WebRTC Penetration Test
WebRTC is an open framework being standardised by the W3C and the IETF which enables Real Time Communication (RTC) directly between browsers without the need for browser plugins. WebRTC supports both peer-to-peer (P2P) communication as well as communication which requires NAT or firewall traversal by leveraging technologies such as STUN, TURN, ICE and RTP proxies. Furthermore, WebRTC abstracts signalling, allowing developers to choose the signalling protocol (WebSockets, XMLHttpRequest, SIP, XMPP…) that best suits their application.
WebRTC enables direct media-rich RTC applications such as real-time audio and/or video calls, web conferencing and P2P direct data transfer using native browser technology. However, the infrastructure to support these applications is typically complex, mission critical and the perfect breeding ground for vulnerabilities and misconfigurations.
Similar to other RTC applications like VoIP, attacks on WebRTC infrastructure can range from service outages as a result of Denial of Service attacks, to malicious users eavesdropping on confidential communications, and may even escalate to compromise of the WebRTC server infrastructure itself.
At Enable Security, we have unique experience in testing the security of WebRTC infrastructure. We have developed internal specialized tools such as SIPVicious PRO, which supports technologies used in WebRTC, and fuzzers which gives us the competitive advantage.
What do we cover?
The scope of a WebRTC penetration test will largely depend on the WebRTC stack being used. The following are some common attack targets that are often part of a WebRTC pentest:
- SIP vulnerabilities and misconfigurations (extension enumeration, online password cracking, SIP digest leak)
- Injection vulnerabilities in SDP descriptions and custom signalling protocols
- Eavesdropping on other ongoing audio and/or video streams
- DTLS denial of service, certificate handling, weak ciphers and information disclosure vulnerabilities
- Message parsing vulnerabilities, especially affecting custom signalling protocols
- TURN and RTP proxy server misconfigurations (e.g. abuse of coturn)
- Transcoding vulnerabilities, typically leading to denial of service or code execution
The following are some of the techniques that are typically employed in our WebRTC pentest methodology:
- SIP vulnerability testing, when SIP is being used for signalling
- Denial of Service testing for different components of the WebRTC stack (signalling, DTLS, media, TURN…)
- RTP bleed and RTP injection testing
- TURN proxy abuse testing
- Mutational fuzzing to find unexpected denial of service and code execution vulnerabilities
- Authentication bypass testing
- SQL injection, LDAP injection, blind cross-site scripting (XSS) and other types of injection
- RTP and SRTP flooding, especially targeting recording systems
How does the process look like?
Most of our engagements follow these steps:
- First step is that you contact us, so that discussions on what you have in mind take place to identify the goals for the exercise and the scope
- With your help, we perform a scoping exercise to better understand the size of the project
- We provide you with our proposal which describes the goals, the scope, the methodology, deliverables, dates allocated for the project, terms and conditions and the price
- The actual work takes place during the allocated dates; your IT staff involved in the project often need to be available during the tests
- Upon completing our work, we provide you with our technical and executive reports in addition to any other deliverables
- Testing of the security fixes finally takes place, and the reports are updated to reflect results from the retest
What are the deliverables?
At the end of the project, we provide the following:
- Executive report, which is an easy to follow 4 page document that includes:
- information about the penetration test
- list of the findings rated by severity
- a summary of the results, giving our honest impression of the system
- our suggestions on what needs to be done to address the vulnerabilities found and prevent similar ones in the future
- Detailed technical report, which includes the following sections:
- Introduction, which describes the scope, methodology and purpose of the work
- Findings and recommendations, each categorized according to vulnerability severity
- Methodology, which describes our tests to explain what was covered and how; this would include both tests that led to vulnerability discoveries, and also those that did not
- Other material is often provided such as:
- Dedicated exploit code and tools to reproduce the security issues found
- Conference calls and online chats to brief the involved executives and technical teams on our findings
- Assistance with addressing the vulnerabilities found
- Follow-up tests once security fixes have been applied
What costs can one expect?
Prices for similar penetration tests start at 8000 EUR. Cost is dependent on the size and complexity of the system on test and the level of rigour in which testing is to be performed. This is determined through pre-sale client discussions and scoping questionnaires. The price of an engagement will be delivered as a fixed bid quote.