CWE-1385

Missing Origin Validation in WebSockets

The product uses a WebSocket, but it does not properly verify that the source of data or communication is valid.

Mitigation

Phase: Implementation

Description:

  • Enable CORS-like access restrictions by verifying the 'Origin' header during the WebSocket handshake.

Mitigation

Phase: Implementation

Description:

  • Use a randomized CSRF token to verify requests.

Mitigation

Phase: Implementation

Description:

  • Use TLS to securely communicate using 'wss' (WebSocket Secure) instead of 'ws'.

Mitigation

Phases: Architecture and Design, Implementation

Description:

  • Require user authentication prior to the WebSocket connection being established. For example, the WS library in Node has a 'verifyClient' function.

Mitigation

Phase: Implementation

Description:

  • Leverage rate limiting to protect against DoS. The leaky bucket algorithm can help with this.

Mitigation

Phase: Implementation

Description:

  • Use a library that provides restriction of the payload size. For example, the WS library for Node includes a 'maxPayload' option that can be set.

Mitigation

Phase: Implementation

Description:

  • Treat data/input as untrusted in both directions and apply the same data/input sanitization as XSS, SQLi, etc.
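The Origin check, the wss requirement and the 'verifyClient' hook from the mitigations above, combined in one added example that is not part of the CWE entry or of the ws library itself; the allowlist entries are constructed, and the ws server wiring is left as a comment so the check runs stand-alone.

```javascript
// Added example: an Origin allowlist check shaped like the 'verifyClient' hook
// of the Node 'ws' library. The parsed origin (scheme + host + port) is compared
// exactly, so "https://app.example.com.evil.test" or a substring match cannot
// pass, and a missing, empty or "null" Origin is rejected rather than trusted.
const ALLOWED_ORIGINS = new Set([
  "https://app.example.com",          // constructed allowlist entries
  "https://admin.example.com:8443",
]);

function isAllowedOrigin(originHeader, allowed = ALLOWED_ORIGINS) {
  // Browsers always send Origin on a WebSocket handshake; treating its absence
  // as trusted would let any non-browser client bypass the check entirely.
  if (typeof originHeader !== "string" || originHeader === "" || originHeader === "null") {
    return false;
  }
  let parsed;
  try {
    parsed = new URL(originHeader);
  } catch {
    return false; // an unparsable value is not a valid origin
  }
  // URL.origin normalises to "scheme://host[:port]": host lowercased, default
  // port dropped, path ignored, so "HTTPS://App.Example.com:443" still matches.
  if (parsed.origin === "null") return false; // opaque origins (e.g. file:)
  return allowed.has(parsed.origin);
}

// Same shape as the ws 'verifyClient' callback: info = { origin, req, secure }.
// Returning false makes ws reject the handshake with 401 and close the socket.
function verifyClient(info) {
  // Insist on wss://. Note: behind a TLS-terminating proxy 'secure' is false,
  // so there the TLS requirement has to be enforced at the proxy instead.
  if (!info.secure) return false;
  return isAllowedOrigin(info.origin);
}

// Wiring into a server (needs the 'ws' package; shown for context only):
// const { WebSocketServer } = require("ws");
// new WebSocketServer({ port: 8080, verifyClient, maxPayload: 64 * 1024 });
```

A session cookie or token check belongs in the same hook (info.req carries the handshake request), since Origin validation alone does not authenticate the user.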

No CAPEC attack patterns related to this CWE.
