websocket: Verify Sec-WebSocket-Key/Accept headers and review feedback

Don't log them, they are random and arbitrary in the normal case. Users can do the following to log them if wanted. redef += WebSocket::Info$client_key += { &log }; redef += WebSocket::Info$server_accept += { &log };
2025-10-02 14:48:21 +00:00 · 2024-01-19 17:32:06 +01:00 · 2024-01-19 17:32:06 +01:00 · e17655be61
commit e17655be61
parent a6c1d12206
16 changed files with 100 additions and 24 deletions
--- a/scripts/base/init-bare.zeek
+++ b/scripts/base/init-bare.zeek
@ -470,10 +470,10 @@ export {
 	## Whether to enable DPD on WebSocket frame payload by default.
 	const use_dpd_default = T &redef;

-	## Record type that is passed to :zeek:see:`WebSocket::__configure_analyzer`.
+	## Record type that is passed to :zeek:see:`WebSocket::configure_analyzer`.
 	##
-	## This allows to configure the WebSocket analyzer given parameters
-	## collected from HTTP headers.
+	## This record allows to configure the WebSocket analyzer given
+	## parameters collected from HTTP headers.
 	type AnalyzerConfig: record {
 		## The analyzer to attach for analysis of the WebSocket
 		## frame payload. See *use_dpd* below for the behavior
--- a/scripts/base/protocols/websocket/consts.zeek
+++ b/scripts/base/protocols/websocket/consts.zeek
@ -18,4 +18,6 @@ export {
 		[OPCODE_PING]         = "ping",
 		[OPCODE_PONG]         = "pong",
 	} &default=function(opcode: count): string { return fmt("unknown-%x", opcode); } &redef;
+
+	const HANDSHAKE_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11";
 }
--- a/scripts/base/protocols/websocket/main.zeek
+++ b/scripts/base/protocols/websocket/main.zeek
@ -1,11 +1,13 @@
 ##! Implements base functionality for WebSocket analysis.
 ##!
-##! Upon a websocket_handshake(), logs all gathered information into websocket.log
-##! and then configures the WebSocket analyzer with the headers collected using
-##! http events.
+##! Upon a websocket_established() event, logs all gathered information into
+##! websocket.log and configures the WebSocket analyzer with the headers
+##! collected via http events.

@load base/protocols/http

+@load ./consts
+
 module WebSocket;

 # Register the WebSocket analyzer as HTTP upgrade analyzer.
@ -38,6 +40,10 @@ export {
 		server_extensions: vector of string &log &optional;
 		## The extensions requested by the client, if any.
 		client_extensions: vector of string &log &optional;
+		## The Sec-WebSocket-Key header from the client.
+		client_key:        string &optional;
+		## The Sec-WebSocket-Accept header from the server.
+		server_accept:     string &optional;
 	};

 	## Event that can be handled to access the WebSocket record as it is
@ -71,6 +77,10 @@ function set_websocket(c: connection)
 	);
 	}

+function expected_accept_for(key: string): string {
+	return encode_base64(hexstr_to_bytestring(sha1_hash(key + HANDSHAKE_GUID)));
+}
+
 event http_header(c: connection, is_orig: bool, name: string, value: string)
 	{
 	if ( ! starts_with(name, "SEC-WEBSOCKET-") )
@ -98,11 +108,21 @@ event http_header(c: connection, is_orig: bool, name: string, value: string)

 			ws$client_extensions += split_string(value, / *, */);
 			}
+		else if ( name == "SEC-WEBSOCKET-KEY" )
+			{
+			if ( ws?$client_key )
+				Reporter::conn_weird("websocket_multiple_key_headers", c, "", "WebSocket");
+
+			ws$client_key = value;
+			}
 		}
 	else
 		{
 		if ( name == "SEC-WEBSOCKET-PROTOCOL" )
 			{
+			if ( ws?$subprotocol )
+				Reporter::conn_weird("websocket_multiple_protocol_headers", c, "", "WebSocket");
+
 			ws$subprotocol = value;
 			}
 		else if ( name == "SEC-WEBSOCKET-EXTENSIONS" )
@ -112,6 +132,13 @@ event http_header(c: connection, is_orig: bool, name: string, value: string)

 			ws$server_extensions += split_string(value, / *, */);
 			}
+		else if ( name == "SEC-WEBSOCKET-ACCEPT" )
+			{
+			if ( ws?$server_accept )
+				Reporter::conn_weird("websocket_multiple_accept_headers", c, "", "WebSocket");
+
+			ws$server_accept = value;
+			}
 		}
 	}

