CSbyGB - Pentips

Websockets


Last updated 1 year ago

What is a websocket

A WebSocket is a communication protocol that provides full-duplex communication channels over a single, long-lived connection. Unlike traditional web communication, where a client sends a request and waits for a response, WebSocket allows for real-time, bidirectional communication between a client (like a web browser) and a server. This enables more interactive and dynamic web applications, as data can be sent and received at any time without the need to repeatedly establish new connections. WebSockets are commonly used in applications that require low-latency communication, such as online gaming, live chat, or financial trading platforms.

Websocket security

WebSocket implementations can be vulnerable if they are misconfigured or if the implementation itself is flawed. Common security considerations for WebSockets include:

  • Cross-Site WebSocket Hijacking (CSWSH): This occurs when an attacker tricks a user's browser into making an unintended WebSocket connection to a malicious server. Developers should implement proper origin checks and validation to prevent this.

  • Cross-Site Scripting (XSS): If an application is vulnerable to XSS attacks, attackers might inject malicious scripts into WebSocket messages, leading to potential security risks. Input validation and encoding should be used to mitigate XSS vulnerabilities.

  • Denial-of-Service (DoS) Attacks: WebSocket connections can be a target for DoS attacks, such as resource exhaustion attacks. Implementing rate limiting and connection throttling mechanisms can help mitigate these risks.

  • Insecure Transport: If WebSockets are not implemented over secure connections (HTTPS), there is a risk of data interception and man-in-the-middle attacks. Using WSS (WebSocket Secure) over TLS/SSL is recommended for securing WebSocket connections.

  • Authentication and Authorization Issues: Failing to properly authenticate and authorize users can lead to unauthorized access to WebSocket resources. Implement strong authentication mechanisms and ensure that only authorized users can establish WebSocket connections.

  • Data Validation and Sanitization: Ensure that data sent over WebSockets is validated and sanitized on the server side to prevent injection attacks and other malicious activities.

  • WebSockets with Same-Origin Policy Bypass: Developers should be cautious about potential security issues related to the same-origin policy. Properly configure CORS (Cross-Origin Resource Sharing) headers to control which origins are allowed to connect to the WebSocket server.
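As an added example (not code from this page or from CSbyGB's site), a minimal Python check of the WebSocket opening handshake that ties the handshake described in the first section to the origin and authentication points above: it computes Sec-WebSocket-Accept as RFC 6455 specifies and refuses cross-origin (CSWSH) and unauthenticated upgrade requests. The origin allowlist, the ticket store and the sample request are constructed assumptions; a missing Origin header is rejected as well.

```python
import base64
import hashlib
from urllib.parse import parse_qs, urlsplit

WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"  # RFC 6455 handshake GUID
ALLOWED_ORIGINS = {"https://app.example.com"}  # constructed allowlist (hypothetical)
VALID_TICKETS = {"t-7f3a"}  # constructed short-lived auth tickets (hypothetical)

# Constructed upgrade request; the key is the worked example from RFC 6455
SAMPLE_REQUEST = (
    "GET /chat?ticket=t-7f3a HTTP/1.1\r\nHost: app.example.com\r\n"
    "Upgrade: websocket\r\nConnection: Upgrade\r\n"
    "Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\nSec-WebSocket-Version: 13\r\n"
    "Origin: https://app.example.com\r\n\r\n"
)

def parse_handshake(raw: str) -> tuple:
    """Split an HTTP/1.1 upgrade request into (request path, lowercase header dict)."""
    head = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    parts = head[0].split(" ")
    path = parts[1] if len(parts) >= 2 else "/"
    headers = {}
    for line in head[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return path, headers

def accept_key(client_key: str) -> str:
    """Sec-WebSocket-Accept = base64(SHA-1(key + GUID)), RFC 6455 section 4.2.2."""
    digest = hashlib.sha1((client_key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")

def check_handshake(raw: str) -> tuple:
    """Return (HTTP status, detail); on 101 the detail is the Sec-WebSocket-Accept value."""
    path, h = parse_handshake(raw)
    if h.get("upgrade", "").lower() != "websocket" or "upgrade" not in h.get("connection", "").lower():
        return 400, "not a websocket upgrade"
    if h.get("sec-websocket-version") != "13" or "sec-websocket-key" not in h:
        return 400, "missing websocket headers"
    # CSWSH defence: browsers set Origin and page scripts cannot forge it, so reject
    # unknown (or absent) origins before trusting any cookies the browser attached.
    if h.get("origin") not in ALLOWED_ORIGINS:
        return 403, "origin not allowed"
    # Authentication: require a short-lived ticket issued to the logged-in user
    # rather than relying on the ambient session cookie alone.
    ticket = parse_qs(urlsplit(path).query).get("ticket", [""])[0]
    if ticket not in VALID_TICKETS:
        return 401, "missing or invalid ticket"
    return 101, accept_key(h["sec-websocket-key"])
```

A real server would also put the connection behind WSS and apply the rate limiting mentioned above; this block only covers the handshake decision.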

Tools

STEWS

See my page about this tool here.

Websocat

See my page about this tool here.

Resources

  • Websockets on Portswigger (with a few labs to practice)
  • Websocket attacks on hacktricks
  • A pentester's guide to websocket pentesting on cobalt
  • Websocket pentesting on exploit notes
  • Everything you need to know about web socket pentesting - Appknox
  • Testing websocket - OWASP
  • AZ of websocket pentesting - Certcube
  • Manipulating the websocket handshake to exploit vulnerabilities - infosecwriteups
  • Websockets in web app pentesting - cyberw1ng
  • Websocket pentesting with wsrepl
  • Cross Site Websocket Hijacking - n3t-hunter
  • Testing workflow websockets - Portswigger
  • Websockets - Payload all the things
  • Websocket vulnerabilities - cobalt
  • Pentesting websockets - Virtue Security
  • Websocket are fun - zsec
  • mitmws, A new way to pentest websocket Applications - Appsec Village
  • Websocket security top vulnerabilities - Brightsec
  • Socketsleuth: Improving security testing for websocket applications
  • Streamlining websocket pentesting with wsrepl - Doyensec
  • wsrepl
  • Cross-site WebSocket hijacking (CSWSH) | RC4 encryption - Kevin Vanegas
  • HackMyVM Inkplot walkthrough | Cross-site WebSocket hijacking (CSWSH) | RC4 encryption - Kevin Vanegas
  • How to hack websockets and socket io - Black Hills Information Security
  • GoTestWAF
  • Awesome WebSockets Security
  • STEWS - A Security Tool For Enumerating WebSockets
  • Stable 35 Old Tools New Tricks Hacking WebSockets - Michael Fowl, Nick Defoe
  • Cross-Site WebSocket Hijacking (CSWSH) - Christian Schneider
  • Websocket Fuzzer - Andres Riancho
  • Hacking web socket - Qualys - BH 2012 Slides
  • websocket smuggle - challenge by 0ang3l
  • Websockets Playground (script to easily jump start multiple local WebSocket servers in parallel)
  • Automating Blind SQL injection over WebSocket - Rayhan0x01