rspec/rules/S3272/rule.adoc

``++WebSocket++``s allow client-server communications in both directions simultaneously, but because of the way the protocol is designed, it's vulnerable to a number of attacks: 

* denial of service on both the client and server sides - because ``++WebSocket++``s are persistent connections, it is easier to exhaust this type of resource
* exposure of sensitive data - because ``++WebSocket++``s aren't encrypted the data sent over them is vulnerable to sniffing

Additionally ``++WebSocket++``s offer no particular protection from XSS attacks.


This rule raises an issue on each file in which ``++WebSocket++``s are used.


== See

* https://www.owasp.org/index.php/Top_10-2017_A3-Sensitive_Data_Exposure[OWASP Top 10 2017 Category A3] - Sensitive Data Exposure
* https://cwe.mitre.org/data/definitions/400[MITRE, CWE-400] - Uncontrolled Resource Consumption ('Resource Exhaustion')
* https://dl.packetstormsecurity.net/papers/attack/HTML5AttackVectors_RafayBaloch_UPDATED.pdf[Packet Storm Security] - HTML 5 Modern Day Attack And Defence Vectors
make in-line code blocks verbatim 2021-01-27 13:42:22 +01:00			``++WebSocket++``s allow client-server communications in both directions simultaneously, but because of the way the protocol is designed, it's vulnerable to a number of attacks:
Add rules based on targeted languages and remove the empty one 2020-06-30 16:59:06 +02:00
make in-line code blocks verbatim 2021-01-27 13:42:22 +01:00			* denial of service on both the client and server sides - because ``++WebSocket++``s are persistent connections, it is easier to exhaust this type of resource
			* exposure of sensitive data - because ``++WebSocket++``s aren't encrypted the data sent over them is vulnerable to sniffing
Add rules based on targeted languages and remove the empty one 2020-06-30 16:59:06 +02:00
make in-line code blocks verbatim 2021-01-27 13:42:22 +01:00			Additionally ``++WebSocket++``s offer no particular protection from XSS attacks.
Add rules based on targeted languages and remove the empty one 2020-06-30 16:59:06 +02:00
Force linebreaks 2021-02-02 15:02:10 +01:00
make in-line code blocks verbatim 2021-01-27 13:42:22 +01:00			This rule raises an issue on each file in which ``++WebSocket++``s are used.
Add rules based on targeted languages and remove the empty one 2020-06-30 16:59:06 +02:00

			`== See`

			`* https://www.owasp.org/index.php/Top_10-2017_A3-Sensitive_Data_Exposure[OWASP Top 10 2017 Category A3] - Sensitive Data Exposure`
RULEAPI-755 Update CWE URLs by removing .html suffix and update with https protocol (#926) * Change affects only see.adoc and rule.adoc files, not comments-and-links.adoc files 2022-04-07 08:53:59 -05:00			`* https://cwe.mitre.org/data/definitions/400[MITRE, CWE-400] - Uncontrolled Resource Consumption ('Resource Exhaustion')`
Add rules based on targeted languages and remove the empty one 2020-06-30 16:59:06 +02:00			`* https://dl.packetstormsecurity.net/papers/attack/HTML5AttackVectors_RafayBaloch_UPDATED.pdf[Packet Storm Security] - HTML 5 Modern Day Attack And Defence Vectors`