@ -119,23 +146,39 @@ event http_request(c: connection, method: string, original_URI: string,
                   unescaped_URI: string, version: string)
 	{
 	# If we see a http_request and have websocket state, wipe it as
-	# we should've seen a websocket_handshake even on success and
+	# we should've seen a websocket_established even on success and
 	# likely no more http events.
 	if ( ! c?$websocket )
 		delete c$websocket;
 	}

-event websocket_handshake(c: connection, aid: count) &priority=5
+event websocket_established(c: connection, aid: count) &priority=5
 	{
 	if ( ! c?$websocket )
 		{
 		# This means we never saw a Sec-WebSocket-* header, weird.
-		Reporter::conn_weird("websocket_handshake_unexpected", c, "", "WebSocket");
+		Reporter::conn_weird("websocket_established_unexpected", c, "", "WebSocket");
 		set_websocket(c);
 		}

 	local ws = c$websocket;

+	if ( ! ws?$client_key )
+		Reporter::conn_weird("websocket_missing_key_header", c, "", "WebSocket");
+
+	if ( ! ws?$server_accept )
+		Reporter::conn_weird("websocket_missing_accept_header", c, "", "WebSocket");
+
+	# Verify the Sec-WebSocket-Accept header's value given the Sec-WebSocket-Key header's value.
+	if ( ws?$client_key && ws?$server_accept )
+		{
+		local expected_accept = expected_accept_for(ws$client_key);
+		if ( ws$server_accept != expected_accept )
+			Reporter::conn_weird("websocket_wrong_accept_header", c,
+			                     fmt("expected=%s, found=%s", expected_accept, ws$server_accept),
+			                     "WebSocket");
+		}
+
 	# Replicate some information from the HTTP.log
 	if ( c?$http )
 		{
@ -150,7 +193,7 @@ event websocket_handshake(c: connection, aid: count) &priority=5
 		}
 	}

-event websocket_handshake(c: connection, aid: count) &priority=-5
+event websocket_established(c: connection, aid: count) &priority=-5
 	{
 	local ws = c$websocket;

--- a/src/analyzer/protocol/websocket/WebSocket.cc
+++ b/src/analyzer/protocol/websocket/WebSocket.cc
@ -23,7 +23,7 @@ void WebSocket_Analyzer::Init() {
    tcp::TCP_ApplicationAnalyzer::Init();

    // This event calls back via Configure()
-    zeek::BifEvent::enqueue_websocket_handshake(this, Conn(), GetID());
+    zeek::BifEvent::enqueue_websocket_established(this, Conn(), GetID());
 }

 bool WebSocket_Analyzer::Configure(zeek::RecordValPtr config) {
--- a/src/analyzer/protocol/websocket/events.bif
+++ b/src/analyzer/protocol/websocket/events.bif
@ -11,7 +11,7 @@
 ##
 ## .. zeek:see:: WebSocket::configure_analyzer
 ##
-event websocket_handshake%(c: connection, aid: count%);
+event websocket_established%(c: connection, aid: count%);

 ## Generated for every WebSocket frame.
 ##
--- a/src/analyzer/protocol/websocket/functions.bif
+++ b/src/analyzer/protocol/websocket/functions.bif
@ -6,19 +6,19 @@ module WebSocket;

