Publish Latest 2024-12-17
Updates based on OWASP/wstg@5b47731
wstgbot committed Dec 17, 2024
1 parent c458f48 commit 16720a7
Showing 1 changed file with 2 additions and 1 deletion.
Expand Up @@ -21,7 +21,7 @@ Traditionally, the HTTP protocol only allows one request/response per TCP connec

### Origin

It is the server’s responsibility to verify the [`Origin` header](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Origin) in the initial HTTP WebSocket handshake. If the server does not validate the origin header in the initial WebSocket handshake, the WebSocket server may accept connections from any origin. This could allow attackers to communicate with the WebSocket server cross-domain allowing for CSRF-like issues. See also [Top 10-2017 A5-Broken Access Control](https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control).
It is the server’s responsibility to verify the [`Origin` header](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Origin) in the initial HTTP WebSocket handshake. If the server does not validate the origin header in the initial WebSocket handshake, the WebSocket server may accept connections from any origin. This could allow attackers to communicate with the WebSocket server cross-domain allowing for CSRF-like issues. See also [Top 10-2017 A5-Broken Access Control](https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control). The exploit for this weakness is called Cross-Site Websocket Hijacking (CSWH or CSWSH).

### Confidentiality and Integrity

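Review bot: the sentence added at the end of the Origin paragraph is inconsistent with the rest of the section: it spells the technology "Websocket" where the same paragraph and the reference title use "WebSocket", and it calls the technique an "exploit" although it is an attack class (the exploit is whatever a given attacker sends). Suggest "The attack that exploits this weakness is known as Cross-Site WebSocket Hijacking (CSWSH)." Dropping the less common "CSWH" variant would also keep the abbreviation aligned with the "(CSWSH)" used in the references list, and linking the term to the CSWSH reference or to CWE-1385 would let readers follow it directly from the paragraph.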
Expand Down Expand Up @@ -85,6 +85,7 @@ Gray-box testing is similar to black-box testing. In gray-box testing, the pen-t
- [HTML5 Rocks - Introducing WebSockets: Bringing Sockets to the Web](https://www.html5rocks.com/en/tutorials/websockets/basics/)
- [W3C - The WebSocket API](https://html.spec.whatwg.org/multipage/web-sockets.html#network)
- [IETF - The WebSocket Protocol](https://tools.ietf.org/html/rfc6455)
- [CWE-1385: Missing Origin Validation in WebSockets](https://cwe.mitre.org/data/definitions/1385.html)
- [Christian Schneider - Cross-Site WebSocket Hijacking (CSWSH)](https://www.christian-schneider.net/blog/cross-site-websocket-hijacking/)
- [Robert Koch- On WebSockets in Penetration Testing](https://repositum.tuwien.at/retrieve/21955)
- [DigiNinja - ZAP and Web Sockets](https://digi.ninja/blog/zap_web_sockets.php)

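Review bot: the new CWE-1385 entry is not referenced from the body text, so it reads as an orphan in the list; since the Origin paragraph is the one place that describes missing origin validation, consider citing CWE-1385 there (for example appending "(CWE-1385)" to the "See also" sentence) so the reference and the weakness description are tied together. A minor nit in the surrounding context, which could be fixed in the same commit: "Robert Koch- On WebSockets in Penetration Testing" is missing the space before the hyphen that every other entry in the list uses ("Robert Koch - On WebSockets ...").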