CWE-1385: Missing Origin Validation in WebSockets
Learn about CWE-1385 (Missing Origin Validation in WebSockets), its security impact, exploitation methods, and prevention guidelines.
What is Missing Origin Validation in WebSockets?
• Overview: Missing Origin Validation in WebSockets means the application communicates over WebSockets but never verifies where the connection came from. The browser's same-origin policy does not stop a page on one origin from opening a WebSocket to a server on another origin; the browser only attaches an Origin header to the handshake request and sends the user's cookies along with it. If the server ignores that header, any site the user happens to visit can open a WebSocket to the server that carries the user's authenticated session.
• Exploitation Methods:
- Attackers host a page that opens a WebSocket to the vulnerable server. A logged-in victim who visits that page hands the attacker's script a connection that carries the victim's session cookies, so the script can send messages and perform actions as that user.
- This is the WebSocket counterpart of cross-site request forgery (CSRF), usually called cross-site WebSocket hijacking. It is worse than classic CSRF in one respect: because the attacker's script holds the socket, it can also read every message the server sends back, not merely trigger actions.
• Security Impact:
- Direct consequences include unauthorized access to sensitive data and the ability to perform actions on behalf of authenticated users.
- Potential cascading effects involve further exploitation of connected systems or services, leading to broader network compromises.
- Business impact can include data breaches, loss of customer trust, and potential legal liabilities.
• Prevention Guidelines:
- Implement origin validation by checking the Origin header during the WebSocket handshake: compare the full origin (scheme, host and port) exactly against an allowlist, and refuse the upgrade with a non-101 response when it does not match. Decide explicitly what to do when the header is absent, since non-browser clients do not send it.
- Do not treat origin checking as authentication. The header is only reliable for browser-initiated requests; a non-browser client can set any Origin it likes, so the WebSocket endpoint still needs its own session or token checks, and the server-side access controls that apply to the equivalent HTTP endpoints must apply here too. Use encrypted connections (wss://) so the handshake and the session cookie it carries are not exposed in transit.
- Use libraries that expose the handshake to you: the ws library offers a verifyClient option and a lower-level handleUpgrade function for rejecting a request before the 101 response, and Socket.IO provides allowRequest and cors options for the same purpose.
Technical Details
Likelihood of Exploit: Not specified
Affected Languages: Not Language-Specific
Affected Technologies: Web Server
Vulnerable Code Example
JavaScript Example
const WebSocket = require('ws');
const wss = new WebSocket.Server({ port: 8080 });

wss.on('connection', function connection(ws, req) {
  // Vulnerability: req.headers.origin is available here but is never checked,
  // so a page on any origin can open this socket with the user's cookies attached.
  ws.on('message', function incoming(message) {
    console.log('received: %s', message);
    // Process the message
  });
});
Explanation
In this code, a WebSocket server is instantiated using the ws library, which listens on port 8080. The library does not validate the Origin header on its own; it only makes the header available through the request object, and this server never looks at it. This omission means any website, including a malicious one, can establish a WebSocket connection to the server from a victim's browser, with the victim's cookies attached. Such a vulnerability can be exploited to perform unauthorized actions as the victim or to exfiltrate the data the server sends over the socket.
How to fix Missing Origin Validation in WebSockets?
To address this vulnerability, the server should validate the Origin header of incoming WebSocket connections so that only connections from trusted origins are accepted. The Origin header is part of the HTTP handshake request; the browser sets it to the origin of the page that opened the socket, which lets the server decide whether the request comes from a trusted source.
- Implement Origin Check: Before accepting a connection, inspect the Origin header and verify that it matches an entry in a list of allowed origins, comparing the whole origin string exactly rather than by substring or prefix.
- Close Untrusted Connections: If the origin is not trusted, refuse the connection immediately so that no messages are exchanged.
Fixed Code Example
const WebSocket = require('ws');
const wss = new WebSocket.Server({ port: 8080 });

// List of allowed origins: full scheme://host[:port] strings, compared exactly
const allowedOrigins = ['https://trustedwebsite.com', 'https://anothertrusted.com'];

wss.on('connection', function connection(ws, req) {
  const origin = req.headers.origin;
  // Fix: Validate the origin before accepting any messages on the connection.
  // A missing Origin header (e.g. a non-browser client) also fails this check.
  if (!allowedOrigins.includes(origin)) {
    console.log('Connection attempt from untrusted origin:', origin);
    ws.close(1008, 'Origin not allowed'); // 1008 = policy violation
    return;
  }
  ws.on('message', function incoming(message) {
    console.log('received: %s', message);
    // Process the message
  });
});
Explanation
In the fixed version, an allowedOrigins array is defined to specify which origins are permitted to establish a WebSocket connection. During the connection event, the server checks whether the Origin header from the incoming request matches any of the allowed origins exactly. If the origin is not on the list, the server closes the connection with a policy-violation close code and logs the attempt, so no application messages are processed from untrusted sources. Two caveats apply. First, the connection event fires after the handshake has already completed, so a rejected client briefly holds an open socket; rejecting in the ws verifyClient option or on the HTTP server's upgrade event instead refuses the request before the 101 response is sent. Second, a request with no Origin header fails the check because includes(undefined) is false; that is the safe default for a browser-facing endpoint, but any client that is not a browser can send an arbitrary Origin, so this check prevents cross-site abuse of a logged-in browser session and does not replace authentication of the socket itself.