 ## Configure the WebSocket analyzer.
 ##
-## Called during :zeek:see:`websocket_handshake` to configure
+## Called during :zeek:see:`websocket_established` to configure
 ## the WebSocket analyzer given the selected protocol and extension
 ## as chosen by the server.
 ##
 ## c: The WebSocket connection.
 #
-## aid: The identifier for the WebSocket analyzer as provided to :zeek:see:`websocket_handshake`.
+## aid: The identifier for the WebSocket analyzer as provided to :zeek:see:`websocket_established`.
 ##
 ## server_protocol: The protocol as found in the server's Sec-WebSocket-Protocol HTTP header, or empty.
 ##
 ## server_extensions: The extension as selected by the server via the Sec-WebSocket-Extensions HTTP Header.
 ##
-## .. zeek:see:: websocket_handshake
+## .. zeek:see:: websocket_established
 function __configure_analyzer%(c: connection, aid: count, config: WebSocket::AnalyzerConfig%): bool
 	%{
 	auto* analyzer = c->FindAnalyzer(aid);
--- a/testing/btest/Baseline/coverage.record-fields/out.default
+++ b/testing/btest/Baseline/coverage.record-fields/out.default
@ -887,10 +887,12 @@ connection {
  * websocket: record WebSocket::Info, log=F, optional=T
      WebSocket::Info {
        * client_extensions: vector of string, log=T, optional=T
+        * client_key: string, log=F, optional=T
        * client_protocols: vector of string, log=T, optional=T
        * host: string, log=T, optional=T
        * id: record conn_id, log=T, optional=F
            conn_id { ... }
+        * server_accept: string, log=F, optional=T
        * server_extensions: vector of string, log=T, optional=T
        * subprotocol: string, log=T, optional=T
        * ts: time, log=T, optional=F
--- a/testing/btest/Baseline/scripts.base.protocols.websocket.coalesced-reply-ping/out-coalesced
+++ b/testing/btest/Baseline/scripts.base.protocols.websocket.coalesced-reply-ping/out-coalesced
@ -1,5 +1,5 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
-websocket_handshake, CHhAvVGS1DHFjwGM9, 7
+websocket_established, CHhAvVGS1DHFjwGM9, 7
 websocket_frame, CHhAvVGS1DHFjwGM9, F, fin, T, rsv, 0, opcode, ping, payload_len, 4
 websocket_frame_data, CHhAvVGS1DHFjwGM9, F, len, 4, data, Zeek
 websocket_frame, CHhAvVGS1DHFjwGM9, T, fin, T, rsv, 0, opcode, pong, payload_len, 4
--- a/testing/btest/Baseline/scripts.base.protocols.websocket.coalesced-reply-ping/out-separate
+++ b/testing/btest/Baseline/scripts.base.protocols.websocket.coalesced-reply-ping/out-separate
@ -1,5 +1,5 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
-websocket_handshake, CHhAvVGS1DHFjwGM9, 7
+websocket_established, CHhAvVGS1DHFjwGM9, 7
 websocket_frame, CHhAvVGS1DHFjwGM9, F, fin, T, rsv, 0, opcode, ping, payload_len, 4
 websocket_frame_data, CHhAvVGS1DHFjwGM9, F, len, 4, data, Zeek
 websocket_frame, CHhAvVGS1DHFjwGM9, T, fin, T, rsv, 0, opcode, pong, payload_len, 4
--- a/testing/btest/Baseline/scripts.base.protocols.websocket.events/out
+++ b/testing/btest/Baseline/scripts.base.protocols.websocket.events/out
@ -1,6 +1,6 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
 jupyter-websocket.pcap
-websocket_handshake, CHhAvVGS1DHFjwGM9, 7, [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=127.0.0.1, orig_p=40492/tcp, resp_h=127.0.0.1, resp_p=51185/tcp], host=192.168.122.182, uri=/user/christian/api/kernels/f8645ecd-0a76-4bb1-9e6e-cb464276bc69/channels?session_id=deeecee7-efc2-42a1-a7c1-e1c0569436e3, user_agent=Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/118.0, subprotocol=v1.kernel.websocket.jupyter.org, client_protocols=[v1.kernel.websocket.jupyter.org], server_extensions=<uninitialized>, client_extensions=[permessage-deflate]]
+websocket_established, CHhAvVGS1DHFjwGM9, 7, [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=127.0.0.1, orig_p=40492/tcp, resp_h=127.0.0.1, resp_p=51185/tcp], host=192.168.122.182, uri=/user/christian/api/kernels/f8645ecd-0a76-4bb1-9e6e-cb464276bc69/channels?session_id=deeecee7-efc2-42a1-a7c1-e1c0569436e3, user_agent=Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/118.0, subprotocol=v1.kernel.websocket.jupyter.org, client_protocols=[v1.kernel.websocket.jupyter.org], server_extensions=<uninitialized>, client_extensions=[permessage-deflate], client_key=7K5Qx7HwJUsja5KzBhGvfQ==, server_accept=USseDip1PofjB67M6I5CNkbYbp0=]
 websocket_frame, CHhAvVGS1DHFjwGM9, T, fin, T, rsv, 0, opcode, binary, payload_len, 262
 websocket_frame_data, CHhAvVGS1DHFjwGM9, T, len, 262, data, \x06\x00\x00\x00\x00\x00\x00\x008\x00\x00\x00\x00\x00\x00\x00=\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x02\x01\x00\x00\x00\x00\x00\x00\x04\x01\x00\x00\x00\x00\x00\x00\x06\x01\x00\x00\x00\x00\x00\x00shell{"date":"2023-09-29T23:25:05.568Z","msg_id":"5af8fd02-14a1-
 websocket_message, CHhAvVGS1DHFjwGM9, T, opcode, binary
