---
id: "prereq-websocket-security"
type: "prereq"
source_timestamps: ["00:15:48"]
tags: ["cybersecurity", "web-protocols"]
related: ["concept-cswsh-vulnerability"]
reason: "Explains the specific mechanism that allowed remote attackers to gain local code execution on OpenClaw instances."
sources: ["s16-openclaw-saga"]
sourceVaultSlug: "s16-openclaw-saga"
originDay: 16
---
# WebSocket Origin Validation

## Why You Need This

Understanding the [[concept-cswsh-vulnerability]] requires familiarity with how WebSockets work and what protections they require.

## Key Mechanics

- WebSockets establish persistent, bidirectional connections initiated via an HTTP upgrade handshake
- Unlike normal CORS-protected fetch requests, WebSockets are **not subject to the Same-Origin Policy** by default
- The server must **explicitly validate the `Origin` header** during the handshake
- If the server skips this check, **any web page** the user visits can open a WebSocket to the user's locally-running service

## The OpenClaw Failure Mode

1. Victim runs [[concept-openclaw-d16]] on localhost
2. Victim visits an attacker-controlled webpage
3. The page opens a WebSocket to `ws://localhost:<port>/`
4. OpenClaw server **does not validate Origin**
5. Attacker's JS now has an authenticated channel to the gateway
6. → token theft → safety controls disabled → one-click RCE

## Reference

- RFC 6455 (the WebSocket protocol)
- OWASP CSWSH cheat sheet

## Related Action

[[action-audit-agent-security]] — agent operators must explicitly verify Origin validation.