As web applications grew more interactive, they needed ways to exchange data asynchronously between the browser and the server. Early answers included the "long polling" technique and AJAX (XMLHttpRequest) in the browser. These approaches worked, but they were not truly bidirectional: there was no way to keep a single connection open so that, once it was established, either side could decide when to send a message. The WebSocket protocol (RFC 6455) was created to fill that gap.
As with most new technologies, WebSocket brings its own security risks. To draw attention to them, I wrote an article that was published in "Programista" 9/2016. In it the reader will learn, among other things:
- how WebSocket works;
- how well data transferred over this protocol is protected;
- what risks come with using WebSocket (authentication bypass, authorization bypass, Same-Origin Policy issues, injections, server resource exhaustion, and more);
- how to test applications that use WebSocket with OWASP ZAP (Zaproxy).
The article closes with a list of questions that should be asked during a security review of an application built on WebSocket.
Update Feb 2, 2017: This article was published on sekurak.pl.