The development of web applications has made it increasingly necessary to exchange data asynchronously between the browser and the web server. Early solutions were periodic polling and, later, "long polling" built on AJAX requests. These approaches worked, but left room for improvement: none of them offered truly bidirectional communication in which, once a connection is established, either side can decide on its own when to send data. The WebSocket protocol was created to meet this need.
As with most new technologies, WebSocket comes with its own security risks. To draw attention to them, I prepared an article that was published in the "Programista" 9/2016 magazine. From it the reader will learn, among other things:
- How WebSocket works.
- How secure the data transferred over this protocol is.
- What risks come with using WebSocket (authentication bypass, authorization bypass, Same Origin Policy issues, injections, server resource exhaustion, and more).
- How to test applications that use WebSocket with OWASP Zaproxy.
At the end of the article the reader will find a list of questions that should be asked during a security review of a WebSocket-based application.
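Two of the topics above, how the protocol works and the Same Origin Policy problem, meet in the opening handshake, so here is an added example that is not part of the article: a minimal server-side validator for the HTTP Upgrade request. It computes the Sec-WebSocket-Accept value exactly as RFC 6455 prescribes and rejects handshakes whose Origin header is not on an allow-list, because the browser does not apply the same-origin policy to WebSocket connections and will happily open one from any page, attaching the victim's cookies. The host names, the allow-list and the sample requests are constructed placeholders; the key/accept pair is the one given in RFC 6455 itself.

```python
import base64
import hashlib

# Fixed GUID that every server appends to the client's key (RFC 6455, section 1.3).
WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"


def accept_key(client_key: str) -> str:
    """Sec-WebSocket-Accept = base64(SHA-1(Sec-WebSocket-Key + GUID))."""
    digest = hashlib.sha1((client_key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def parse_request(raw: str):
    """Split a raw HTTP/1.1 request into (request line, lower-cased header dict)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def handshake(raw_request: str, allowed_origins: set) -> tuple:
    """Validate an upgrade request and return (status code, response text).

    Only a well-formed GET upgrade from an allow-listed Origin gets a 101.
    """
    request_line, h = parse_request(raw_request)
    if not request_line.startswith("GET "):
        return 405, "HTTP/1.1 405 Method Not Allowed\r\n\r\n"
    connection_tokens = [t.strip().lower() for t in h.get("connection", "").split(",")]
    if h.get("upgrade", "").lower() != "websocket" or "upgrade" not in connection_tokens:
        return 400, "HTTP/1.1 400 Bad Request\r\n\r\n"
    if h.get("sec-websocket-version") != "13":
        return 426, "HTTP/1.1 426 Upgrade Required\r\nSec-WebSocket-Version: 13\r\n\r\n"
    key = h.get("sec-websocket-key", "")
    try:
        # The client nonce must be 16 random bytes, base64-encoded.
        if len(base64.b64decode(key, validate=True)) != 16:
            raise ValueError("key is not 16 bytes")
    except ValueError:
        return 400, "HTTP/1.1 400 Bad Request\r\n\r\n"
    # The browser does not enforce the same-origin policy for WebSocket handshakes:
    # any page can open a socket to this server and the browser attaches our cookies.
    # The Origin header is the server's only signal that a cross-site page did it,
    # so compare it exactly against an allow-list (no substring or prefix matching).
    origin = h.get("origin")
    if origin not in allowed_origins:
        return 403, "HTTP/1.1 403 Forbidden\r\n\r\n"
    response = (
        "HTTP/1.1 101 Switching Protocols\r\n"
        "Upgrade: websocket\r\n"
        "Connection: Upgrade\r\n"
        f"Sec-WebSocket-Accept: {accept_key(key)}\r\n\r\n"
    )
    return 101, response


# Constructed sample requests (not captured traffic); the hosts are placeholders.
ALLOWED = {"https://app.example"}

GOOD_REQUEST = (
    "GET /chat HTTP/1.1\r\n"
    "Host: app.example\r\n"
    "Upgrade: websocket\r\n"
    "Connection: Upgrade\r\n"
    "Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\n"  # key from the RFC 6455 example
    "Sec-WebSocket-Version: 13\r\n"
    "Origin: https://app.example\r\n"
    "Cookie: session=abc\r\n\r\n"
)

# What a page on attacker.example makes the victim's browser send: the session
# cookie is attached automatically, only the Origin header differs.
CROSS_SITE_REQUEST = GOOD_REQUEST.replace(
    "Origin: https://app.example", "Origin: https://attacker.example"
)

if __name__ == "__main__":
    for name, req in (("same-site", GOOD_REQUEST), ("cross-site", CROSS_SITE_REQUEST)):
        status, _ = handshake(req, ALLOWED)
        print(f"{name} handshake -> {status}")
```

The Origin check only addresses browser-driven cross-site hijacking, where ambient cookies are the danger; a non-browser client controlled by the attacker can set any Origin it likes. Authentication and authorization of the session therefore still have to be verified on the handshake and, for each message, on the established connection, which is where the article's authentication and authorization bypass items come in.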
Update Feb 2, 2017: This article was published on sekurak.pl.