Back to Blog
medium SEVERITY6 min read

Insecure WebSocket Vulnerability: Why WSS Should Always Replace WS

A medium-severity vulnerability was discovered in a JavaScript streaming application where insecure WebSocket (ws://) connections were being used instead of secure WebSocket (wss://) connections. This security gap could expose sensitive data to man-in-the-middle attacks, allowing attackers to intercept and manipulate real-time communication between clients and servers.

O
By orbisai0security
March 6, 2026
#websocket#security#encryption#tls#javascript#networking#mitm-attack

Introduction: The Hidden Danger in Real-Time Communication

WebSockets have revolutionized how we build real-time applications—from chat systems and live dashboards to streaming services and collaborative tools. However, with great power comes great responsibility. A recently patched vulnerability in a streaming application serves as a critical reminder: using insecure WebSocket connections (ws://) instead of secure ones (wss://) can expose your users to serious security risks.

This vulnerability, classified as medium severity, was found in a JavaScript streaming record implementation. While it might seem like a simple oversight, the implications of transmitting data over unencrypted WebSocket connections can be severe, especially when handling sensitive user information or authentication tokens.

The Vulnerability Explained

What Are WebSockets?

WebSockets provide full-duplex communication channels over a single TCP connection, enabling real-time, bidirectional data exchange between clients and servers. Unlike traditional HTTP requests, WebSocket connections remain open, allowing for instant data transmission without the overhead of repeated handshakes.

The Security Gap: WS vs. WSS

The vulnerability stems from using the ws:// protocol instead of wss://:

  • ws:// - Unencrypted WebSocket connection (similar to HTTP)
  • wss:// - Encrypted WebSocket connection over TLS/SSL (similar to HTTPS)

When you use ws://, all data transmitted through the WebSocket connection travels in plain text. This means:

  1. No encryption: Data is readable by anyone who can intercept the network traffic
  2. No authentication: No guarantee you're connecting to the legitimate server
  3. No integrity checking: Data can be modified in transit without detection

How Could This Be Exploited?

An attacker positioned between the client and server (man-in-the-middle attack) could:

1. Eavesdropping

User  [Attacker listening]  Server
"password123" transmitted in plain text

The attacker captures sensitive information like authentication tokens, personal messages, or financial data.

2. Data Manipulation

// Original message from client
{ "action": "transfer", "amount": 100, "to": "user123" }

// Modified by attacker
{ "action": "transfer", "amount": 10000, "to": "attacker456" }

3. Session Hijacking

If authentication tokens are transmitted over insecure WebSockets, attackers can steal these credentials and impersonate legitimate users.

Real-World Attack Scenario

Imagine a live streaming application where users can interact with broadcasters:

// Vulnerable code
const ws = new WebSocket('ws://streaming-app.com/live');

ws.onopen = () => {
    // User sends authentication token
    ws.send(JSON.stringify({
        token: 'user_auth_token_12345',
        action: 'join_stream'
    }));
};

An attacker on the same public WiFi network could:
1. Intercept the authentication token
2. Use it to impersonate the user
3. Access private streams or perform actions on behalf of the victim
4. Inject malicious messages into the chat stream

The Fix: Upgrading to Secure WebSockets

The Solution

The fix is straightforward but critical: always use wss:// for WebSocket connections. Here's what the secure implementation looks like:

Before (Vulnerable):

// Insecure WebSocket connection
const socket = new WebSocket('ws://example.com/stream');

socket.onopen = function() {
    console.log('Connected to stream');
    socket.send(JSON.stringify({
        userId: getCurrentUserId(),
        sessionToken: getSessionToken()
    }));
};

socket.onmessage = function(event) {
    const data = JSON.parse(event.data);
    processStreamData(data);
};

After (Secure):

// Secure WebSocket connection with TLS/SSL
const socket = new WebSocket('wss://example.com/stream');

socket.onopen = function() {
    console.log('Securely connected to stream');
    socket.send(JSON.stringify({
        userId: getCurrentUserId(),
        sessionToken: getSessionToken()
    }));
};

socket.onmessage = function(event) {
    const data = JSON.parse(event.data);
    processStreamData(data);
};

