CWE-1385: Missing Origin Validation in WebSockets
CWE version: 4.18
Last updated: 2025-09-09
Weakness Description
The product uses a WebSocket, but it does not properly verify that the source of data or communication is valid.
Common Consequences
Scope: Confidentiality; Integrity; Availability; Non-Repudiation; Access Control
Technical Impact: Varies by Context; Gain Privileges or Assume Identity; Bypass Protection Mechanism; Read Application Data; Modify Application Data; DoS: Crash, Exit, or Restart
Note: The consequences will vary depending on the nature of the functionality that is vulnerable to CSRF. An attacker could effectively perform any operations as the victim. If the victim is an administrator or privileged user, the consequences may include obtaining complete control over the web application: deleting or stealing data, uninstalling the product, or using it to launch other attacks against all of the product's users. Because the attacker has the identity of the victim, the scope of the CSRF is limited only by the victim's privileges.
Potential Mitigations
Phase: Implementation
Description: Enable CORS-like access restrictions by verifying the 'Origin' header during the WebSocket handshake.
Phase: Implementation
Description: Use a randomized CSRF token to verify requests.
Phase: Implementation
Description: Use TLS to securely communicate using 'wss' (WebSocket Secure) instead of 'ws'.
Phase: Architecture and Design; Implementation
Description: Require user authentication prior to the WebSocket connection being established. For example, the WS library in Node has a 'verifyClient' function.
Phase: Implementation
Description: Leverage rate limiting to protect against DoS. Use of the leaky bucket algorithm can help with this.
Effectiveness: Defense in Depth
Phase: Implementation
Description: Use a library that provides restriction of the payload size. For example, the WS library for Node includes a 'maxPayload' option that can be set.
Effectiveness: Defense in Depth
Phase: Implementation
Description: Treat data/input as untrusted in both directions and apply the same data/input sanitization as for XSS, SQLi, etc.
Observed Examples
Reference: CVE-2020-25095
Web console for SIEM product does not check Origin header, allowing Cross Site WebSocket Hijacking (CSWH).
Reference: CVE-2018-6651
Chain: gaming client attempts to validate the Origin header, but only uses a substring, allowing Cross-Site WebSocket hijacking by forcing requests from an origin whose hostname is a substring of the valid origin.
Reference: CVE-2018-14730
WebSocket server does not check the origin of requests, allowing attackers to steal developer's code using a ws://127.0.0.1:3123/ connection.
Reference: CVE-2018-14731
WebSocket server does not check the origin of requests, allowing attackers to steal developer's code using a ws://127.0.0.1/ connection to a randomized port number.
Reference: CVE-2018-14732
WebSocket server does not check the origin of requests, allowing attackers to steal developer's code using a ws://127.0.0.1:8080/ connection.
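As an added example that is not part of the CWE entry, the Node.js code below shows an exact-match Origin check for the WebSocket handshake next to the substring check of the kind described under CVE-2018-6651. The ALLOWED_ORIGINS values and the verifyClient wrapper are assumed for illustration; the wrapper follows the shape of the ws library's 'verifyClient' option, but the library itself is not loaded.

```javascript
// Added example, not taken from the CWE entry. Assumes Node.js (global URL);
// ALLOWED_ORIGINS and the verifyClient wrapper are illustrative names.
const ALLOWED_ORIGINS = ["https://app.example.com", "https://admin.example.com"];

// Weak check of the kind seen in CVE-2018-6651: a substring match also accepts
// an origin whose hostname merely contains the expected one.
function weakOriginCheck(origin) {
  return typeof origin === "string" && origin.includes("app.example.com");
}

// Reduce an Origin header value to scheme://host[:port]. Returns null for a
// missing header, the literal "null" origin, a non-http(s) scheme, or any
// value that carries a path, query or fragment (a real Origin never does).
function normalizeOrigin(origin) {
  if (typeof origin !== "string") return null;
  let url;
  try {
    url = new URL(origin);
  } catch {
    return null; // "null", "", or otherwise unparsable
  }
  if (url.protocol !== "https:" && url.protocol !== "http:") return null;
  if (url.pathname !== "/" || url.search || url.hash) return null;
  return url.origin; // default ports are dropped, so :443 compares equal
}

// Exact match against the allowlist after both sides are normalised.
function isAllowedOrigin(origin, allowed = ALLOWED_ORIGINS) {
  const candidate = normalizeOrigin(origin);
  if (candidate === null) return false;
  return allowed.some((entry) => normalizeOrigin(entry) === candidate);
}

// Handshake hook in the shape the ws library's 'verifyClient' option uses:
// info.origin is the Origin header and info.secure is true for wss://.
// Origin is only a CSWSH defence: a browser sets it honestly, a non-browser
// client can send anything, so authentication still has to happen separately.
function verifyClient(info) {
  if (!info.secure) return false;
  return isAllowedOrigin(info.origin);
}
```

The weak check accepts "https://app.example.com.attacker.test", while the exact-match check rejects it together with a missing header, the "null" origin, and a plain http scheme.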
Modes of Introduction
| Phase | Note |
|---|---|
| Architecture and Design | - |
| Implementation | - |