Coverage Reference

v4 Issue Classes

The strongest WSHawk findings in v4 usually come from replay, AuthZ diffing, race testing, and evidence review.

Cross-Tenant or Cross-Role Authorization Exposure

HIGH / CRITICAL
WSH-V4-001

Description: The same HTTP or WebSocket action behaves differently across identities in a way that exposes data or state changes to the wrong user.

Remediation: Enforce server-side object, tenant, and role authorization on every action. Do not rely on client-provided identifiers alone.

Duplicate Execution and Race Windows

HIGH / CRITICAL
WSH-V4-002

Description: Parallel or replayed actions are accepted more than once because the backend invalidates state too late or not at all.

Remediation: Add idempotency, atomic invalidation, and server-side duplicate protection for state-changing actions.
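
Added example, not WSHawk code: the WSH-V4-002 remediation shown as a check-then-act handler beside a single conditional UPDATE that checks and invalidates in one step. The SQLite voucher table, the function names, and the `window` hook (which stands in for backend latency) are assumptions constructed for illustration.

```python
import os
import sqlite3
import tempfile
import threading

def make_db():
    """Create a throwaway SQLite file holding one unused voucher (constructed data)."""
    path = os.path.join(tempfile.mkdtemp(), "demo.db")
    db = sqlite3.connect(path)
    db.executescript("CREATE TABLE voucher (code TEXT PRIMARY KEY, used INTEGER NOT NULL);"
                     "INSERT INTO voucher VALUES ('DEMO-1', 0);")
    db.close()
    return path

def redeem_check_then_act(path, code, window=lambda: None):
    """Weak pattern: read the state, do the work, invalidate afterwards."""
    db = sqlite3.connect(path, timeout=10, isolation_level=None)
    try:
        rows = db.execute("SELECT used FROM voucher WHERE code = ?", (code,)).fetchall()
        if not rows or rows[0][0]:
            return False
        window()  # gap between the check and the invalidation
        db.execute("UPDATE voucher SET used = 1 WHERE code = ?", (code,))
        return True
    finally:
        db.close()

def redeem_atomic(path, code, window=lambda: None):
    """Hardened pattern: one conditional UPDATE both checks and invalidates."""
    db = sqlite3.connect(path, timeout=10, isolation_level=None)
    try:
        window()  # line all requests up so they hit the UPDATE together
        cur = db.execute("UPDATE voucher SET used = 1 WHERE code = ? AND used = 0", (code,))
        return cur.rowcount == 1  # only the request that flipped the row is accepted
    finally:
        db.close()

def accepted_in_parallel(redeem, n=6):
    """Send n simultaneous requests for the same voucher; return how many were accepted."""
    path, barrier, results = make_db(), threading.Barrier(n), []
    def worker():
        results.append(redeem(path, "DEMO-1", barrier.wait))
    threads = [threading.Thread(target=worker) for _ in range(n)]
    for t in threads: t.start()
    for t in threads: t.join()
    return sum(results)

if __name__ == "__main__":
    print("check-then-act accepted:", accepted_in_parallel(redeem_check_then_act))
    print("atomic update accepted: ", accepted_in_parallel(redeem_atomic))
```

The same conditional-write idea carries over to idempotency keys: insert the key under a unique constraint and treat a constraint violation as a duplicate.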

Cross-Site WebSocket Hijacking (CSWSH)

HIGH
WSH-V4-003

Description: The server accepts WebSocket connections from untrusted origins or fails to bind the handshake tightly enough to the real session context.

Remediation: Validate Origin strictly, bind sessions correctly, and avoid relying on cookies without proper cross-site protections.

Injection and Parser Abuse

HIGH / CRITICAL
WSH-V4-004

Description: Structured message fields can trigger SQLi, NoSQLi, command injection, traversal, SSTI, or related parser abuse when replayed or fuzzed.

Remediation: Use strict input handling, parameterized queries, and safe server-side parsing instead of string-built execution paths.

XSS with Browser-Side Evidence

MEDIUM / CRITICAL
WSH-V4-005

Description: Reflected or DOM-style payloads execute in a client-side context and can be supported with browser-assisted evidence.

Remediation: Apply context-correct output encoding, safe DOM usage, and CSP that matches the target deployment model.

Blind SSRF and XXE

HIGH / CRITICAL
WSH-V4-006

Description: The backend makes unexpected outbound requests or resolves attacker-controlled references without returning useful proof in-band.

Remediation: Lock down XML parsers, enforce egress controls, and validate outbound request destinations.

Session and Identity Misuse

HIGH
WSH-V4-007

Description: Captured sessions, stale tokens, or browser-derived identity context can be replayed more widely than intended.

Remediation: Tighten token scope, invalidation timing, server-side session checks, and per-action authorization enforcement.