excessive websocket messages.
  • Currently Implemented:
    • Basic rate limiting in message_handler.go, tracking websocket messages per second.
  • Missing Implementation:
    • More granular rate limiting based on websocket message types. Current rate limiting is for all websocket messages.

Mitigation Strategy: Set Maximum Message Size Limits (Websocket Specific)

  • Mitigation Strategy: Maximum Websocket Message Size Limits
  • Description:
    1. Determine Maximum Acceptable Websocket Message Size: Analyze requirements and determine the maximum size for incoming websocket messages.
    2. Configure gorilla/websocket.Upgrader Buffers: Set ReadBufferSize and WriteBufferSize in gorilla/websocket.Upgrader for websocket message buffer limits.
    3. Implement Explicit Websocket Message Size Checks: After reading a websocket message, check its size explicitly.
    4. Reject Oversized Websocket Messages: If a websocket message exceeds the limit, reject it and potentially close the websocket connection.
  • Threats Mitigated:
    • Denial of Service (DoS) - Websocket Resource Exhaustion (Memory/Bandwidth) (Medium Severity): Attackers send large websocket messages, consuming websocket server resources.
    • Websocket Buffer Overflow (Low Severity): Prevents potential buffer issues related to websocket messages.
  • Impact:
    • DoS - Websocket Resource Exhaustion (Medium Impact): Reduces resource exhaustion from oversized websocket messages.
    • Websocket Buffer Overflow (Low Impact): Defense-in-depth for websocket buffer issues.
  • Currently Implemented:
    • ReadBufferSize and WriteBufferSize configured in main.go for websocket upgrades. Explicit websocket message size checks missing.
  • Missing Implementation:
    • Implement explicit size checks in message_handler.go for websocket messages after reading.

Mitigation Strategy: Implement Connection Timeout (Websocket Specific)

  • Mitigation Strategy: Websocket Connection Timeout
  • Description:
    1. Define Websocket Timeout Duration: Determine a timeout for idle websocket connections.
    2. Set Read and Write Deadlines on Websocket Connections: Use websocket.Conn.SetReadDeadline() and websocket.Conn.SetWriteDeadline() for websocket connection timeouts.
    3. Handle Websocket Timeout Errors: Check for timeout errors from ReadMessage() for websocket connections. Close timed-out websocket connections.
    4. Periodically Reset Websocket Deadlines: Reset deadlines after each successful websocket read/write to maintain idle timeout.
  • Threats Mitigated:
    • Resource Exhaustion - Lingering Websocket Connections (Low Severity): Inactive websocket connections consume resources.
    • Websocket Session Hijacking (Low Severity): Long-lived idle websocket sessions could increase hijacking risk.
  • Impact:
    • Resource Exhaustion - Lingering Websocket Connections (Medium Impact): Reclaims resources from idle websocket connections.
    • Websocket Session Hijacking (Low Impact): Reduces hijacking window related to idle websocket sessions.
  • Currently Implemented:
    • Basic read deadlines set in connection_manager.go for new websocket connections.
  • Missing Implementation:
    • Implement write deadlines for websocket connections. Make timeout configurable. Ensure deadlines reset for websocket idle timeout.

Mitigation Strategy: Origin Header Validation (Websocket Specific)

  • Mitigation Strategy: Websocket Origin Header Validation
  • Description:
    1. Implement CheckOrigin Function for Websocket Upgrader: Provide a custom CheckOrigin function in gorilla/websocket.Upgrader. This is specific to the websocket handshake.
    2. Whitelist Allowed Websocket Origins: Create a whitelist of allowed origin domains for websocket connections.
    3. Validate Origin Header in CheckOrigin:
      • Retrieve the Origin header from the websocket handshake http.Request.
      • Check if the Origin header is present for the websocket handshake.
      • Compare against the whitelist for websocket origins.
      • Accept or reject the websocket connection based on origin validation.
    4. Handle Websocket Rejection: gorilla/websocket rejects the websocket handshake if CheckOrigin returns false.
  • Threats Mitigated:
    • Cross-Site WebSocket Hijacking (CSWSH) (High Severity): Prevents websocket connections from malicious websites.
  • Impact:
    • CSWSH (High Impact): Effectively mitigates CSWSH attacks on websocket connections.
  • Currently Implemented:
    • Basic CheckOrigin in main.go for websocket upgrades, checking against a hardcoded list.
  • Missing Implementation:
    • Externalize the allowed websocket origins list. Currently hardcoded for websocket origin validation.

