Hello, welcome to the Tuesday, January 10th, 2017 edition of the Sandsenet Storm Center's Stormcast. My name is Johannes Ulrich.

And I'm recording from Jacksonville, Florida. Over the last few years, web browsers implemented a new JavaScript

API for WebSockets. Now, WebSockets allow bidirectional communication with web servers, and the

secured impact of WebSockets isn't always well understood. One of the better ways to learn about

new features like this and to explore different vulnerabilities and attacks is typically just,

well, to experiment, to have some real-world code that you can play with.

And for Web Sockets, we now have Damn Vulnerable Web Sockets.

That's a little PHP web applications that demonstrates various vulnerabilities in web sockets.

It's a little bit similar to the damn vulnerable web application that of course

does implement more of the traditional vulnerabilities. To run it, you need Apache, PHP, MySQL. So

nothing really all that fancy in PHP itself, of course. You also need support to connect to MySQL via the MySQL I library, which, as far as I may wear,

all major Linux distributions installed sort of by default or in Windows, probably something

like XAMP or so will allow you to install all of this very easily.

So if you are a developer or a pen tester, take a look at the Git Repar

Story and the link you'll find in the show notes. One of the big news stories last year was

a vulnerability in defibrillators and pacemakers made by St. Jude Medical. Now the vulnerability

allowed an attacker to remotely manipulate

these devices and seriously affect the health or even kill a patient that had one of these devices

implanted. Today, Sanjude released a patch for these devices. It should be rolled out automatically. Now, one reason

this particular vulnerability made so many headlines was also that the company that released

details about the vulnerability got together with an investment company that took a short

position in Sanjude Medical in order to financially gain from this

...