``++WebSocket++``s allow client-server communications in both directions simultaneously, but because of the way the protocol is designed, it's vulnerable to a number of attacks: 

* denial of service on both the client and server sides - because ``++WebSocket++``s are persistent connections, it is easier to exhaust this type of resource
* exposure of sensitive data - because ``++WebSocket++``s aren't encrypted the data sent over them is vulnerable to sniffing

Additionally ``++WebSocket++``s offer no particular protection from XSS attacks.


This rule raises an issue on each file in which ``++WebSocket++``s are used.


== See

* https://www.owasp.org/index.php/Top_10-2017_A3-Sensitive_Data_Exposure[OWASP Top 10 2017 Category A3] - Sensitive Data Exposure
* https://cwe.mitre.org/data/definitions/400[MITRE, CWE-400] - Uncontrolled Resource Consumption ('Resource Exhaustion')
* https://dl.packetstormsecurity.net/papers/attack/HTML5AttackVectors_RafayBaloch_UPDATED.pdf[Packet Storm Security] - HTML 5 Modern Day Attack And Defence Vectors