Username Hash Found in WebSocket message

Risk:
Informational

Type:
WebSocket Passive

CWE:
CWE-284

Summary: A Example hash of {Example / context: Example} was found in incoming WebSocket message. This may indicate that the application is subject to an Insecure Direct Object Reference (IDOR) vulnerability. Manual testing will be required to see if this discovery can be abused.

Solution: Use per user or session indirect object references (create a temporary mapping at time of use). Or, ensure that each use of a direct object reference is tied to an authorization check to ensure the user is authorized for the requested object.

References

https://cheatsheetseries.owasp.org/cheatsheets/Insecure_Direct_Object_Reference_Prevention_Cheat_Sheet.html

https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/05-Authorization_Testing/04-Testing_for_Insecure_Direct_Object_References

Free security scan for your website

Don't show website scan report rating on the leaderboard