@ -44,7 +44,7 @@ websocket_frame, CHhAvVGS1DHFjwGM9, F, fin, T, rsv, 0, opcode, close, payload_le
 websocket_close, CHhAvVGS1DHFjwGM9, F, status, 0, reason, 
 websocket_message, CHhAvVGS1DHFjwGM9, F, opcode, close
 wstunnel-http.pcap
-websocket_handshake, CHhAvVGS1DHFjwGM9, 7, [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=127.0.0.1, orig_p=51102/tcp, resp_h=127.0.0.1, resp_p=8888/tcp], host=localhost:8888, uri=/v1/events, user_agent=<uninitialized>, subprotocol=v1, client_protocols=[v1, authorization.bearer.eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpZCI6IjAxOGNmZWFiLWY5OWQtNzBmNy05NmFmLTBlOGJhNjk2YTFmNiIsInAiOiJUY3AiLCJyIjoiemVlay5vcmciLCJycCI6ODB9.FsquetBp_jsIDzBslWyyTPlS2hcMprVuWmbT2r57N0A], server_extensions=<uninitialized>, client_extensions=<uninitialized>]
+websocket_established, CHhAvVGS1DHFjwGM9, 7, [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=127.0.0.1, orig_p=51102/tcp, resp_h=127.0.0.1, resp_p=8888/tcp], host=localhost:8888, uri=/v1/events, user_agent=<uninitialized>, subprotocol=v1, client_protocols=[v1, authorization.bearer.eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpZCI6IjAxOGNmZWFiLWY5OWQtNzBmNy05NmFmLTBlOGJhNjk2YTFmNiIsInAiOiJUY3AiLCJyIjoiemVlay5vcmciLCJycCI6ODB9.FsquetBp_jsIDzBslWyyTPlS2hcMprVuWmbT2r57N0A], server_extensions=<uninitialized>, client_extensions=<uninitialized>, client_key=FdRecb4tsolqJgO+HrbUfg==, server_accept=PbXiEPoL5O2wxc6/MdNHnSOXy+c=]
 websocket_frame, CHhAvVGS1DHFjwGM9, T, fin, T, rsv, 0, opcode, binary, payload_len, 72
 websocket_frame_data, CHhAvVGS1DHFjwGM9, T, len, 72, data, GET / HTTP/1.1\x0d\x0aHost: zeek.org\x0d\x0aUser-Agent: curl/7.81.0\x0d\x0aAccept: */*\x0d\x0a\x0d\x0a
 websocket_message, CHhAvVGS1DHFjwGM9, T, opcode, binary
@ -60,7 +60,7 @@ websocket_close, CHhAvVGS1DHFjwGM9, F, status, 1000, reason,
 websocket_frame_data, CHhAvVGS1DHFjwGM9, F, len, 2, data, \x03\xe8
 websocket_message, CHhAvVGS1DHFjwGM9, F, opcode, close
 broker-websocket.pcap
-websocket_handshake, CHhAvVGS1DHFjwGM9, 7, [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=127.0.0.1, orig_p=38776/tcp, resp_h=127.0.0.1, resp_p=27599/tcp], host=localhost:27599, uri=/v1/messages/json, user_agent=Python/3.10 websockets/12.0, subprotocol=<uninitialized>, client_protocols=<uninitialized>, server_extensions=<uninitialized>, client_extensions=[permessage-deflate; client_max_window_bits]]
+websocket_established, CHhAvVGS1DHFjwGM9, 7, [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=127.0.0.1, orig_p=38776/tcp, resp_h=127.0.0.1, resp_p=27599/tcp], host=localhost:27599, uri=/v1/messages/json, user_agent=Python/3.10 websockets/12.0, subprotocol=<uninitialized>, client_protocols=<uninitialized>, server_extensions=<uninitialized>, client_extensions=[permessage-deflate; client_max_window_bits], client_key=E58pVwft35HPkD/MFCjtEA==, server_accept=HxOmr1a2nvOOc4Qiv7Ou3wrCsJc=]
 websocket_frame, CHhAvVGS1DHFjwGM9, T, fin, T, rsv, 0, opcode, text, payload_len, 24
 websocket_frame_data, CHhAvVGS1DHFjwGM9, T, len, 24, data, ["/zeek/event/my_topic"]
 websocket_message, CHhAvVGS1DHFjwGM9, T, opcode, text
--- a/testing/btest/Baseline/scripts.base.protocols.websocket.key-accept-wrong/websocket.log
+++ b/testing/btest/Baseline/scripts.base.protocols.websocket.key-accept-wrong/websocket.log
@ -0,0 +1,11 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	websocket
+#open XXXX-XX-XX-XX-XX-XX
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	host	uri	user_agent	subprotocol	client_protocols	server_extensions	client_extensions
+#types	time	string	addr	port	addr	port	string	string	string	string	vector[string]	vector[string]	vector[string]
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	127.0.0.1	53654	127.0.0.1	8080	localhost:8080	/	Python/3.10 websockets/12.0	v1	v1	-	permessage-deflate; client_max_window_bits
+#close XXXX-XX-XX-XX-XX-XX
--- a/testing/btest/Baseline/scripts.base.protocols.websocket.key-accept-wrong/weird.log
+++ b/testing/btest/Baseline/scripts.base.protocols.websocket.key-accept-wrong/weird.log
@ -0,0 +1,11 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	weird
+#open XXXX-XX-XX-XX-XX-XX
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	name	addl	notice	peer	source
+#types	time	string	addr	port	addr	port	string	string	bool	string	string
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	127.0.0.1	53654	127.0.0.1	8080	websocket_wrong_accept_header	expected=N8ntNYkX6Qerw4tK3s/CYzpSZNc=, found=N8ntNYkX6Qerw4tK3s/CYzpSZNc=-wrong	F	zeek	WebSocket
+#close XXXX-XX-XX-XX-XX-XX
--- a/testing/btest/Traces/websocket/wrong-accept-header.pcap
+++ b/testing/btest/Traces/websocket/wrong-accept-header.pcap
--- a/testing/btest/scripts/base/protocols/websocket/coalesced-reply-ping.zeek
+++ b/testing/btest/scripts/base/protocols/websocket/coalesced-reply-ping.zeek
@ -12,9 +12,9 @@

