denial of service attacks, which are attempts to make resources unavailable for the
system's users. The goal of such attacks is to prevent a web site, service, or server from
working efficiently—temporarily or even indefinitely.
Allowing users to access your web applications can also expose your users to attacks.
Malicious persons and evil robots are constantly attempting to copy, delete, and modify
precious user data. Some of these attacks may rely on impersonation, while others may
be more passive eavesdropping and interception. These common threats are typically
mitigated using authentication and encrypted communication.
In addition to these well-known types of attacks, there are unintended and
ambiguous attacks against those who are neither using nor deploying WebSocket.
Examples of these include legacy proxy and monitoring systems that confuse WebSocket
traffic with HTTP traffic.
Many of the WebSocket Protocol design choices that we examined in Chapter 3
make sense in light of security and were added to mitigate specific attacks. After all, if
the purpose of WebSocket is to open a free-flowing pipe of bytes between two endpoints,
then everything else is decorative. As it happens, some of these trappings are necessary
to thwart very specific types of attacks. These threats may affect users of the protocol, or
more curiously, innocent bystanders who happen to be on the same network.
Table 7-1 describes some of these security issues and a brief description of how some
features of the WebSocket Protocol were specifically designed to mitigate these attacks.
We'll delve more into each of these areas in the subsequent sections, and explore
higher-level WebSocket security areas like authentication and application-level security.
Table 7-1. Types of Attacks Addressed by the WebSocket API and Protocol

This Type of Attack                         ... is Addressed by this WebSocket API or Protocol Feature
Denial of service                           Origin header
Denial of service by connection flooding    Throttling new connections using the Origin header
Proxy server attacks                        Masking
Man-in-the-middle, eavesdropping            WebSocket Secure (wss://)
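As an added illustration of the first two rows of Table 7-1 (this is example code, not from the book), the following Python sketch of a server-side handshake check validates the browser-supplied Origin header against an allowlist, throttles new connections per origin, and derives Sec-WebSocket-Accept from Sec-WebSocket-Key as RFC 6455 specifies. The allowlist, the per-origin limit and the sample request are assumptions made for the example.

```python
import base64
import hashlib
from collections import Counter

# RFC 6455 GUID appended to Sec-WebSocket-Key to derive Sec-WebSocket-Accept.
WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"

# Assumed policy for this example: which page origins may open sockets, and how
# many concurrent connections one origin may hold before new ones are refused.
ALLOWED_ORIGINS = {"https://app.example.com"}
MAX_CONN_PER_ORIGIN = 2

# Constructed sample client handshake (key/accept pair is the RFC 6455 example).
SAMPLE_HANDSHAKE = (
    "GET /chat HTTP/1.1\r\nHost: server.example.com\r\n"
    "Upgrade: websocket\r\nConnection: Upgrade\r\n"
    "Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\n"
    "Origin: https://app.example.com\r\nSec-WebSocket-Version: 13\r\n\r\n"
)

def parse_handshake(raw: str) -> dict:
    """Split the request line and headers; header names are lowercased."""
    head, _, _ = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"request_line": lines[0], "headers": headers}

def accept_key(sec_websocket_key: str) -> str:
    """Sec-WebSocket-Accept = base64(SHA-1(key + GUID)) per RFC 6455."""
    digest = hashlib.sha1((sec_websocket_key + WS_GUID).encode()).digest()
    return base64.b64encode(digest).decode()

def check_handshake(raw: str, open_per_origin: Counter) -> tuple:
    """Return (status, accept_value_or_reason); 101 means the upgrade is accepted."""
    h = parse_handshake(raw)["headers"]
    if h.get("upgrade", "").lower() != "websocket" or "sec-websocket-key" not in h:
        return 400, "not a WebSocket upgrade"
    origin = h.get("origin")
    if origin not in ALLOWED_ORIGINS:
        return 403, "origin not allowed"  # browsers set Origin; cross-site pages are refused
    if open_per_origin[origin] >= MAX_CONN_PER_ORIGIN:
        return 429, "too many connections from origin"  # throttle connection flooding
    open_per_origin[origin] += 1  # caller decrements when the socket closes
    return 101, accept_key(h["sec-websocket-key"])

if __name__ == "__main__":
    print(check_handshake(SAMPLE_HANDSHAKE, Counter()))
```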
WebSocket Security Features
Before we examine the aspects of the WebSocket API and Protocol that address specific
areas of security, let's review the WebSocket handshake. The WebSocket handshake
contains several of the components that help establish security on the WebSocket
connection.
As we described in Chapter 3, WebSocket connections begin with an HTTP request
containing special headers. The contents of that request were very carefully designed
for security and compatibility with HTTP. To review, Listing 7-1 is an example of a client
sending a WebSocket handshake: