RSPEC-3272

"WebSockets" should not be used


    Details

    • Message:
      Remove this use of "WebSockets".
    • Default Severity:
      Critical
    • Impact:
      High
    • Likelihood:
      Low
    • Targeted languages:
      C#, C++, Java, JavaScript, Objective-C, PHP, Python, Swift, VB.Net
    • Remediation Function:
      Constant/Issue
    • Constant Cost:
      2h
    • CWE:
      CWE-400
    • OWASP:
      A3

      Description

      WebSockets allow client-server communication in both directions simultaneously, but because of the way the protocol is designed, it is vulnerable to a number of attacks:

      • denial of service on both the client and server sides - because WebSockets are persistent connections, it is easier to exhaust this type of resource
      • exposure of sensitive data - because WebSockets aren't encrypted, the data sent over them is vulnerable to sniffing

      Additionally, WebSockets offer no particular protection from XSS attacks.

      This rule raises an issue on each file in which WebSockets are used.


      Reporter: Ann Campbell