We take security seriously. If you believe you have discovered a vulnerability, please file an issue.
WebSockets are not inherently dangerous, but what comes out of them might well be.
In order to avoid data poisoning attacks, please never directly run any code from the internet that you do not trust.
Please also assume all WebSockets are untrustworthy.
There are a few easy ways to do this.
WebSocket responses should never:
- Be piped into `Invoke-Expression`
- Be expanded with `.ExpandString`
- Be directly placed into a `SQL` query
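
One way to handle an incoming message as data rather than code, as an added example that is not part of this project's code. The sample payload, the `Events` table and both function names are constructed for illustration, and the `@name` parameter placeholder assumes a provider such as SQL Server or SQLite.

```powershell
# Constructed sample: the text of one WebSocket message, treated as untrusted.
$message = '{"action":"log","user":"alice''; DROP TABLE Events;--","note":"$(Get-Date)"}'

# The three patterns from the list above, shown only as comments:
#   $message | Invoke-Expression
#   $ExecutionContext.InvokeCommand.ExpandString($message)
#   "INSERT INTO Events (UserName) VALUES ('$($data.user)')"

function ConvertFrom-UntrustedMessage {
    param([Parameter(Mandatory)][string]$Text)
    # Parse as data only; ConvertFrom-Json does not evaluate the content.
    try { $data = $Text | ConvertFrom-Json -ErrorAction Stop }
    catch { throw 'Rejected: message is not valid JSON.' }
    # Allowlist the one field that selects behavior (hypothetical actions).
    if ($data.action -notin @('log', 'ping')) {
        throw 'Rejected: unexpected action.'
    }
    # Cast every field to a plain string and bound its length.
    $user = [string]$data.user
    $note = [string]$data.note
    if ($user.Length -gt 64 -or $note.Length -gt 256) {
        throw 'Rejected: field too long.'
    }
    [pscustomobject]@{ Action = [string]$data.action; User = $user; Note = $note }
}

function New-EventInsertCommand {
    param(
        [Parameter(Mandatory)][System.Data.Common.DbConnection]$Connection,
        [Parameter(Mandatory)][psobject]$Record
    )
    # The SQL text is a constant; message values travel only as parameters.
    $cmd = $Connection.CreateCommand()
    $cmd.CommandText = 'INSERT INTO Events (UserName, Note) VALUES (@user, @note)'
    foreach ($pair in @{ '@user' = $Record.User; '@note' = $Record.Note }.GetEnumerator()) {
        $p = $cmd.CreateParameter()
        $p.ParameterName = $pair.Key
        $p.Value = $pair.Value
        [void]$cmd.Parameters.Add($p)
    }
    $cmd
}

# The quote in "user" and the $(...) in "note" stay literal text.
$record = ConvertFrom-UntrustedMessage -Text $message
$record | Format-List
```

`New-EventInsertCommand` takes any open `DbConnection` the caller already has, so the same pattern applies regardless of the database provider in use.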