The 4.2 release of the Signal Sciences agent introduces WebSocket traffic inspection, enabling customers to extend the coverage of applications, APIs, and microservices protected by Signal Sciences next-gen WAF to apps and services that utilize the WebSockets protocol. Rarely found in traditional WAF solutions, WebSocket traffic inspection and malicious request blocking is yet another example of how Signal Sciences technology stands apart and truly empowers customers to protect any app or API from any web attack. But first…

What are WebSockets?

WebSockets are an alternative communications protocol to HTTP that allows for bi-directional, real-time communication between a client and server via a persistent channel. The HTTP protocol operates in a request/response fashion, which can cause headaches (e.g. constant polling, HTTP request header overhead, etc.) when trying to implement applications that require real-time communication, e.g. a chat application or multiplayer gaming server. WebSockets are also seeing adoption in IoT (Internet of Things) services and are increasingly becoming part of the portfolio of apps and services security and devops teams must secure.

New Protocol, Same Vulnerabilities

The WebSocket protocol can be used to transmit binary and text based payloads and as such is still vulnerable to injection based attacks like SQL injection and XSS, or Cross-Site Scripting. The protocol simply ensures that a connection between a client and server persists and communications occur in real-time; bad actors can still take advantage of this protocol to transmit malicious code to steal or deface your data, or worse.

WebSocket Protection in Signal Sciences

Configuring WebSocket Inspection

The Signal Sciences agent can be configured to act as a reverse proxy, fronting your apps and APIs, and in that configuration, be set to inspect WebSocket traffic in addition to HTTP. A third party reverse proxy or load balancer isn’t required! Setting up WebSocket inspection is a straightforward two step process:

1. Deploy the Signal Sciences agent as a reverse proxy to your WebSocket app or API
2. Set the agent configuration to enable WebSocket inspection

At this point, Signal Sciences will automatically inspect any incoming WebSocket request with a text-based payload for any malicious attacks or anomalies and based on your Signal Sciences rules, flag and/or block the connection.

Creating Rules for WebSocket Traffic

Signal Sciences Power Rules provides users with a flexible way to customize what types of requests/attacks/anomalies Signal Sciences should flag and/or block without the need for regex or scripting. Parameters and values passed in WebSockets can be referenced in power rules exactly as it’s currently done for JSON POST bodies sent over HTTP. The official documentation provides an example and details of how this is accomplished in the Signal Sciences console.

Blocking Malicious WebSocket Traffic

Signal Sciences Power Rules provide the ability to specify an action when a request is seen that matches the conditions in the rule. Typical actions for requests that match a rule are allow, tag, and/or block. WebSocket inspection takes advantage of the same actions:  when a “block” action is effected, Signal Sciences will close the connection.

As application development teams continue to move fast in an effort to deliver the best experiences possible to their customers, it’s incumbent upon them to adopt new technologies that make that outcome possible. Signal Sciences is devoted to ensuring Security teams aren’t left behind and have the best tools on hand to protect the applications their dev teams are building and improving upon every day. Interested in learning more? Sign up for a demo!