The WebSocket protocol and security : best practices and worst weaknesses
1University of Oulu, Faculty of Information Technology and Electrical Engineering, Department of Information Processing Science, Information Processing Science
|Online Access:||PDF Full Text (PDF, 1.5 MB)|
|Persistent link:|| http://urn.fi/URN:NBN:fi:oulu-201603081281
|Publish Date:|| 2016-03-16
|Thesis type:||Master's thesis
Modern web applications need reliable communication between the servers and the clients in order to access information from databases or to insert user defined input into the applications. Even today, when the web sites are something completely different from what they were originally designed to be, they still rely on the original protocols. These protocols, e.g. HTML, have been updated a few times. The transition from HTML 4.1. to HTML5 introduced many new features and techniques, such as the WebSocket protocol. Auditing different protocols from the security perspective is one of the key methods for enhancing the reliability of the protocols under testing. The results provided by the testing often reveal vulnerabilities or at the very least suggestions for future development. These results are then assigned to the developers or the community and hopefully these issues are then addressed. In this thesis Design Science Research Methodology was used to research the WebSocket protocol and also a few commonly used server implementations for this protocol. Moreover, statistics on how widely WebSockets are used in web applications was also looked into. The research showed that the protocol in itself has dealt with the security aspect and that the protocol specification states clearly on how the protocol should work when applied according to the documentation. However, as there is a delicate balance between usability and security, the scale has favoured usability over security on a number of occasions by reducing the safety of the protocol to some degree.