
Getting unexpected messages from some clients

Open weary-adventurer opened this issue 2 years ago • 2 comments

I'm using Engine.IO in my application primarily as a WebSocket wrapper with a long-polling fallback to work around firewalls.

My server is a Node.JS script that uses Engine.IO 6.5.0 and the client is a website that uses Engine.IO-Client 6.5.0.

All packets are sent by client and server in binary format.

Client is sending data like this:

// eio: the engine.io-client Socket constructor (browser bundle)
const socket = new eio("wss://example.com", {transports: ["polling", "websocket"]});
socket.binaryType = "arraybuffer";
socket.on("open", () => {
    const data = new Uint8Array(48);
    // fill data with known values
    socket.send(data);
});

Server is receiving data like this:

const EngineIO = require("engine.io");
const assert = require("node:assert");
// `server` is the http.Server that Engine.IO is attached to

const eio = EngineIO.attach(server, {
    transports: ["polling", "websocket"],
    cors: {
        origin: "*",
        methods: "GET,HEAD,PUT,PATCH,POST,DELETE"
    }
});

eio.on("connection", (socket) => {
    // ...
    socket.once("message", (msg) => {
        assert(Buffer.isBuffer(msg));
        assert(msg.length === 48);
        const foo = msg.subarray(...);
        // ...
    });
});

Almost every client is sending and receiving messages correctly (I get 48 bytes and msg is a Buffer).

However, every day I get 1-2 clients that are sending something unexpected.

In the socket.once("message") callback, the msg that these clients send is ALWAYS:

  • A Uint8Array instead of Buffer or String
  • Has a length of 1 instead of 48
  • Contains [0x08] instead of my data

The user agents of these clients are:

  • Mozilla/5.0 (PlayStation Vita 3.74) AppleWebKit/537.73 (KHTML, like Gecko) Silk/3.2
  • Mozilla/5.0 (BB10; Kbd) AppleWebKit/537.35+ (KHTML, like Gecko) Version/10.3.3.2163 Mobile Safari/537.35+
  • Mozilla/5.0 (SMART-TV; Linux; Tizen 2.4.0) AppleWebkit/538.1 (KHTML, like Gecko) SamsungBrowser/1.1 TV Safari/538.1

weary-adventurer avatar Jun 27 '23 10:06 weary-adventurer

Hi! Do you think these are real clients trying to reach your application, or rather malicious clients sending junk?

A Uint8Array instead of Buffer or String

This one is weird though, the data should always be either a Buffer or a string. I'm digging into this.

darrachequesne avatar Aug 17 '23 06:08 darrachequesne

I think it's extremely unlikely that these are fake or malicious clients. The access log also checks out so I think they are real.

Here are the unique user agents of all the clients that do this so far:

Mozilla/5.0 (BB10; Kbd) AppleWebKit/537.35+ (KHTML, like Gecko) Version/10.3.3.3216 Mobile Safari/537.35+
Mozilla/5.0 (BB10; Touch) AppleWebKit/537.35+ (KHTML, like Gecko) Version/10.3.3.2163 Mobile Safari/537.35+
Mozilla/5.0 (iPhone; CPU iPhone OS 7_0_4 like Mac OS X) AppleWebKit/537.51.1 (KHTML, like Gecko) Version/7.0 Mobile/11B554a Safari/9537.53
Mozilla/5.0 (Linux; Tizen 2.4; SAMSUNG SM-Z200F) AppleWebKit/537.3 (KHTML, like Gecko) SamsungBrowser/1.1 Mobile Safari/537.3
Mozilla/5.0 (Linux; Tizen 2.4; SAMSUNG SM-Z200Y) AppleWebKit/537.3 (KHTML, like Gecko) SamsungBrowser/1.1 Mobile Safari/537.3
Mozilla/5.0 (Linux; U; Android 2.0; en-us;) AppleWebKit/538.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/538.1 (Kobo Touch 0376/4.37.21586)
Mozilla/5.0 (Linux; U; Android 2.0; en-us;) AppleWebKit/538.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/538.1 (Kobo Touch 0377/4.37.21533)
Mozilla/5.0 (Linux; U; Android 2.0; en-us;) AppleWebKit/538.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/538.1 (Kobo Touch 0377/4.37.21586)
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:10.0) Gecko/20100101 Firefox/10.0
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_5) AppleWebKit/600.7.12 (KHTML, like Gecko) Version/7.1.7 Safari/537.85.16
Mozilla/5.0 (PlayStation Vita 3.73) AppleWebKit/537.73 (KHTML, like Gecko) Silk/3.2
Mozilla/5.0 (PlayStation Vita 3.74) AppleWebKit/537.73 (KHTML, like Gecko) Silk/3.2
Mozilla/5.0 (SMART-TV; Linux; Tizen 2.3) AppleWebkit/538.1 (KHTML, like Gecko) SamsungBrowser/1.0 TV Safari/538.1
Mozilla/5.0 (SMART-TV; Linux; Tizen 2.4.0) AppleWebkit/538.1 (KHTML, like Gecko) SamsungBrowser/1.1 TV Safari/538.1

In every case, I get a Uint8Array in the socket.on("message") callback. It always has a length of 1, and the only element is always 8.

I don't know if any other messages come because I disconnect the client if the message is not a Buffer.

weary-adventurer avatar Sep 17 '23 11:09 weary-adventurer
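A server-side handler in the spirit of the "disconnect if it is not a Buffer" check described above, as an added example that is not code from the issue or from engine.io: it normalises the payload type, enforces the expected 48-byte length, and records the transport and user agent of the offending client before closing the socket. EXPECTED_LENGTH, the record shape and the logging callback are this example's assumptions.

```javascript
// Added example (not code from the issue or from engine.io): a defensive
// "message" handler for a server expecting one 48-byte binary frame per client.
const EXPECTED_LENGTH = 48;

// Classify a payload without trusting its type or length. Engine.IO should
// deliver a Buffer or a string; a bare Uint8Array (as reported above) or an
// ArrayBuffer is normalised to a Buffer so the length check still applies.
function classifyMessage(msg, expectedLength = EXPECTED_LENGTH) {
  let bytes;
  if (Buffer.isBuffer(msg)) {
    bytes = msg;
  } else if (msg instanceof Uint8Array) {
    bytes = Buffer.from(msg.buffer, msg.byteOffset, msg.byteLength);
  } else if (msg instanceof ArrayBuffer) {
    bytes = Buffer.from(msg);
  } else {
    return { ok: false, reason: "unexpected-type", type: typeof msg };
  }
  if (bytes.length !== expectedLength) {
    return {
      ok: false, reason: "unexpected-length", type: msg.constructor.name,
      length: bytes.length, preview: bytes.subarray(0, 8).toString("hex"),
    };
  }
  return { ok: true, bytes };
}

// Diagnostic record for a rejected message (socket.request is the opening HTTP request).
function describeRejection(socket, verdict) {
  const headers = (socket.request && socket.request.headers) || {};
  return {
    reason: verdict.reason, type: verdict.type, length: verdict.length,
    preview: verdict.preview,
    transport: socket.transport ? socket.transport.name : "unknown",
    userAgent: headers["user-agent"] || "unknown",
  };
}

// Register as socket.once("message", (msg) => onFirstMessage(socket, msg)).
function onFirstMessage(socket, msg, log = console.warn) {
  const verdict = classifyMessage(msg);
  if (!verdict.ok) {
    log("rejecting client", describeRejection(socket, verdict));
    socket.close();
    return null;
  }
  return verdict.bytes; // validated 48-byte Buffer, safe to slice
}
```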