The Dark Side of WebSockets: Risks in Real-Time Communication
Introduction
WebSocket is a communication protocol that enables full-duplex data exchange over a single TCP connection, facilitating seamless two-way communication. As the demand for real-time interactions grows in modern web applications, WebSocket has gained widespread adoption, supporting use cases such as instant messaging, live notifications, online gaming, and interactive dashboards. However, this rise in usage also presents a growing attack surface, exposing applications to critical security vulnerabilities.
In this blog, we’ll explore WebSocket protocol vulnerabilities, starting with a foundational understanding of WebSocket, how it works, and why it's essential, before delving into specific vulnerabilities and their implications. We will also discuss how AI can help automate vulnerability detection, enhancing scanning capabilities and improving overall security posture.
Understanding WebSocket: What, Why, and How?
What is WebSocket?
WebSocket is a standardized protocol enabling continuous, bi-directional communication between web browsers and servers. Unlike HTTP, which relies on a request-response mechanism, WebSocket opens a persistent connection, allowing data to flow simultaneously in both directions without repeatedly opening and closing connections, dramatically reducing latency compared to traditional HTTP.
Why Use WebSocket?
WebSocket is ideal for real-time applications. Traditional HTTP polling methods are resource-intensive and introduce latency. WebSocket solves these issues by maintaining an open connection, making it suitable for applications such as chat rooms, live streaming, online gaming, collaborative editing, and interactive web apps.
How Does WebSocket Work?
The WebSocket protocol operates in two phases:
- Handshake: The connection begins with an HTTP upgrade request, transitioning the communication protocol from HTTP to WebSocket.
- Communication: Once upgraded, the server and client exchange data via a persistent connection in frames, allowing efficient and real-time message transfer.

While efficient, the handshake phase and ongoing frame-based communication present potential security pitfalls that can be exploited by attackers.
Common WebSocket Vulnerabilities
In this section, we'll explore several key vulnerabilities affecting WebSocket implementations, demonstrated by real-world scenarios, examples, and documented CVEs.
1. Authentication Bypass via WebSocket
Authentication bypass vulnerabilities occur when WebSocket implementations fail to properly authenticate users or maintain session states securely. Attackers can exploit these flaws to gain unauthorized access, potentially compromising sensitive data.
2. Injection Attacks (SQL, Command, XSS and more)
WebSockets, like any communication that involves user input, can be vulnerable to injection attacks when user inputs are not properly sanitized. Attackers may inject malicious code or commands through WebSocket messages, resulting in SQL Injection, command execution, or Cross-Site Scripting (XSS).
3. Cross-Site WebSocket Hijacking (CSWH)
Cross-Site WebSocket Hijacking occurs when attackers trick a user’s browser into establishing unauthorized WebSocket connections, leveraging existing authenticated sessions. This allows attackers to intercept, modify, or send messages maliciously.
Real-world Attack Scenarios using WebSocket
Unauthorized Real-Time Data Access via WebSocket Injection
One common use of WebSocket is to provide real-time notifications. In a typical scenario, after completing the websocket handshake phase, the server expects both a user ID and a project ID. This design ensures that notifications are sent only to the relevant user for a specific project.
For example, here is the intended and normal websocket request, and the corresponding notification received when a new file is uploaded:

However, we discovered that by sending a wildcard character, like an asterisk (*), instead of specific user ID and project ID, the websocket started sending notifications for every user and project, opening the door to unauthorized access to sensitive user information and project files.

This exposed a massive amount of real-time data that should have been private, highlighting a critical flaw in how the website handles access control within its websocket communication.
Manipulation of notifications served by WebSocket
Imagine a website with a login page. As soon as the page loads, a websocket connection is established in the background in order to retrieve information about the latest changes in associated databases. For example, consider the following request and response:

By analyzing the message sent to the server, it seems relatively straightforward to manipulate the request, at least in order to obtain readable information instead of binary content. However, our findings were alarming - with just a couple of simple modifications to the request, the received data not only reflected recent changes within the application but also exposed user credentials:

CVE-2024-55591 / CVE-2025-24472
An authentication bypass in FortiOS and FortiProxy, stemming from improper handling within the Node.js websocket module. Specifically, crafted requests exploit an alternate authentication path, enabling remote attackers to escalate privileges to super-admin. This vulnerability underscores the critical importance of secure WebSocket implementation and rigorous input validation to prevent unauthorized access to restricted content.
Use Cases Conclusion
Although WebSockets are commonly used for scenarios involving chat applications, notifications, and other real-time data exchange, developers might underestimate the sensitivity and potential security implications of improper implementation, which could extend beyond the intended use case, potentially exposing the system to broader threats.
Any overlooked vulnerability, even in seemingly innocuous use cases such as chatbots or basic notifications, can be exploited with substantial consequences, emphasizing the critical need for rigorous security measures across all WebSocket implementations.
Securing WebSocket Communication: Best Practices
- Input Validation: Ensure all incoming WebSocket messages are strictly validated and sanitized. Proper input validation significantly reduces the risk of injection attacks and unexpected behaviors by blocking malicious or malformed data before processing.
- Ticket-based Authentication: Implement robust authentication mechanisms, such as ticket-based authentication, to validate users effectively during the WebSocket handshake. This ensures sessions are securely established, minimizing unauthorized access risks.
- WebSocket Secure (wss://): Always use secure WebSocket connections (wss://) instead of insecure ws:// connections. Utilizing TLS encryption prevents data interception, ensuring secure, encrypted communication between clients and servers.
- Origin Header Verification: Strictly enforce validation of the Origin header during WebSocket handshakes. Proper Origin checks mitigate risks associated with cross-site WebSocket hijacking (CSWSH) by ensuring connections originate from trusted domains.
Leveraging AI to Automate WebSocket Vulnerability Detection
To address WebSocket vulnerabilities more effectively, we've integrated AI-driven techniques into our security scanning processes at ULTRA RED. Unlike rigid, rule-based methods, our AI system uses machine learning and natural language processing to spot complex logic flaws, sneaky authentication bypasses, and crafty injection attacks within WebSocket traffic.
Thanks to continuous improvements, the ULTRA RED CTEM platform finds vulnerabilities faster, with fewer false alarms, and catches threats that traditional methods often overlook. Because who doesn't prefer smarter tools over manual guesswork?