
Ijaws2014 - websockets, elb and security


  • WebSockets + Elastic Load Balancer

    Sergio @ coursebase.co

  • New analytics features

  • Before (HTTP listener, long-polling): ELB terminates HTTP and appends the client address

    X-Forwarded-For: Ip, Ip, ...

    After (engine=websocket): the ELB listener is plain TCP, so no HTTP header is added and the API no longer sees

    X-Forwarded-For: Ip, Ip, ...

  • PROXY protocol (supported by ELB since 30/07/2013)

    1) Read the ELB docs and enable it on the TCP listener with the aws elb CLI

    The ELB then prefixes every TCP connection with one line (TCP4 or TCP6):

    PROXY TCP4 remoteAddress proxyAddress remotePort proxyPort\r\n
    e.g. PROXY TCP4 1.1.1.1 2.2.2.2 34567 80\r\n

    2) Use a library in your API to read this line off the socket before the HTTP/WebSocket traffic

    Note: the socket.io polling engine requires sticky sessions

  • Big picture

    client --SSL--> elbip:443 (ELB, TCP listener) --PROXY line + HTTP--> ec2ip:80 (API)

    @TODO Use SPDY (move SSL termination into the API)

  • Is your ec2ip:80 reachable directly, and not only from the ELB?

  • Proof of concept: anyone who can reach ec2ip:80 directly can write their own PROXY line in front of the request

    $ cat proxy.txt
    PROXY TCP4 ijaws2014 ec2ip 80 80\r\n
    GET /x/ HTTP/1.1\r\n
    User-Agent: curl/7.35.0\r\n
    Host: ec2ip\r\n
    Accept: */*\r\n
    \r\n
    \r\n
    $ cat proxy.txt | nc ec2ip 80

    The "remote address" field now holds whatever the sender chose (here the string ijaws2014); the API takes it for the client IP exactly as it would a line written by the ELB.

  • ElasticSearch: the stored @ip is the spoofed value from the forged PROXY line

  • OWASP Top 10 (2013)

    A1 - Injection
    A2 - Broken Authentication and Session Management
    A3 - Cross-Site Scripting (XSS)
    A4 - Insecure Direct Object References
    A5 - Security Misconfiguration
    A6 - Sensitive Data Exposure
    A7 - Missing Function Level Access Control
    A8 - Cross-Site Request Forgery (CSRF)
    A9 - Using Components with Known Vulnerabilities
    A10 - Unvalidated Redirects and Forwards

  • AWS security group rules

    Don't hardcode the ELB's IPs in the instance firewall; allow ec2ip:80 only from the ELB's security group, so nothing but the load balancer can open the port and send a PROXY line.

  • Questions? Sergio @ coursebase.co