19 lines
1.0 KiB
Plaintext
19 lines
1.0 KiB
Plaintext
``++WebSocket++``s allow client-server communications in both directions simultaneously, but because of the way the protocol is designed, it's vulnerable to a number of attacks:
|
|
|
|
* denial of service on both the client and server sides - because ``++WebSocket++``s are persistent connections, it is easier to exhaust this type of resource
|
|
* exposure of sensitive data - because ``++WebSocket++``s aren't encrypted the data sent over them is vulnerable to sniffing
|
|
|
|
Additionally ``++WebSocket++``s offer no particular protection from XSS attacks.
|
|
|
|
|
|
This rule raises an issue on each file in which ``++WebSocket++``s are used.
|
|
|
|
|
|
== See
|
|
|
|
* https://www.owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[OWASP Top 10 2017 Category A3] - Sensitive Data Exposure
|
|
* https://cwe.mitre.org/data/definitions/400[MITRE, CWE-400] - Uncontrolled Resource Consumption ('Resource Exhaustion')
|
|
* https://dl.packetstormsecurity.net/papers/attack/HTML5AttackVectors_RafayBaloch_UPDATED.pdf[Packet Storm Security] - HTML 5 Modern Day Attack And Defence Vectors
|
|
|
|
|