// Add error handling for security
socket.onerror = function(error) {
    console.error('WebSocket error:', error);
    // Implement fallback or retry logic
};

Dynamic Protocol Selection

For applications that need to work in both development and production:

// Automatically use secure protocol in production
const protocol = window.location.protocol === 'https:' ? 'wss:' : 'ws:';
const wsUrl = `${protocol}//${window.location.host}/stream`;
const socket = new WebSocket(wsUrl);

Better approach for production:

// Always prefer wss:// and only fall back for local development
const isLocalDev = window.location.hostname === 'localhost' || 
                   window.location.hostname === '127.0.0.1';
const protocol = isLocalDev ? 'ws:' : 'wss:';
const socket = new WebSocket(`${protocol}//${window.location.host}/stream`);

How This Solves the Problem

By using wss://:

  1. Encryption: All data is encrypted using TLS/SSL, making it unreadable to interceptors
  2. Server Authentication: SSL certificates verify you're connecting to the legitimate server
  3. Data Integrity: Cryptographic checksums ensure data hasn't been tampered with
  4. Compliance: Meets security standards and regulatory requirements (PCI DSS, HIPAA, GDPR)

Prevention & Best Practices

1. Enforce WSS in Production

Configure your application to reject insecure WebSocket connections in production:

// Configuration file
const config = {
    development: {
        wsProtocol: 'ws://',
        allowInsecure: true
    },
    production: {
        wsProtocol: 'wss://',
        allowInsecure: false
    }
};

// Connection logic
function createWebSocket(endpoint) {
    const env = process.env.NODE_ENV || 'development';
    const protocol = config[env].wsProtocol;

    if (env === 'production' && protocol !== 'wss://') {
        throw new Error('Insecure WebSocket connections not allowed in production');
    }

    return new WebSocket(`${protocol}${endpoint}`);
}

2. Server-Side Configuration

Ensure your server properly supports WSS:

// Node.js with Express and ws library
const https = require('https');
const fs = require('fs');
const WebSocket = require('ws');

const server = https.createServer({
    cert: fs.readFileSync('/path/to/cert.pem'),
    key: fs.readFileSync('/path/to/key.pem')
});

const wss = new WebSocket.Server({ server });

wss.on('connection', (ws) => {
    console.log('Secure WebSocket connection established');

    ws.on('message', (message) => {
        // Handle messages securely
    });
});

server.listen(443);

3. Content Security Policy (CSP)

Add CSP headers to restrict WebSocket connections:

Content-Security-Policy: connect-src 'self' wss://yourdomain.com

This prevents connections to unauthorized WebSocket endpoints.

4. Automated Security Scanning

Implement tools to detect insecure WebSocket usage:

ESLint Configuration:

{
    "rules": {
        "no-insecure-websocket": "error"
    }
}

Semgrep Rule:

rules:
  - id: insecure-websocket
    pattern: new WebSocket("ws://...")
    message: Use wss:// instead of ws:// for secure WebSocket connections
    severity: WARNING
    languages: [javascript, typescript]

5. Security Checklist for WebSocket Implementation

  • [ ] Use wss:// for all production WebSocket connections
  • [ ] Implement proper authentication and authorization
  • [ ] Validate and sanitize all incoming WebSocket messages
  • [ ] Use secure session tokens with proper expiration
  • [ ] Implement rate limiting to prevent abuse
  • [ ] Add comprehensive error handling
  • [ ] Log security-relevant events
  • [ ] Regularly update WebSocket libraries
  • [ ] Conduct security audits and penetration testing

6. References and Standards

  • OWASP: WebSocket Security Cheat Sheet
  • CWE-319: Cleartext Transmission of Sensitive Information
  • CWE-300: Channel Accessible by Non-Endpoint
  • RFC 6455: The WebSocket Protocol
  • NIST Guidelines: Use of TLS/SSL for all network communications

Conclusion

The transition from ws:// to wss:// might seem like a minor change—just three characters—but it represents a fundamental shift in security posture. This vulnerability fix demonstrates that security isn't always about complex cryptographic implementations or sophisticated attack prevention; sometimes it's about making the right choice with the tools already available to us.

