hacking websockets

HACKING WEBSOCKETS FOR FUN AND PROFIT @tomekcejner 2015 / SmartRecruiters Inc.

Upload: tomek-cejner

Post on 22-Jan-2018


Category:

Software



TRANSCRIPT

Page 1: Hacking websockets

HACKING WEBSOCKETS FOR FUN AND PROFIT

@tomekcejner 2015 / SmartRecruiters Inc.

Page 2: Hacking websockets

WHAT

REALTIME COMMUNICATION
FULL DUPLEX
LOW LATENCY

Page 3: Hacking websockets

FOR

SOCIAL FEEDS
CHAT
COMMON EDITING
MONITORING

Page 4: Hacking websockets

COMPARING TECHNIQUES

[Diagram: BROWSER, SERVER]

Page 5: Hacking websockets

POLLING

[Diagram: BROWSER, SERVER; labels: EVENT, EVENT]

Page 6: Hacking websockets

POLLING

SIMPLE
ALWAYS WORKS
HIGH TRAFFIC
HIGH LATENCY

Page 7: Hacking websockets

LONG POLLING

[Diagram: BROWSER, SERVER; label: EVENT]

Page 8: Hacking websockets

LONG POLLING

NEAR-REALTIME VERY LONG REQUESTS WILL BLOCK THREADS

NEEDS STICKY LOADBALANCING

Page 9: Hacking websockets

STREAMING

[Diagram: BROWSER, SERVER; labels: EVENT, EVENT, RESPONSE PART, RESPONSE PART]

Page 10: Hacking websockets

STREAMING

NEAR REALTIME
BUFFERING PROXY WILL RUIN

Page 11: Hacking websockets

WEBSOCKETS

[Diagram: BROWSER, SERVER; labels: EVENT, EVENT, UPGRADE]

Page 12: Hacking websockets

WEBSOCKETS

REALTIME
DUPLEX
SUPPORTED BY LATEST BROWSERS
MAY BE BROKEN BY SOME PROXIES

Page 13: Hacking websockets

CAN I USE?

http://caniuse.com/#feat=websockets

Page 14: Hacking websockets

WEBSOCKETS API

Page 15: Hacking websockets

var socket = new WebSocket('ws://game.example.com:12010/updates');
socket.onopen = function () {
  setInterval(function() {
    if (socket.bufferedAmount == 0)
      socket.send(getUpdateData());
  }, 50);
};

Page 16: Hacking websockets

EMITTING MESSAGES

SEND TEXT OR BINARY FRAME
LOW OVERHEAD: 2 BYTES PER FRAME

Page 17: Hacking websockets

TEXT FRAME

0x81 0x05 0x48 0x65 0x6c 0x6c 0x6f

H e l l o
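The frame layout above, as an added example that is not part of the original slides: a minimal RFC 6455 frame decoder for Node.js. It goes beyond the slide's single unmasked frame to cover the 4-byte masking key that client-to-server frames carry and the extended length fields, so the 2-byte header is the minimum, not the only case. `decodeFrame`, `MAX_PAYLOAD` and the 1 MiB cap are names and values chosen here.

```javascript
// Added example (not from the slides): minimal RFC 6455 frame decoder.
const MAX_PAYLOAD = 1 << 20; // assumed 1 MiB cap; reject oversized lengths early

function decodeFrame(buf) {
  if (buf.length < 2) throw new Error('truncated header');
  const fin = (buf[0] & 0x80) !== 0;    // final fragment of the message
  const opcode = buf[0] & 0x0f;         // 0x1 text, 0x2 binary, 0x8 close
  const masked = (buf[1] & 0x80) !== 0; // set on client-to-server frames
  // Assumes no extension was negotiated, so RSV1-3 must be zero.
  if (buf[0] & 0x70) throw new Error('reserved bits set');
  let len = buf[1] & 0x7f;
  let off = 2;
  if (len === 126) {                    // 16-bit extended length follows
    if (buf.length < 4) throw new Error('truncated length');
    len = buf.readUInt16BE(2);
    off = 4;
  } else if (len === 127) {             // 64-bit extended length follows
    if (buf.length < 10) throw new Error('truncated length');
    const big = buf.readBigUInt64BE(2);
    if (big > BigInt(MAX_PAYLOAD)) throw new Error('payload too large');
    len = Number(big);
    off = 10;
  }
  if (len > MAX_PAYLOAD) throw new Error('payload too large');
  let key = null;
  if (masked) {                         // 4-byte masking key precedes payload
    if (buf.length < off + 4) throw new Error('truncated mask');
    key = buf.subarray(off, off + 4);
    off += 4;
  }
  if (buf.length < off + len) throw new Error('truncated payload');
  const payload = Buffer.from(buf.subarray(off, off + len)); // copy, then unmask
  if (key) for (let i = 0; i < len; i++) payload[i] ^= key[i % 4];
  return { fin, opcode, masked, headerLength: off, payload };
}

// The unmasked frame from the slide (server to client): 2 header bytes.
const SLIDE_FRAME = Buffer.from([0x81, 0x05, 0x48, 0x65, 0x6c, 0x6c, 0x6f]);
// The same "Hello" masked, as a browser sends it (RFC 6455 section 5.7 example).
const MASKED_FRAME = Buffer.from(
  [0x81, 0x85, 0x37, 0xfa, 0x21, 0x3d, 0x7f, 0x9f, 0x4d, 0x51, 0x58]);

for (const f of [SLIDE_FRAME, MASKED_FRAME]) {
  const d = decodeFrame(f);
  console.log(d.masked ? 'masked' : 'unmasked', d.headerLength, d.payload.toString('utf8'));
}
```

A server that reads frames itself should reject the declared length before allocating for it, which is what the `MAX_PAYLOAD` checks do.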

Page 18: Hacking websockets
Page 19: Hacking websockets

JAVASCRIPT WEBSOCKETS FRAMEWORK

CLIENT WITH FALLBACKS
NODE.JS SERVER

Page 20: Hacking websockets

CODE

SERVER

var app = require('express')();
var server = require('http').Server(app);
var io = require('socket.io')(server);

server.listen(80);

// Serve the page that loads the Socket.IO client
app.get('/', function (req, res) {
  res.sendFile(__dirname + '/index.html');
});

// Greet each new connection and log what the client sends back
io.on('connection', function (socket) {
  socket.emit('news', { hello: 'world' });
  socket.on('my other event', function (data) {
    console.log(data);
  });
});

CLIENT

<script src="/socket.io/socket.io.js"></script>
<script>
  var socket = io.connect('http://localhost');
  socket.on('news', function (data) {
    console.log(data);
    socket.emit('my other event', { my: 'data' });
  });
</script>

Page 21: Hacking websockets

CHALLENGES

STATEFULNESS
SCALABILITY
BROADCASTING

Page 22: Hacking websockets

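BROADCASTING

// Put every new connection into a room
io.on('connection', function(socket){
  socket.join('some room');
});

// Emit to everyone in that room
io.to('some room').emit('some event');

// Relay a message from one client to the socket with the given id
io.on('connection', function(socket){
  socket.on('say to someone', function(id, msg){
    socket.broadcast.to(id).emit('my message', msg);
  });
});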

Page 23: Hacking websockets

MULTIPLE NODES

[Diagram: Node A, CLIENT 1, CLIENT 2; Node B, CLIENT 3, CLIENT 4; ?]

Page 24: Hacking websockets

SCALING

https://github.com/socketio/socket.io-redis

Page 25: Hacking websockets

RESOURCES

http://socket.io

Socket.IO Swift client https://github.com/socketio/socket.io-client-swift

Benefits of Web Sockets https://www.websocket.org/quantum.html

Web Sockets API http://dev.w3.org/html5/websockets/

Web Sockets RFC https://tools.ietf.org/html/rfc6455

Difference between polling, long polling and web sockets explained: http://stackoverflow.com/questions/10028770/html5-websocket-vs-long-polling-vs-ajax-vs-webrtc-vs-server-sent-events

http://stackoverflow.com/questions/11077857/what-are-long-polling-websockets-server-sent-events-sse-and-comet

Page 26: Hacking websockets

THANK YOU

That’s all

Page 27: Hacking websockets

BONUS CONTENT

Page 28: Hacking websockets

TRACKING USERS IN REDIS

SADD mob:online:7501234 55e83ebae4b00f589364debd

SISMEMBER mob:online:7501234 55e83ebae4b00f589364debd

SMEMBERS mob:online:7501234