Mitigation Strategy: Strict Input Validation (Websocket Messages)

  • Mitigation Strategy: Strict Websocket Message Input Validation
  • Description:
    1. Define Websocket Message Schema: Define the schema for all incoming websocket messages.
    2. Validate Websocket Messages on Server-Side: In websocket message handling, validate messages immediately after receipt.
      • Parse the websocket message.
      • Validate data types, formats, etc., within the websocket message.
    3. Handle Invalid Websocket Messages: If a websocket message fails validation:
      • Reject the websocket message.
      • Send an error message to the client via websocket.
  • Threats Mitigated:
    • Data Injection Attacks via Websocket (Medium to High Severity): Prevents malicious data injection through websocket messages.
    • Websocket Application Errors and Instability (Medium Severity): Invalid websocket data can cause errors.
  • Impact:
    • Data Injection Attacks via Websocket (High Impact): Reduces data injection via websocket messages.
    • Websocket Application Errors and Instability (Medium Impact): Improves robustness against malformed websocket data.
  • Currently Implemented:
    • Basic JSON parsing in message_handler.go for websocket messages. Detailed websocket message validation missing.
  • Missing Implementation:
    • Implement schema definition for websocket messages and validation in message_handler.go.

Mitigation Strategy: Always Use WSS (WebSocket Secure) (Websocket Specific)

  • Mitigation Strategy: Enforce WSS for Websocket
  • Description:
    1. Configure Server for WSS: Configure your server to handle WSS connections for websocket.
    2. Enforce WSS in Websocket Client Applications: Ensure clients connect using wss:// for websocket connections.
    3. Reject WS Connections (Websocket): Reject ws:// websocket connection attempts in production.
  • Threats Mitigated:
    • Eavesdropping on Websocket Communication (High Severity): Without WSS, websocket communication is plaintext.
    • Man-in-the-Middle (MitM) Attacks on Websocket (High Severity): Without WSS, websocket communication is vulnerable to MitM.
  • Impact:
    • Eavesdropping on Websocket (High Impact): Mitigates eavesdropping on websocket communication.
    • MitM Attacks on Websocket (High Impact): Reduces MitM attacks on websocket communication.
  • Currently Implemented:
    • Server handles both ws:// and wss:// for websocket in development. WSS is enabled.
  • Missing Implementation:
    • Enforce WSS Only in Production for Websocket: Configure server to only accept wss:// for websocket in production. Currently, ws:// is still accepted for websocket.

Mitigation Strategy: Keep gorilla/websocket Library Up-to-Date (Websocket Specific)

  • Mitigation Strategy: Update gorilla/websocket Library
  • Description:
    1. Dependency Management for gorilla/websocket: Use dependency management for gorilla/websocket.
    2. Regularly Check for gorilla/websocket Updates: Monitor for new gorilla/websocket releases and security advisories.
    3. Update gorilla/websocket Dependency: Update to the latest stable gorilla/websocket version.
    4. Test After gorilla/websocket Updates: Test websocket application after updating gorilla/websocket.
  • Threats Mitigated:
    • Exploitation of Known gorilla/websocket Vulnerabilities (Severity varies): Outdated gorilla/websocket may have vulnerabilities.
  • Impact:
    • Exploitation of Known gorilla/websocket Vulnerabilities (Impact varies): Reduces risk of exploiting gorilla/websocket vulnerabilities.
  • Currently Implemented:
    • Dependency management used. No automated process for gorilla/websocket updates.
  • Missing Implementation:
    • Implement a process for regularly updating gorilla/websocket and other dependencies.