@load base/protocols/websocket

-event websocket_handshake(c: connection, aid: count)
+event websocket_established(c: connection, aid: count)
 	{
-	print "websocket_handshake", c$uid, aid;
+	print "websocket_established", c$uid, aid;
 	}

 event websocket_frame(c: connection, is_orig: bool, fin: bool, rsv: count, opcode: count, payload_len: count)
--- a/testing/btest/scripts/base/protocols/websocket/events.zeek
+++ b/testing/btest/scripts/base/protocols/websocket/events.zeek
@ -12,9 +12,9 @@

@load base/protocols/websocket

-event websocket_handshake(c: connection, aid: count)
+event websocket_established(c: connection, aid: count)
 	{
-	print "websocket_handshake", c$uid, aid, c$websocket;
+	print "websocket_established", c$uid, aid, c$websocket;
 	}

 event websocket_message(c: connection, is_orig: bool, opcode: count)
--- a/testing/btest/scripts/base/protocols/websocket/key-accept-wrong.zeek
+++ b/testing/btest/scripts/base/protocols/websocket/key-accept-wrong.zeek
@ -0,0 +1,7 @@
+# @TEST-DOC: Test weird generation when the Sec-WebSocket-Accept socket isn't as expected.
+#
+# @TEST-EXEC: zeek -b -r $TRACES/websocket/wrong-accept-header.pcap %INPUT
+# @TEST-EXEC: btest-diff websocket.log
+# @TEST-EXEC: btest-diff weird.log
+
+@load base/protocols/websocket