WebSockets simplify the communication between browsers and servers by overcoming some of the traditional restrictions. The WebSocket protocol uses application layer (L7) to allow a client and server to perform bidirectional (full duplix) communication. This makes it possible to create dynamic, real-time web applications such as instant messaging and photo sharing apps.
Virtually any web security vulnerability that arises with regular HTTP can also arise in relation to WebSockets communications. WebSocket hijacking attacks can lead to many vulnerabilities such as XSS, SQL injection, XXE, sensitive information disclosure, MiTM attacks, Denial of Service attacks etc. If exploitable, these attacks can lead to critical results.
See also: API Attack