 

Why does the server in a websocket request have to answer a challenge?

Tags:

websocket

I'm reading the websocket specification and it says:

Finally, the server has to prove to the client that it received the client's WebSocket handshake, so that the server doesn't accept connections that are not WebSocket connections. This prevents an attacker from tricking a WebSocket server by sending it carefully-crafted packets using |XMLHttpRequest| or a |form| submission.

I've read it several times, but it's still not clear to me as to why this is necessary.

dan_waterworth asked Jun 16 '11 12:06





1 Answer

The challenge-response mechanism forces the server to make sure that the client is a legit WebSocket client, and not a script doing funny stuff.

The challenge is sent in a "Sec-WebSocket-Key" HTTP header. Since browsers make sure that scripts cannot set "Sec-*" headers, this prevents a script from opening a WebSocket connection through an XMLHttpRequest.

If the server did not have to answer the challenge, it is possible that some lazy servers would ignore the "Sec-WebSocket-*" headers completely, leaving clients unprotected from rogue scripts.

It may also be a way of allowing the client to verify that it is talking to a WebSocket server, but I think that is not the main reason, since the server has to send a 101 Switching Protocols status code anyway, along with an "Upgrade: websocket" header.

suriv answered Sep 22 '22 14:09

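The handshake the answer describes, worked through in Python as an added example (this is not code from the question, the answer, or the WebSocket specification). It shows both halves of the Sec-WebSocket-Key / Sec-WebSocket-Accept exchange: the server derives the accept value from the client's key and the fixed RFC 6455 GUID, and the client refuses to treat the socket as open unless that value comes back. The key and accept values are the sample pair given in RFC 6455 section 1.3; the request and response texts and all function names are constructed for this example.

```python
import base64
import binascii
import hashlib
import hmac
import os

# Fixed GUID from RFC 6455, section 1.3. It is a protocol constant, not a secret:
# the point is not secrecy but proving the server ran WebSocket-specific logic.
WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"


def make_client_key():
    """Client side: 16 random bytes, base64-encoded, sent as Sec-WebSocket-Key."""
    return base64.b64encode(os.urandom(16)).decode("ascii")


def compute_accept(client_key):
    """Server side: the value the server must send back in Sec-WebSocket-Accept."""
    digest = hashlib.sha1((client_key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def parse_head(raw):
    """Split a raw HTTP/1.1 message head into (start line, {lowercased name: value})."""
    head = raw.partition("\r\n\r\n")[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def build_request(client_key):
    """Client side: the opening handshake (request text constructed for this example)."""
    return (
        "GET /chat HTTP/1.1\r\n"
        "Host: server.example.com\r\n"
        "Upgrade: websocket\r\n"
        "Connection: Upgrade\r\n"
        f"Sec-WebSocket-Key: {client_key}\r\n"
        "Sec-WebSocket-Version: 13\r\n\r\n"
    )


def server_response(raw_request):
    """Server side: answer the challenge, or refuse anything that is not a WebSocket handshake."""
    start, h = parse_head(raw_request)
    key = h.get("sec-websocket-key", "")
    try:
        key_ok = len(base64.b64decode(key, validate=True)) == 16
    except binascii.Error:
        key_ok = False
    if not (start.startswith("GET ")
            and h.get("upgrade", "").lower() == "websocket"
            and "upgrade" in h.get("connection", "").lower()
            and h.get("sec-websocket-version") == "13"
            and key_ok):
        # A form POST or plain XHR never carries a valid handshake, so it stops here.
        return "HTTP/1.1 400 Bad Request\r\nConnection: close\r\n\r\n"
    return (
        "HTTP/1.1 101 Switching Protocols\r\n"
        "Upgrade: websocket\r\n"
        "Connection: Upgrade\r\n"
        f"Sec-WebSocket-Accept: {compute_accept(key)}\r\n\r\n"
    )


def client_accepts(raw_response, client_key):
    """Client side: treat the socket as open only if the server proved it saw our key."""
    start, h = parse_head(raw_response)
    if not start.startswith("HTTP/1.1 101"):
        return False
    if h.get("upgrade", "").lower() != "websocket":
        return False
    if "upgrade" not in h.get("connection", "").lower():
        return False
    got = h.get("sec-websocket-accept", "").encode("utf-8")
    expected = compute_accept(client_key).encode("ascii")
    return hmac.compare_digest(got, expected)


# Sample key and accept value from RFC 6455 section 1.3.
RFC_KEY = "dGhlIHNhbXBsZSBub25jZQ=="
RFC_ACCEPT = "s3pPLMBiTxaQ9kYGzzhZRbK+xOo="

# Constructed: a "lazy" server that upgrades without answering the challenge.
LAZY_RESPONSE = (
    "HTTP/1.1 101 Switching Protocols\r\n"
    "Upgrade: websocket\r\n"
    "Connection: Upgrade\r\n\r\n"
)

# Constructed: roughly what a browser sends for a <form> submission aimed at the endpoint.
FORM_POST = (
    "POST /chat HTTP/1.1\r\n"
    "Host: server.example.com\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 11\r\n\r\n"
    "msg=payload"
)

if __name__ == "__main__":
    key = make_client_key()
    print("RFC sample accept matches:", compute_accept(RFC_KEY) == RFC_ACCEPT)
    print("honest server accepted:", client_accepts(server_response(build_request(key)), key))
    print("lazy server accepted:", client_accepts(LAZY_RESPONSE, key))
    print("form POST gets:", server_response(FORM_POST).split("\r\n")[0])
```

Two things to notice when running it: the "lazy" server that sends 101 plus Upgrade but no Sec-WebSocket-Accept is rejected by the client even though the status line and headers look right, and the form-shaped POST is refused by the server before any frame is ever read. The compare uses hmac.compare_digest out of habit rather than necessity; the accept value is derived from public data, so a timing leak would not reveal anything useful.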