Key Takeaways:

  1. Never use ws:// in production environments where sensitive data is transmitted
  2. Encryption should be the default, not an afterthought
  3. Automated security scanning can catch these issues before they reach production
  4. Defense in depth: Secure WebSockets are just one layer; implement comprehensive security measures

As developers, we have a responsibility to protect our users' data. By enforcing secure WebSocket connections and following security best practices, we can build real-time applications that are both powerful and secure.

Remember: If you wouldn't send it over HTTP, don't send it over WS. Always choose WSS.

Have you found similar vulnerabilities in your codebase? Share your experiences and security practices in the comments below. Stay secure, and happy coding!

View the Security Fix

Check out the pull request that fixed this vulnerability

View PR #3155
View Repository →

Related Articles

medium

Mass Assignment Vulnerability: Why Your Rails Models Need attr_accessible

A medium-severity mass assignment vulnerability was identified in a Ruby on Rails model that lacked proper attribute whitelisting via `attr_accessible` or strong parameters. Without this protection, attackers can manipulate any model attribute through crafted HTTP requests, potentially escalating privileges or corrupting data. The fix enforces explicit attribute allowlisting, closing the door on unauthorized mass assignment exploitation.

medium

Integer Overflow in Shared Memory Bounds Check: How a Missing Cast Opened the Door to Arbitrary Memory Writes

A subtle but dangerous integer overflow vulnerability was discovered in `lib/rpmi_shmem.c`, where bounds checks on shared memory operations could be silently bypassed due to 32-bit arithmetic overflow. By carefully crafting `offset` and `len` values, an OS-level or hypervisor-level caller could direct firmware writes to arbitrary memory addresses — including interrupt vector tables and security-critical configuration structures. The fix was elegantly simple: casting operands to 64-bit before add

medium

Buffer Overflow in Freestanding Runtime: How Unsafe strcpy() Puts Bare-Metal Systems at Risk

A critical buffer overflow vulnerability was discovered in the freestanding runtime's custom string library, where `strcpy()` and `memcpy()` implementations lacked any bounds checking whatsoever. In a bare-metal or kernel-like environment with no OS-level memory protection, this flaw could allow an attacker to overwrite adjacent memory regions — including function pointers and security-critical state — with arbitrary data. The fix introduces a safe `strlcpy()` implementation that enforces destin

medium

Integer Overflow in Packet Reassembly: How One Missing Check Enables Heap Corruption

A critical heap buffer overflow vulnerability was discovered in the network packet reassembly function of `net_channel_ex.c`, where an attacker-controlled `bodylen` field could be used to corrupt heap memory without any bounds validation. The fix introduces a simple yet effective integer overflow check before accumulating packet body lengths, preventing malformed packets from triggering memory corruption. This type of vulnerability is a stark reminder that even low-level arithmetic operations in

medium

Buffer Overflow via Unsafe sprintf() in C Game Menu: How Shared Campaign Files Could Lead to Code Execution

A series of unbounded `sprintf()` calls in `src/mainmenu.c` created a realistic buffer overflow attack chain, allowing an attacker to craft a malicious campaign file that triggers arbitrary code execution when loaded by a victim. The fix replaces each unsafe `sprintf()` with `snprintf()`, enforcing strict buffer size limits and eliminating the overflow conditions. Because campaign files are routinely shared in game communities, this vulnerability required no special access and posed a significan

medium

HTTP Basic Auth Over Plain HTTP: How ESP32 Credentials Were Exposed on Your Wi-Fi

A medium-severity vulnerability in the ESP32-audioI2S library allowed audio streaming credentials to be transmitted via HTTP Basic Authentication over unencrypted HTTP connections, making them trivially recoverable by anyone on the same network. The fix gates the Authorization header behind an SSL/TLS check, ensuring credentials are only sent when the connection is encrypted. For embedded IoT devices where credentials are often hardcoded in firmware, this kind of passive interception risk is esp