Détail du CWE-1385

CWE-1385

Missing Origin Validation in WebSockets
Incomplete
2022-04-28
00h00 +00:00
2025-12-11
00h00 +00:00
CWE Mitre.org
Notifications pour un CWE
Restez informé de toutes modifications pour un CWE spécifique.
Gestion des notifications

Nom: Missing Origin Validation in WebSockets

The product uses a WebSocket, but it does not properly verify that the source of data or communication is valid.

Informations générales

Modes d'introduction

Architecture and Design
Implementation

Plateformes applicables

Langue

Class: Not Language-Specific (Undetermined)

Technologies

Class: Web Based (Often)
Name: Web Server (Undetermined)

Conséquences courantes

Portée Impact Probabilité
Confidentiality
Integrity
Availability
Non-Repudiation
Access Control		Varies by Context, Gain Privileges or Assume Identity, Bypass Protection Mechanism, Read Application Data, Modify Application Data, DoS: Crash, Exit, or Restart

Note: The consequences will vary depending on the nature of the functionality that is vulnerable to CSRF. An attacker could effectively perform any operations as the victim. If the victim is an administrator or privileged user, the consequences may include obtaining complete control over the web application - deleting or stealing data, uninstalling the product, or using it to launch other attacks against all of the product's users. Because the attacker has the identity of the victim, the scope of the CSRF is limited only by the victim's privileges.

Exemples observés

Références Description

CVE-2020-25095

web console for SIEM product does not check Origin header, allowing Cross Site WebSocket Hijacking (CSWH)

CVE-2018-6651

Chain: gaming client attempts to validate the Origin header, but only uses a substring, allowing Cross-Site WebSocket hijacking by forcing requests from an origin whose hostname is a substring of the valid origin.

CVE-2018-14730

WebSocket server does not check the origin of requests, allowing attackers to steal developer's code using a ws://127.0.0.1:3123/ connection.

CVE-2018-14731

WebSocket server does not check the origin of requests, allowing attackers to steal developer's code using a ws://127.0.0.1/ connection to a randomized port number.

CVE-2018-14732

WebSocket server does not check the origin of requests, allowing attackers to steal developer's code using a ws://127.0.0.1:8080/ connection.

Mesures d’atténuation potentielles

Phases : Implementation
Enable CORS-like access restrictions by verifying the 'Origin' header during the WebSocket handshake.
Phases : Implementation
Use a randomized CSRF token to verify requests.
Phases : Implementation
Use TLS to securely communicate using 'wss' (WebSocket Secure) instead of 'ws'.
Phases : Architecture and Design // Implementation
Require user authentication prior to the WebSocket connection being established. For example, the WS library in Node has a 'verifyClient' function.
Phases : Implementation
Leverage rate limiting to prevent against DoS. Use of the leaky bucket algorithm can help with this.
Phases : Implementation
Use a library that provides restriction of the payload size. For example, WS library for Node includes 'maxPayloadoption' that can be set.
Phases : Implementation
Treat data/input as untrusted in both directions and apply the same data/input sanitization as XSS, SQLi, etc.

Notes de cartographie des vulnérabilités

Justification : This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.
Commentaire : Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.

Références

REF-1257

Cross-Site WebSocket Hijacking (CSWSH)
Christian Schneider.
https://christian-schneider.net/blog/cross-site-websocket-hijacking/

REF-1251

WebSockets not Bound by SOP and CORS? Does this mean...
Drew Branch.
https://blog.securityevaluators.com/websockets-not-bound-by-cors-does-this-mean-2e7819374acc

REF-1252

How to secure your WebSocket connections
Mehul Mohan.
https://www.freecodecamp.org/news/how-to-secure-your-websocket-connections-d0be0996c556/

REF-1256

Cross-Site WebSocket Hijacking (CSWSH)
Vickie Li.
https://medium.com/swlh/hacking-websocket-25d3cba6a4b9

REF-1253

Testing for WebSockets security vulnerabilities
PortSwigger.
https://portswigger.net/web-security/websockets

Soumission

Nom Organisation Date Date de publication Version
Anonymous External Contributor 2021-05-28 +00:00 2022-04-28 +00:00 4.7

Modifications

Nom Organisation Date Commentaire
CWE Content Team MITRE 2023-01-31 +00:00 updated Description
CWE Content Team MITRE 2023-04-27 +00:00 updated References, Relationships
CWE Content Team MITRE 2023-06-29 +00:00 updated Mapping_Notes
CWE Content Team MITRE 2025-09-09 +00:00 updated References
CWE Content Team MITRE 2025-12-11 +00:00 updated Applicable_Platforms, Weakness_Ordinalities
Les informations affichées sur CVE Find proviennent de plusieurs sources de référence rigoureusement sélectionnées. Les données CVE sont fournies par MITRE Corporation et la National Vulnerability Database (NVD). Le catalogue des vulnérabilités activement exploitées (KEV) provient de la Cybersecurity and Infrastructure Security Agency (CISA), tandis que les scores EPSS sont issus de FIRST.org. Enfin, les données relatives aux faiblesses logicielles (CWE) et aux schémas d'attaque courants (CAPEC) sont maintenues par MITRE Corporation, et les informations sur les configurations logicielles et matérielles (CPE) proviennent du NVD.