Investigating WebSocket Server Security - Beyond HTTP

Explore the often-overlooked security aspects of WebSocket servers in this 48-minute OWASP Foundation talk by Erik Elbieh, a security researcher and consultant at Palindrome Technologies. Delve into the widespread use of WebSockets since their inception in 2010, examining their prevalence in messaging platforms, finance websites, chat bots, real-time mapping applications, and even the Kubernetes API. Learn about the distinct nature of WebSocket servers compared to traditional web servers and understand why they have escaped rigorous security scrutiny. Discover a new tool suite designed to support future WebSockets research, including utilities for discovering WebSocket server endpoints, fingerprinting servers, and detecting vulnerabilities. Gain insights into implementation-level differences across various open-source libraries and explore the talk's comprehensive syllabus covering WebSocket basics, security history, scanning techniques, fingerprinting methods, and vulnerability detection strategies.