From da96a725cfe0ed43342b5037667a0063b50e3052 Mon Sep 17 00:00:00 2001 From: Dirk Wetter Date: Tue, 17 Dec 2024 09:53:23 +0100 Subject: [PATCH 1/2] Add term, acronym and CWE# * Add term Cross-site Websocket Hijacking, * the acronym for the exploit: CSWH (and also CSWSH which seems to be also used but less often). Both are useful for searching (useful for searching --> couldn't find anything here) * Add reference to CWE --- .../11-Client-side_Testing/10-Testing_WebSockets.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/document/4-Web_Application_Security_Testing/11-Client-side_Testing/10-Testing_WebSockets.md b/document/4-Web_Application_Security_Testing/11-Client-side_Testing/10-Testing_WebSockets.md index 4050326850..e4136695f2 100644 --- a/document/4-Web_Application_Security_Testing/11-Client-side_Testing/10-Testing_WebSockets.md +++ b/document/4-Web_Application_Security_Testing/11-Client-side_Testing/10-Testing_WebSockets.md @@ -12,7 +12,7 @@ Traditionally, the HTTP protocol only allows one request/response per TCP connec ### Origin -It is the server’s responsibility to verify the [`Origin` header](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Origin) in the initial HTTP WebSocket handshake. If the server does not validate the origin header in the initial WebSocket handshake, the WebSocket server may accept connections from any origin. This could allow attackers to communicate with the WebSocket server cross-domain allowing for CSRF-like issues. See also [Top 10-2017 A5-Broken Access Control](https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control). +It is the server’s responsibility to verify the [`Origin` header](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Origin) in the initial HTTP WebSocket handshake. If the server does not validate the origin header in the initial WebSocket handshake, the WebSocket server may accept connections from any origin. This could allow attackers to communicate with the WebSocket server cross-domain allowing for CSRF-like issues. See also [Top 10-2017 A5-Broken Access Control](https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control). The exploit for this weakness is called Cross-Origin Websocket Hijacking (CSWH or CSWSH). ### Confidentiality and Integrity @@ -76,6 +76,7 @@ Gray-box testing is similar to black-box testing. In gray-box testing, the pen-t - [HTML5 Rocks - Introducing WebSockets: Bringing Sockets to the Web](https://www.html5rocks.com/en/tutorials/websockets/basics/) - [W3C - The WebSocket API](https://html.spec.whatwg.org/multipage/web-sockets.html#network) - [IETF - The WebSocket Protocol](https://tools.ietf.org/html/rfc6455) +- [CWE-1385: Missing Origin Validation in WebSockets](https://cwe.mitre.org/data/definitions/1385.html) - [Christian Schneider - Cross-Site WebSocket Hijacking (CSWSH)](https://www.christian-schneider.net/blog/cross-site-websocket-hijacking/) - [Robert Koch- On WebSockets in Penetration Testing](https://repositum.tuwien.at/retrieve/21955) - [DigiNinja - ZAP and Web Sockets](https://digi.ninja/blog/zap_web_sockets.php) From ddd6e03e5c655af6e2a835f87345ec417ea7a603 Mon Sep 17 00:00:00 2001 From: Rick M Date: Tue, 17 Dec 2024 04:04:41 -0500 Subject: [PATCH 2/2] Update 10-Testing_WebSockets.md --- .../11-Client-side_Testing/10-Testing_WebSockets.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/document/4-Web_Application_Security_Testing/11-Client-side_Testing/10-Testing_WebSockets.md b/document/4-Web_Application_Security_Testing/11-Client-side_Testing/10-Testing_WebSockets.md index e4136695f2..3aae5e25aa 100644 --- a/document/4-Web_Application_Security_Testing/11-Client-side_Testing/10-Testing_WebSockets.md +++ b/document/4-Web_Application_Security_Testing/11-Client-side_Testing/10-Testing_WebSockets.md @@ -12,7 +12,7 @@ Traditionally, the HTTP protocol only allows one request/response per TCP connec ### Origin -It is the server’s responsibility to verify the [`Origin` header](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Origin) in the initial HTTP WebSocket handshake. If the server does not validate the origin header in the initial WebSocket handshake, the WebSocket server may accept connections from any origin. This could allow attackers to communicate with the WebSocket server cross-domain allowing for CSRF-like issues. See also [Top 10-2017 A5-Broken Access Control](https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control). The exploit for this weakness is called Cross-Origin Websocket Hijacking (CSWH or CSWSH). +It is the server’s responsibility to verify the [`Origin` header](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Origin) in the initial HTTP WebSocket handshake. If the server does not validate the origin header in the initial WebSocket handshake, the WebSocket server may accept connections from any origin. This could allow attackers to communicate with the WebSocket server cross-domain allowing for CSRF-like issues. See also [Top 10-2017 A5-Broken Access Control](https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control). The exploit for this weakness is called Cross-Site Websocket Hijacking (CSWH or CSWSH). ### Confidentiality and Integrity