AppCheck Security Blog

FEATURED POST

Shell Shock Vulnerability – Use AppCheck NG to Discover if You Are Affected

In this article we are going to take a look at one of the newer technologies used in modern web applications: WebSockets, which were standardized by the Internet Engineering Task Force (IETF) in 2011.
Insecure Direct Object Reference (IDOR) is a common web application vulnerability that allows an attacker to bypass misconfigured logical access controls and access sensitive data. In this article, we will step through what IDOR is, how it is often introduced as a vulnerability, how an attacker is able to exploit it, and how to defend against it.
CyberWhite sat down with our Head of Development, Graham Bacon, to discuss all things AppCheck.
Essentially, a SPA is a client-side dynamic web application that makes a full HTML page load initially but thereafter responds to all DOM events, initiated by actions such as clicking on links, by dynamically rewriting the current web page, rather than having the browser load entire new pages as a traditional “multi-page” web application does by default.
Cross-Site Tracing is a particularly elaborate vulnerability that, like cross-site scripting, involves the ability to move data between different origins (essentially between different web sites, within the context of this article) in an exploitative way that bypasses controls intended to prevent such transfer.
In this article, we take a look at the security model that the Web Messaging API (a.k.a. “Cross-Document Messaging”) is built on, why the security measures that it introduces are necessary, and some of the potential misconfigurations that can undermine the API’s security model.
