The application's WebSocket endpoint does not authenticate the client during the handshake, does not authorize the actions carried in individual messages, and does not validate message content. Because the WebSocket handshake is an ordinary HTTP request that the browser sends with the user's cookies attached and that is not governed by the same-origin policy, any page a victim visits can open a connection to the endpoint, and any connected client can deliver arbitrary messages to the server-side handlers.
An attacker could hijack an authenticated user's connection through cross-site WebSocket hijacking (a malicious page opening a connection that the browser authenticates with the victim's cookies), inject crafted messages into server-side handlers, read real-time data intended for the victim, or bypass origin-based access controls.
Validate the Origin header during the WebSocket handshake against an allowlist of trusted origins and reject mismatches with an HTTP 403 before the upgrade completes; note that this only defeats browser-driven hijacking, since a non-browser client can set any Origin it likes, so it is not a substitute for authentication. Require an explicit authentication token for WebSocket connections rather than relying on the session cookie alone, verify it before completing the upgrade, bind the connection to the authenticated identity, and re-check authorization for each message against that identity. Apply strict input validation to every WebSocket message: enforce a size limit, parse against a fixed schema, reject unknown message types and fields, and treat message content as untrusted in every downstream handler. Use the WSS (WebSocket Secure) protocol for encrypted transport so that tokens and real-time data cannot be intercepted or modified in transit.