Design And Implementation Of WebSocket Security Subprotocol Based On Node Platform

Posted on: 2017-03-13
Degree: Master
Type: Thesis
Country: China
Candidate: J Zhu
Full Text: PDF
GTID: 2348330503972509
Subject: Computer technology
Abstract/Summary:
WebSocket, introduced in HTML5 as an asynchronous full-duplex communication scheme between client and server, is widely used for server push, real-time communication and other fields. However, the WebSocket protocol does not authenticate the user who requests the connection, so the connection is at risk of cross-site hijacking: an attacker can exploit this to impersonate a user's identity and establish malicious connections. Based on a thorough analysis of the standard protocol and the security of its connection handshake and data transmission, this paper discusses the problem of a user's identity being disguised or the connection being hijacked without the user's knowledge, and proposes a defense strategy in the form of a WebSocket security subprotocol called wsguard. It then analyzes the theoretical security feasibility of the subprotocol and designs its syntax, semantics and timing sequence, the core of which is the identity authentication and data transmission mechanism. The subprotocol wsguard guarantees the security of the data and resolves the risk of cross-site hijacking in WebSocket by using a hybrid encryption algorithm to negotiate the key, transferring identity authentication information, and verifying the client's identity when handling connection requests and parsing data. Following the protocol design, it is implemented on the Node platform in a sample system. To verify the effectiveness of the subprotocol, it is configured in an existing open-source project, which is then scanned and attacked with vulnerability testing tools such as IronWASP and Burp Suite; comparison and analysis of the test results show that the subprotocol significantly improves the security of WebSocket and has no significant impact on application response time, in line with the expected requirements.
Keywords/Search Tags: Cross-site hijacking, WebSocket, Subprotocol, Node platform