From c77d4be7ae5cb2170153f2743b2fc885ce1c85ae Mon Sep 17 00:00:00 2001 From: Dirk Wetter Date: Mon, 16 Dec 2024 20:48:29 +0100 Subject: [PATCH] CSWH + CWE - Add term CSWH for the exploit - Add reference to CWE --- .../11-Client-side_Testing/10-Testing_WebSockets.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/v42/4-Web_Application_Security_Testing/11-Client-side_Testing/10-Testing_WebSockets.md b/v42/4-Web_Application_Security_Testing/11-Client-side_Testing/10-Testing_WebSockets.md index 54b4de78..13c10b3b 100644 --- a/v42/4-Web_Application_Security_Testing/11-Client-side_Testing/10-Testing_WebSockets.md +++ b/v42/4-Web_Application_Security_Testing/11-Client-side_Testing/10-Testing_WebSockets.md 
@@ -21,7 +21,7 @@ Traditionally, the HTTP protocol only allows one request/response per TCP connec ### Origin -It is the server’s responsibility to verify the [`Origin` header](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Origin) in the initial HTTP WebSocket handshake. If the server does not validate the origin header in the initial WebSocket handshake, the WebSocket server may accept connections from any origin. This could allow attackers to communicate with the WebSocket server cross-domain allowing for CSRF-like issues. See also [Top 10-2017 A5-Broken Access Control](https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control). +It is the server’s responsibility to verify the [`Origin` header](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Origin) in the initial HTTP WebSocket handshake. If the server does not validate the origin header in the initial WebSocket handshake, the WebSocket server may accept connections from any origin. This could allow attackers to communicate with the WebSocket server cross-domain allowing for CSRF-like issues. See also [Top 10-2017 A5-Broken Access Control](https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control). The exploit for this weakness is called Cross-Origin Websocket Hijacking (CSWH). ### Confidentiality and Integrity 
@@ -85,6 +85,7 @@ Gray-box testing is similar to black-box testing. In gray-box testing, the pen-t - [HTML5 Rocks - Introducing WebSockets: Bringing Sockets to the Web](https://www.html5rocks.com/en/tutorials/websockets/basics/) - [W3C - The WebSocket API](https://html.spec.whatwg.org/multipage/web-sockets.html#network) - [IETF - The WebSocket Protocol](https://tools.ietf.org/html/rfc6455) +- [Missing Origin Validation in WebSockets](https://cwe.mitre.org/data/definitions/1385.html) - [Christian Schneider - Cross-Site WebSocket Hijacking (CSWSH)](http://www.christian-schneider.net/CrossSiteWebSocketHijacking.html) - [Jussi-Pekka Erkkilä - WebSocket Security Analysis (PDF)](http://juerkkil.iki.fi/files/writings/websocket2012.pdf) - [Robert Koch- On WebSockets in Penetration Testing](http://www.ub.tuwien.ac.at/dipl/2013/AC07815487.pdf)
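Review bot: the sentence appended to the Origin paragraph in the first hunk names the attack "Cross-Origin Websocket Hijacking (CSWH)", which conflicts with the reference this same file already cites, "Christian Schneider - Cross-Site WebSocket Hijacking (CSWSH)"; the commit subject uses CSWH as well. Pick one term and abbreviation and match the cited source: `The exploit for this weakness is called Cross-Site WebSocket Hijacking (CSWSH).` That also corrects "Websocket" to "WebSocket", the spelling used everywhere else in the paragraph.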
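Review bot: the reference added in the second hunk, `- [Missing Origin Validation in WebSockets](https://cwe.mitre.org/data/definitions/1385.html)`, drops the source prefix the neighbouring entries carry (`W3C - `, `IETF - `) and leaves the CWE identifier visible only in the URL. Suggest `- [CWE-1385 - Missing Origin Validation in WebSockets](https://cwe.mitre.org/data/definitions/1385.html)` so the entry reads consistently with the rest of the list and the weakness can be cited by its ID.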