Kingdom: Security Features

Software security is not security software. Here we're concerned with topics like authentication, access control, confidentiality, cryptography, and privilege management.

ASP.NET Bad Practices: Compression Over Encrypted WebSocket Connection

C#/VB.NET/ASP.NET

Abstract

The application enables dangerous compression.

Explanation

The application uses code that enables the permessage-deflate WebSocket extension which allows for compression over encrypted connections. Enabling this type of compression makes the application subject to the CRIME and BREACH type of attacks.

Example 1: The following code sets DangerousEnableCompression to true in order to enable the 'per-message-deflate' extension:


    app.Run(async context => {
        using var websocket = await context.WebSockets.AcceptWebSocketAsync(new WebSocketAcceptContext() { DangerousEnableCompression = true });
        await websocket.SendAsync(...);
        await websocket.ReceiveAsync(...);
        await websocket.CloseAsync(WebSocketCloseStatus.NormalClosure, null, default);
    });

Example 2: The following code uses DangerousDeflateOptions to set the options for the 'per-message-deflate' extension:


    using ClientWebSocket ws = new() {
        Options = {
            CollectHttpResponseDetails = true,
            DangerousDeflateOptions = new WebSocketDeflateOptions() {
                ClientMaxWindowBits = 10,
                ServerMaxWindowBits = 10
            }
        }
    };

References

[1] WebSocketAcceptContext DangerousEnableCompression Property, Microsoft

[2] ClientWebSocketOptions DangerousDeflateOptions Property, Microsoft

[3] CRIME, CVE

[4] BREACH, CVE

[5] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1

[6] Standards Mapping - CIS Microsoft Azure Foundations Benchmark partial

[7] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5

[8] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1

[9] Standards Mapping - CIS Google Kubernetes Engine Benchmark integrity

[10] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[11] Standards Mapping - OWASP Application Security Verification Standard 4.0 9.1.1 Communications Security Requirements (L1 L2 L3), 9.1.1 Communications Security Requirements (L1 L2 L3), 9.1.1 Communications Security Requirements (L1 L2 L3)

[12] Standards Mapping - OWASP Mobile 2024 M8 Security Misconfiguration

[13] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 4.2.1, Requirement 6.2.4

[14] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3150.1 CAT II, APP3150.1 CAT II

[15] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3150.1 CAT II, APP3150.1 CAT II

[16] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3150.1 CAT II, APP3150.1 CAT II

[17] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3150.1 CAT II, APP3150.1 CAT II

[18] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3150.1 CAT II, APP3150.1 CAT II

[19] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3150.1 CAT II, APP3150.1 CAT II

[20] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3150.1 CAT II, APP3150.1 CAT II

desc.semantic.dotnet.asp_dotnet_bad_practices_compression_over_encrypted_websocket_connection