Details
Alert ID 100025
Alert Type Script Active
Status alpha
Risk High
CWE 346
WASC 9
Technologies Targeted All
Tags CWE-346, OWASP_2017_A05, OWASP_2021_A01, WSTG-V42-CLNT-10
More Info Scan Rule Help

Summary

The server accepted a WebSocket connection through an HTTP Upgrade request whose Origin header had been modified.

Solution

Validate the Origin header during the WebSocket connection handshake so that only explicitly allowed origins can connect. In addition, the WebSocket handshake should require a random token, similar to an anti-CSRF token.

Other Info

See also https://portswigger.net/web-security/websockets/cross-site-websocket-hijacking or https://christian-schneider.net/CrossSiteWebSocketHijacking.html

References

Code

active/Cross Site WebSocket Hijacking.js