WebRTC Penetration Testing

what is WebRTC?

WebRTC is an open framework being standardised by the W3C and the IETF that enables Real-Time Communication (RTC) directly between web browsers. There are no extra browser plugins required for WebRTC.

WebRTC enables direct media-rich RTC applications such as real-time audio and video calls, web conferencing and P2P direct data transfer using native browser technology.

WebRTC supports both peer-to-peer (P2P) communication as well as communication which requires NAT or firewall traversal by leveraging technologies such as STUN, TURN, ICE and RTP proxies. Furthermore, WebRTC abstracts signalling, permitting developers to choose the signalling protocol (WebSockets, XMLHttpRequest, SIP, XMPP).

What is WebRTC penetration testing?

The major difference between most real-time systems (e.g. SIP), WebRTC communications are directly controlled by some Web server, via a JavaScript API.

The prospect of enabling embedded audio and visual communication in a browser without plugins is marvellous. However, this obviously uplifts the concerns over the security and whether it can be trusted to provide reliable communication for both the end-users and any intermediary carriers or third parties is often questionable.  Penetration Testing and finding out the security gaps is therefore paramount.

WebRTC PenTesting

The Scope of WebRTC pen testing

  • SIP vulnerabilities and misconfigurations (extension enumeration, online password cracking, SIP digest leak)
  • Injection vulnerabilities in SDP descriptions and custom signalling protocols
  • Eavesdropping on other ongoing audio and/or video streams
  • DTLS denial of service, certificate handling, insecure ciphers and data disclosure vulnerabilities
  • Message parsing vulnerabilities, especially affecting custom signalling protocols
  • TURN and RTP proxy server misconfigurations
  • Transcoding vulnerabilities, generally causing denial of service and remote code execution.

WebRTC Attack Methodology

WebRTC Enumeration

The WebRTC servers that the phones are communicating with and classify systems by giving an IP address or a range of IP addresses. Enumerate the type of SIP requests. It is done by our expert penetration testers who have in-depth knowledge in the VoIP Pen Testing.

WebRTC call relaying – intruders can make calls for free at victim company’s expense. It is a way evading the dial-plan security systems.

WebRTC Protocols Analysis

Session Description Protocol (SDP) Protocol

Interactivity Connectivity Establishment (ICE) Protocol

Session Traversal Utilities for NAT Protocol

Traversal Using Relays around NAT Protocol.

MiTM Attacks

If the intruder is able to intercept the initial SIP messages, then Man-in-the-Middle-Attack (MiTM) is bound to happen.

Replay attack

Captured packets could be replayed to the server by a malicious intruder, causing the server to call the original destination of a call. It would possibly take the form of a second unsolicited call request, identical to one the party had already received. Although security breach, the intruder would not be part of the call, as their IP data does not get logged in the signalling packets.

Session hijacking

Web servers are not stateful, with each request served a separate session (alleviates the need for continuously authenticating). Cookies for authentication, however nothing more than a data file containing the session ID. These cookies are sent by the webserver to the browser upon initial foothold.

TURN and RTP Proxy Server Pen Testing

TURN and RTP Proxy Server Pen Testing

Re-Testing

After patching the defects, we perform an in-depth reassessment to ensure there are no vulnerabilities.

We ensure that the patches did not inject any additional vulnerabilities as well.