Questions tagged [websocket]
101 questions
1 vote
1 answer
93 views
Looking for Advice on Securing a UI implemented as a Web Site
I am looking at different UI options for a microcontroller/SOC, the ESP32-S3. One option is a web site with a login and HTTPS running on a "light weight web server". However, I am not sure ...
2 votes
1 answer
1k views
Is it secure to send JWT tokens in url query parameters if we use nonce to make it a one time token?
Websockets don't support sending auth tokens during websocket handshake as part of HTTP headers, rather only via query parameters. This has a security risk of leaking these tokens in server logs. ...
0 votes
0 answers
170 views
Cache poisoning from rfc6455 (WebSockets) not requiring server message to be masked?
In RFC6455 section 10.3, it explains why they have made clients mask their outgoing frames (so that a malicious server cannot manipulate a client into sending something in plaintext, as the message ...
2 votes
2 answers
2k views
Can a client script (running within a webpage) provide to the browser a certificate to accept in a wss:// connection?
Can a client script provide to the browser a certificate to accept in a wss:// connection? The WebSocket constructor does not seem to have many options. (I am designing an IoT server that lets the ...
2 votes
1 answer
523 views
What's the threat if a WebSocket connection only checks authentication in the `Open` event?
(I had checked the similar topics this/this/this/this, but I couldn't find the exact scenario or example) Let's say I have a websocket server (MITM and XSS attacks are not in scope) where inside 'open'...
1 vote
0 answers
218 views
Is SSL over WebSocket less necessary when a connection is established from a smartphone?
I am developing a modification for a game server. The mod hosts a SocketServer which clients can connect to using a smartphone app, allowing them to chat with other players whilst not physically ...
0 votes
1 answer
730 views
Securing a Websocket Connection in case of XSS Vulnerability
Goal: Authenticate the Client via HTTP Request. Authenticate the Client's WebSocket connection. Prevent exploitation of the WebSocket connection (when an XSS vulnerability is present on the website). How I'm ...
1 vote
2 answers
2k views
Is sending a hashed password over a URL path parameter secure?
I need to create WebSocket authentication mechanism without using ticketing, so the whole authentication needs to be performed via HTTP (over SSL) GET request which is sent to upgrade connection to ...