WebSocket hijacking (origin/SOP note)
If an application uses WebSockets, you must test WebSocket hijacking.
One fundamental web security feature is the Same-Origin Policy (SOP): when you are logged in at a site and at the same time visit a malicious site, the malicious site can send authenticated requests using JavaScript on behalf of your user (which can result in CSRF-style attacks). The malicious site cannot, however, read the response because the browser prevents it.
This does not hold for WebSocket connections: by default a malicious site can interact with (read from and write to) a WebSocket it opens to the target site.
You must either authenticate the user explicitly within the WebSocket communication or prevent establishing the connection under certain circumstances (e.g., based on the Origin header).
Prevention is more difficult because a WebSocket can only be established with a GET request and browsers do not let you set custom HTTP headers on the handshake.
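Added example (not from the original note) of the two defenses it names, as a server-side handshake guard: an Origin allow-list checked before the Upgrade completes, and an in-band token check on the first frame sent over the socket. The allowed origin, the token and the user name are constructed placeholders.

```python
from typing import Dict, Optional
from urllib.parse import urlsplit

# Hypothetical deployment value: the only origin allowed to open a socket.
ALLOWED_ORIGINS = {"https://app.example.com"}


def normalize_origin(origin: str) -> Optional[str]:
    """Canonical scheme://host[:port] with default ports dropped, or None."""
    try:
        p = urlsplit(origin.strip())
        port = p.port  # raises ValueError for a non-numeric port
    except ValueError:
        return None
    if p.scheme not in ("http", "https") or not p.hostname:
        return None
    host = p.scheme + "://" + p.hostname.lower()
    default = 443 if p.scheme == "https" else 80
    return host if port in (None, default) else f"{host}:{port}"


def handshake_allowed(headers: Dict[str, str]) -> bool:
    """Gate the HTTP Upgrade before any frame is exchanged.
    Browsers always send Origin on a WebSocket handshake, so a missing
    or unparseable Origin is rejected rather than trusted. Header names
    are matched case-insensitively."""
    h = {k.lower(): v for k, v in headers.items()}
    if h.get("upgrade", "").lower() != "websocket":
        return False
    origin = normalize_origin(h.get("origin", ""))
    return origin is not None and origin in ALLOWED_ORIGINS


def authenticate_first_message(first_msg: str, sessions: Dict[str, str]) -> Optional[str]:
    """Second layer: the first frame must carry a token the page fetched while
    logged in. Cookies are attached by the browser to any site's handshake and
    so prove nothing about who opened the socket. Returns the user id or None."""
    prefix = "AUTH "
    if not first_msg.startswith(prefix):
        return None
    return sessions.get(first_msg[len(prefix):])


if __name__ == "__main__":
    # Constructed handshakes: a legitimate page and a lookalike cross-site origin.
    good = {"Upgrade": "websocket", "Origin": "https://app.example.com"}
    evil = {"Upgrade": "websocket", "Origin": "https://app.example.com.attacker.test"}
    print(handshake_allowed(good), handshake_allowed(evil))  # True False
    print(authenticate_first_message("AUTH tok-123", {"tok-123": "alice"}))  # alice
```

Exact-match on the normalized origin matters: a suffix or substring check would accept the lookalike origin in the demo.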