Introduction

WebSocket is an application-layer protocol that enables two-way communication between WebSocket clients and servers. Understanding how WebSockets work will help us identify vulnerabilities in web applications that utilize them.

---

What are WebSockets?

The Problem with HTTP/1.1

Before HTTP/2, servers could only send data in response to a client's request. Servers had no means of pushing data to clients unconditionally.

HTTP/1.1 Chat Room Example

┌─────────────────────────────────────────────────────────────────────────┐
│                    HTTP/1.1 Chat (Polling Required)                     │
├─────────────────────────────────────────────────────────────────────────┤
│                                                                         │
│  Alice sends message:                                                   │
│  POST /chat/bob {"message": "Hello Bob"} → Server → 200 OK             │
│                                                                         │
│  Bob must POLL for messages:                                           │
│  GET /messages → Server → {"messages": []}                             │
│  GET /messages → Server → {"messages": []}                             │
│  GET /messages → Server → {"messages": ["Hello Bob"]}  ← Finally!      │
│                                                                         │
│  Problem: Lots of unnecessary traffic, inefficient                     │
│                                                                         │
└─────────────────────────────────────────────────────────────────────────┘

WebSocket Solution

WebSocket enables full-duplex (bi-directional) message transmission:

• No polling required

• Messages sent/received instantly

• Connection remains open for extended period

• Either party can send data at any time

┌─────────────────────────────────────────────────────────────────────────┐
│                    WebSocket Chat (Real-time)                           │
├─────────────────────────────────────────────────────────────────────────┤
│                                                                         │
│  Alice: GET /chat/bob → 101 Switching Protocols                        │
│  Bob:   GET /chat/alice → 101 Switching Protocols                      │
│                                                                         │
│  Alice sends "Hello Bob" ──────────→ Server ──────────→ Bob            │
│                           (instant, no polling!)                        │
│                                                                         │
└─────────────────────────────────────────────────────────────────────────┘

---

WebSocket Protocol Schemes

Scheme	Description
ws://	WebSocket over unencrypted HTTP (insecure)
wss://	WebSocket over encrypted HTTPS (secure)

• HTTP server → typically ws:// (insecure)

• HTTPS server → should use wss:// (encrypted)

---

WebSocket Connection Establishment

Step 1: Client Initiates Handshake

JavaScript example:

const socket = new WebSocket('ws://websockets.htb/echo');

HTTP request sent:

GET /echo HTTP/1.1
Host: websockets.htb
Connection: Upgrade
Upgrade: websocket
Sec-WebSocket-Version: 13
Sec-WebSocket-Key: 7QpTshdCiQfiv3tH7myJ1g==
Origin: http://websockets.htb

Important Request Headers

Header	Value	Purpose
Connection	Upgrade	Indicates intent to upgrade connection
Upgrade	websocket	Specifies WebSocket protocol
Sec-WebSocket-Version	13	WebSocket protocol version (13 is latest)
Sec-WebSocket-Key	<unique_value>	Confirms client wants WebSocket (no security)
Origin	http://websockets.htb	Used for security purposes

Step 2: Server Responds

HTTP/1.1 101 Switching Protocols
Connection: Upgrade
Upgrade: websocket
Sec-WebSocket-Accept: QU/gD/2y41z9ygrOaGWgaC+Pm2M=

Response Headers

Header	Value	Purpose
Status	101 Switching Protocols	WebSocket connection established
Connection	Upgrade	Confirms upgrade
Upgrade	websocket	Confirms WebSocket
Sec-WebSocket-Accept	<derived_value>	Derived from client's Sec-WebSocket-Key; confirms server accepts

Step 3: Connection Established

After server response, WebSocket connection is open. Messages can be exchanged freely in both directions!

---

Summary

┌─────────────────────────────────────────────────────────────────────────┐
│                      WebSocket Handshake Flow                           │
├─────────────────────────────────────────────────────────────────────────┤
│                                                                         │
│  Client                                            Server               │
│    │                                                 │                  │
│    │──── GET /echo HTTP/1.1 ────────────────────────→│                  │
│    │     Connection: Upgrade                         │                  │
│    │     Upgrade: websocket                          │                  │
│    │     Sec-WebSocket-Key: xxx                      │                  │
│    │                                                 │                  │
│    │←─── HTTP/1.1 101 Switching Protocols ──────────│                  │
│    │     Sec-WebSocket-Accept: yyy                   │                  │
│    │                                                 │                  │
│    │═══════════ WebSocket Connection Open ══════════│                  │
│    │                                                 │                  │
│    │←────────────── Messages ──────────────────────→│                  │
│    │                                                 │                  │
└─────────────────────────────────────────────────────────────────────────┘