In the modern world of web development there is a set of new and emerging specifications sometimes grouped under the moniker HTML5. One of those specifications is the WebSocket API, which enables two-way communication between a browser and a server.
WebSockets offer the promise of faster communications than traditional TCP, but according to a pair of security researchers, there is a hidden risk. Speaking at the Black Hat conference last week, Sergey Shekyan, senior software engineer at Qualys, and Vaagn Toukharian, developer at Qualys, detailed how WebSockets could be exploited for malicious gain.
WebSocket support is currently available in the latest Chrome, Firefox, Safari and IE 10 web browsers. According to the two researchers, WebSockets are already in use by websites and embedded applications around the world today, and often without proper security.
“We think that user capacity may be an issue with WebSockets if it’s not implemented in the right way,” Toukharian told eSecurityPlanet. “WebSockets can be used for lots of things, but they shouldn’t be used for all of the items on a web page.”
He stressed that WebSockets don’t make sense to use in applications that don’t need bi-directional communications or a fast response time.