Inspecting WebSocket frames in an undetectable way

by

Intercepting the WebSocket data is easy. Simply execute the following script before the page constructs the WebSocket. This snippet monkey-patches the WebSocket constructor: When a new WebSocket constructor is created, the snippet subscribes to the message event, from where you can do whatever you want with the data.

This snippet is designed to be indistinguishable from native code so the modification cannot easily be detected by the page (however, see the remarks at the end of this post).

(function() {
    var OrigWebSocket = window.WebSocket;
    var callWebSocket = OrigWebSocket.apply.bind(OrigWebSocket);
    var wsAddListener = OrigWebSocket.prototype.addEventListener;
    wsAddListener = wsAddListener.call.bind(wsAddListener);
    window.WebSocket = function WebSocket(url, protocols) {
        var ws;
        if (!(this instanceof WebSocket)) {
            // Called without 'new' (browsers will throw an error).
            ws = callWebSocket(this, arguments);
        } else if (arguments.length === 1) {
            ws = new OrigWebSocket(url);
        } else if (arguments.length >= 2) {
            ws = new OrigWebSocket(url, protocols);
        } else { // No arguments (browsers will throw an error)
            ws = new OrigWebSocket();
        }

        wsAddListener(ws, 'message', function(event) {
            // TODO: Do something with event.data (received data) if you wish.
        });
        return ws;
    }.bind();
    window.WebSocket.prototype = OrigWebSocket.prototype;
    window.WebSocket.prototype.constructor = window.WebSocket;

    var wsSend = OrigWebSocket.prototype.send;
    wsSend = wsSend.apply.bind(wsSend);
    OrigWebSocket.prototype.send = function(data) {
        // TODO: Do something with the sent data if you wish.
        return wsSend(this, arguments);
    };
})();

In a Chrome extension, the snippet can be run via a content script with run_at:'document_start', see Insert code into the page context using a content script.

Firefox also supports content scripts, the same logic applies (with contentScriptWhen:'start').

Note: The previous snippet is designed to be indistinguishable from native code when executed before the rest of the page. The only (unusual and fragile) ways to detect these modifications are:

  • Pass invalid parameters to the WebSocket constructor, catch the error and inspecting the implementation-dependent (browser-specific) stack trace. If there is one more stack frame than usual, then the constructor might be tampered (seen from the page’s perspective).

  • Serialize the constructor. Unmodified constructors become function WebSocket() { [native code] }, whereas a patched constructor looks like function () { [native code] } (this issue is only present in Chrome; in Firefox, the serialization is identical).

  • Serialize the WebSocket.prototype.send method. Since the function is not bound, serializing it (WebSocket.prototype.send.toString()) reveals the non-native implementation. This could be mitigated by overriding the .toString method of .send, which in turn can be detected by the page by a strict comparison with Function.prototype.toString. If you don’t need the sent data, do not override OrigWebSocket.prototype.send.

More Related Contents:

  1. Can a site invoke a browser extension?
  2. Chrome extension that enables chatting with users on same page [closed]
  3. Use a content script to access the page context variables and functions
  4. Chrome Extension Message passing: response not sent
  5. “Cannot read property of undefined” when using chrome.tabs or other chrome API in content script
  6. How to import ES6 modules in content script for Chrome Extension
  7. How to detect page navigation on YouTube and modify its appearance seamlessly?
  8. Chrome Extension how to send data from content script to popup.html
  9. How do I auto-reload a Chrome extension I’m developing?
  10. Injecting JS functions into the page from a Greasemonkey script on Chrome
  11. Chrome extension: How to remove orphaned script after chrom extension update
  12. Check if user has a third party Chrome extension installed
  13. Loading external javascript in google chrome extension
  14. How to keep Google Chrome Extension popup open?
  15. How to properly handle chrome extension updates from content scripts
  16. Does extension messaging like chrome.runtime.sendMessage internally use JSON.stringify?
  17. chrome.storage.local.get and set [duplicate]
  18. How to detect the installed Chrome version?
  19. Access variables and functions defined in page context using a content script
  20. Why is document.execCommand(“paste”) not working in Google Chrome?
  21. How can I save information locally in my chrome extension?
  22. How to get the currently opened tab’s URL in my page action popup?
  23. Cross-Origin XMLHttpRequest in chrome extensions
  24. How to get errors stack trace in Chrome extension content script?
  25. Getting selected text in a Chrome extension
  26. tabs.executeScript – passing parameters and using libraries?
  27. Pass a variable from content script to popup
  28. Store an array with chrome.storage.local
  29. How to develop Chrome extension for Gmail?
  30. How to to initialize keyboard event with given char/keycode in a Chrome extension?

Leave a Comment