WebSocket security encompasses the threats, vulnerabilities, and defensive measures specific to the WebSocket protocol. Unlike traditional HTTP request-response communication, WebSockets establish a persistent, full-duplex connection between the client and server, allowing both sides to send data at any time. This persistent nature introduces unique security challenges that differ from standard web application vulnerabilities and are frequently overlooked during security reviews.
How It Works
A WebSocket connection begins with an HTTP upgrade handshake. The client sends a regular HTTP request with an Upgrade: websocket header, and the server responds with a 101 Switching Protocols status to establish the connection. From that point, communication occurs over a persistent TCP connection using the WebSocket framing protocol rather than HTTP. This handshake is the critical point where authentication and authorization must be enforced, because once the connection is upgraded, the HTTP layer's security mechanisms no longer apply automatically.
Cross-site WebSocket hijacking (CSWSH) is one of the most significant WebSocket-specific vulnerabilities. Because the WebSocket handshake is an HTTP request, it automatically includes cookies. If the server does not validate the Origin header during the handshake, an attacker's malicious page can establish a WebSocket connection to the target application using the victim's authenticated session. This is analogous to cross-site request forgery but affects the persistent WebSocket channel.
Authorization checks on WebSocket messages require careful implementation. In HTTP applications, each request passes through middleware that enforces access controls. With WebSockets, messages flow through the persistent connection without automatic middleware processing. Developers must explicitly validate permissions for each message type, ensuring that a user who is authorized to read data cannot use the same connection to perform administrative actions or access other users' data.
Why It Matters
WebSocket endpoints represent an expanding attack surface as real-time features become standard in modern applications. Chat systems, live notifications, collaborative editing, and financial data feeds all rely on WebSockets. Security assessments that focus exclusively on REST APIs miss the unique vulnerabilities present in WebSocket implementations, including injection through message content, missing authorization on message handlers, and cross-site connection hijacking.