Looking into WebSocket Traffic in HAR Capture

2022-07-29 Keysight
WebSocket,BreakingPoint HAR Simulation,KEYSIGHT

WebSocket is an application layer communication protocol (RFC 6455) that establishes a persistent full-duplex communication channel over the web. This allows both the client and server to transfer data simultaneously. This protocol is mainly used to create transport tunnels for other non-HTTP protocols used in applications such as messaging, video conferencing, and multiplayer games.


WebSocket is bootstrapped from HTTP: the client asks for an HTTP connection upgrade, and the resulting channel is then used to tunnel other application data like MQTT, WebRTC, etc.


WebSocket resembles HTTP as a client-server protocol but offers some extra features:

WebSocket is particularly useful on websites where the client needs constant updates from the server. If plain HTTP were used for this, the client would have to poll the server with repeated requests for information, each on a different connection. With WebSocket, once a connection is established it stays persistent until one of the parties closes it, and the server can continuously push information to the client.


WebSocket Messages in HAR Capture:

If an item in the HAR "entries" array contains WebSocket frames, then the "_resourceType" field of that entry (i.e., the type of resource loaded) is set to "WebSocket", and the actual WebSocket messages are present inside its "_webSocketMessages" field.

The image below illustrates how WebSocket works - 

A WebSocket communication is initiated through an HTTP connection upgrade. The client sends an HTTP/1.1 GET request to the server saying that it wants to open a WebSocket connection. This request carries several WebSocket-specific headers:

"Connection: Upgrade" and "Upgrade: WebSocket" indicate that the client is asking the server to upgrade the connection to a WebSocket connection.

"Sec-WebSocket-Version" indicates the WebSocket protocol version to be used.

"Sec-WebSocket-Key" is a client-generated value that the server uses to compute "Sec-WebSocket-Accept".


Note: WebSocket URIs do not use the http:// or https:// scheme. They use the dedicated ws:// scheme, or wss:// for secure WebSocket, to establish a WebSocket connection.


In the HAR file, a typical WebSocket handshake (client) request looks like this – 

Here, all the WebSocket-specific headers such as "Upgrade", "Connection", "Sec-WebSocket-Key" and "Sec-WebSocket-Version", together with the URI (which starts with the "wss://" scheme), are present as key-value pairs inside that HAR entry.


If the server accepts the WebSocket connection request, it replies with an HTTP response with status code 101 (Switching Protocols). The response carries some specific headers:

"Upgrade: WebSocket" and "Connection: Upgrade" indicate that the protocol change is approved by the server.

"Sec-WebSocket-Accept", derived from the client's "Sec-WebSocket-Key", indicates that the server is ready to start the WebSocket communication with the client.


Note: Any response status code other than 101 indicates that the WebSocket handshake was not completed.


In the HAR file, the server handshake response looks like this – 

In a HAR capture, the WebSocket response headers ("Sec-WebSocket-Accept", "Connection: Upgrade", "Upgrade: WebSocket", etc.) are present as key-value pairs inside that HTTP response's header list. Also, "status", "statusText" and "httpVersion" must be set to "101", "Switching Protocols" and "HTTP/1.1" respectively.


When the HTTP handshake is completed, the actual data transfer starts between the client and the server in full-duplex mode. In the HAR file, the WebSocket messages are present in the "_webSocketMessages[]" array of that HAR "entries" item. Please see the image below -

Inside the array, each WebSocket frame carries several fields –

type – direction of the WebSocket message: client to server ("send") or server to client ("receive")

time – Unix epoch timestamp of when the frame was transferred over the WebSocket

opcode – the frame type of the WebSocket frame (for example text or binary)

data – the actual payload carried over the WebSocket protocol
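To check these fields in a real capture, here is an added Python example (not from the original post and not part of Keysight's HAR Simulation) that loads a HAR document, validates the upgrade handshake of every WebSocket entry, including that Sec-WebSocket-Accept is the RFC 6455 SHA-1/base64 derivation of Sec-WebSocket-Key, and counts frames by direction and opcode. The embedded HAR, its URL and its timestamps are constructed for illustration; the key/accept pair is the RFC's own example.

```python
import base64, hashlib, json

# RFC 6455 GUID that the server appends to Sec-WebSocket-Key before SHA-1 and base64.
WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"

def expected_accept(key):
    """Sec-WebSocket-Accept value a compliant server must return for this key."""
    return base64.b64encode(hashlib.sha1((key + WS_GUID).encode()).digest()).decode()

def check_websocket_entry(entry):
    """Validate the upgrade handshake of one HAR entry and summarise its frames."""
    req, resp = entry["request"], entry["response"]
    rq = {h["name"].lower(): h["value"] for h in req["headers"]}   # header names are
    rs = {h["name"].lower(): h["value"] for h in resp["headers"]}  # case-insensitive
    key = rq.get("sec-websocket-key")
    checks = [  # (condition that must hold, problem reported when it does not)
        (req["url"].lower().startswith(("ws://", "wss://")), "URL is not ws:// or wss://"),
        (rq.get("upgrade", "").lower() == "websocket", "request lacks Upgrade: websocket"),
        ("upgrade" in rq.get("connection", "").lower(), "request lacks Connection: Upgrade"),
        (rq.get("sec-websocket-version") == "13", "Sec-WebSocket-Version is not 13 (RFC 6455)"),
        (resp["status"] == 101, "handshake not completed: status %s" % resp["status"]),
        (key is not None and rs.get("sec-websocket-accept") == expected_accept(key),
         "Sec-WebSocket-Accept does not match Sec-WebSocket-Key"),
    ]
    summary = {"url": req["url"], "problems": [msg for ok, msg in checks if not ok],
               "send": 0, "receive": 0}
    for frame in entry.get("_webSocketMessages", []):   # one object per frame
        summary[frame["type"]] += 1                     # "send" or "receive"
        kind = {1: "text", 2: "binary"}.get(frame["opcode"], "other")  # RFC 6455 opcodes
        summary[kind] = summary.get(kind, 0) + 1
    return summary

def check_har(har_text):
    """One report per WebSocket entry, selected by the _resourceType field."""
    return [check_websocket_entry(e) for e in json.loads(har_text)["log"]["entries"]
            if e.get("_resourceType", "").lower() == "websocket"]

hdrs = lambda d: [{"name": k, "value": v} for k, v in d.items()]  # HAR header list shape
# Constructed sample HAR, not a real capture; the key/accept pair is RFC 6455's own example.
SAMPLE_HAR = json.dumps({"log": {"entries": [{"_resourceType": "websocket",
    "request": {"url": "wss://chat.example.test/socket", "headers": hdrs({
        "Connection": "Upgrade", "Upgrade": "websocket", "Sec-WebSocket-Version": "13",
        "Sec-WebSocket-Key": "dGhlIHNhbXBsZSBub25jZQ=="})},
    "response": {"status": 101, "statusText": "Switching Protocols", "headers": hdrs({
        "Connection": "Upgrade", "Upgrade": "websocket",
        "Sec-WebSocket-Accept": "s3pPLMBiTxaQ9kYGzzhZRbK+xOo="})},
    "_webSocketMessages": [
        {"type": "send", "time": 1656633600.0, "opcode": 1, "data": "hello"},
        {"type": "receive", "time": 1656633600.2, "opcode": 1, "data": "hi"},
        {"type": "receive", "time": 1656633601.0, "opcode": 2, "data": "AAEC"}]}]}})
```

Running `check_har` over a real export (for example `open("capture.har").read()`) lists every WebSocket entry with an empty `problems` list when the handshake is well formed, and names the offending header or status otherwise.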


WebSocket Support in BreakingPoint HAR Simulation

Keysight has added WebSocket support to our new BPS feature, HTTP Archive Record (HAR) Simulation, released in the ATI-2022-15 StrikePack. Now, if a HAR capture contains a WebSocket session, it is simulated through HAR Simulation and can be encrypted with either TLS 1.2 or TLS 1.3.

We have also added two new HAR simulation superflows that contain WebSocket sessions –


1. Quora WebSocket HAR Replay over TLS1.2

This simulates the WebSocket session in a HAR collected from the user chat function of the Quora webpage as of June 2022. The WebSocket session is initiated via an HTTP/1.1 connection upgrade over a single TCP connection encrypted with TLS 1.2.


2. Quora WebSocket HAR Replay over TLS1.3

This simulates the WebSocket session in a HAR collected from the user chat function of the Quora webpage as of June 2022. The WebSocket session is initiated via an HTTP/1.1 connection upgrade over a single TCP connection encrypted with TLS 1.3.

Leverage Subscription Service to Stay Ahead of Attacks

Keysight's Application and Threat Intelligence subscription provides daily malware updates and bi-weekly updates of the latest application protocols and vulnerabilities for use with Keysight test platforms. The ATI Research Centre continuously monitors threats as they appear in the wild. Customers of BreakingPoint now have access to attack campaigns for different advanced persistent threats, allowing them to test the ability of their currently deployed security controls to detect or block such attacks.
