Research and Defense of Cross-Site WebSocket Hijacking Vulnerability

The WebSocket protocol is part of the HTML5 standard specification. It is a new network communication protocol that provides a full-duplex communication mechanism between the client and the server. The emergence of WebSocket brings good news for real-time web communication, but the corresponding WebSocket vulnerabilities are gradually exposed, among which the Cross Site WebSocket Hijacking is relatively harmful and easy to be ignored. The paper mainly explores the principle of WebScoket's cross-site hijacking vulnerability, and proposes a one-time random token scheme based on mixed encryption to solve the cross-site WebSocket hijacking vulnerability, and finally tests the scheme to verify its effectiveness.