# Websockets

## What is a websocket

A WebSocket is a communication protocol that provides full-duplex communication channels over a single, long-lived connection. Unlike traditional web communication, where a client sends a request and waits for a response, WebSocket allows for real-time, bidirectional communication between a client (like a web browser) and a server.\
This enables more interactive and dynamic web applications, as data can be sent and received at any time without the need to repeatedly establish new connections.\
WebSockets are commonly used in applications that require low-latency communication, such as online gaming, live chat, or financial trading platforms.

## Websocket security

WebSocket implementations can be vulnerable to security issues if not properly configured or if there are flaws in the implementation.\
Some common security considerations for WebSockets include:

* Cross-Site WebSocket Hijacking (CSWSH): This occurs when an attacker tricks a user's browser into making an unintended WebSocket connection to a malicious server. Developers should validate the `Origin` header of the handshake against an allowlist to prevent this.
* Cross-Site Scripting (XSS): If an application is vulnerable to XSS attacks, attackers might inject malicious scripts into WebSocket messages, leading to potential security risks. Input validation and encoding should be used to mitigate XSS vulnerabilities.
* Denial-of-Service (DoS) Attacks: WebSocket connections can be a target for DoS attacks, such as resource exhaustion attacks. Implementing rate limiting and connection throttling mechanisms can help mitigate these risks.
* Insecure Transport: If WebSockets are not established over TLS (`ws://` instead of `wss://`), data can be intercepted or modified by a man-in-the-middle. Use WSS (WebSocket Secure) over TLS for all WebSocket connections.
* Authentication and Authorization Issues: Failing to properly authenticate and authorize users can lead to unauthorized access to WebSocket resources. Implement strong authentication mechanisms and ensure that only authorized users can establish WebSocket connections.
* Data Validation and Sanitization: Ensure that data sent over WebSockets is validated and sanitized on the server side to prevent injection attacks and other malicious activities.
* WebSockets with Same-Origin Policy Bypass: Developers should be cautious about potential security issues related to the same-origin policy. Properly configure CORS (Cross-Origin Resource Sharing) headers to control which origins are allowed to connect to the WebSocket server.

## Tools

### STEWS

See my page about this tool [here](https://csbygb.gitbook.io/pentips/tools/stews)

### Websocat

See my page about this tool [here](https://csbygb.gitbook.io/pentips/tools/websocat)

## Resources

* [Websockets on Portswigger (with a few labs to practice)](https://portswigger.net/web-security/websockets)
* [Websocket attacks on hacktricks](https://book.hacktricks.xyz/pentesting-web/websocket-attacks)
* [A pentester's guide to websocket pentesting on cobalt](https://www.cobalt.io/blog/a-pentesters-guide-to-websocket-pentesting)
* [Websocket pentesting on exploit notes](https://exploit-notes.hdks.org/exploit/web/websocket-pentesting/)
* [Everything you need to know about web socket pentesting Appknox](https://www.appknox.com/blog/everything-you-need-to-know-about-web-socket-pentesting)
* [Testing websocket - OWASP](https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/11-Client_Side_Testing/10-Testing_WebSockets)
* [AZ of websocket pentesting - Certcube](https://blog.certcube.com/a-z-of-websocket-pentetsting/)
* [Manipulating the websocket handshake to exploit vulnerabilities - infosecwriteups](https://infosecwriteups.com/manipulating-the-websocket-handshake-to-exploit-vulnerabilities-7f8dc3504e9c)
* [Websockets in web app pentesting - cyberw1ng](https://cyberw1ng.medium.com/web-sockets-in-web-app-penetration-testing-2023-cdc18850921b)
* [Websocket pentesting with wsrepl](https://blog.doyensec.com/2023/07/18/streamlining-websocket-pentesting-with-wsrepl.html)
* [Cross Site Websocket Hijacking - n3t-hunter](https://n3t-hunt3r.gitbook.io/pentest-book/web-application-pentesting/cross-site-websocket-hijacking-cswsh)
* [Testing workflow websockets - Portswigger](https://portswigger.net/burp/documentation/desktop/testing-workflow/websockets)
* [Websockets - Payload all the things](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Web%20Sockets/README.md)
* [Websocket vulnerabilities - cobalt](https://www.cobalt.io/blog/web-socket-vulnerabilites)
* [Pentesting websockets - Virtue Security](https://www.virtuesecurity.com/pentesting-websockets/)
* [Websocket are fun - zsec](https://blog.zsec.uk/websockets-are-fun/)
* [mitmws, A new way to pentest websocket Applications - Appsec Village](https://www.appsecvillage.com/events/dc-2023/mitmws-a-new-way-to-pentest-websocket-applications-491242)
* [Websocket security top vulnerabilities - Brightsec](https://brightsec.com/blog/websocket-security-top-vulnerabilities/)
* [Socketsleuth Improving security testing for websocket applications](https://snyk.io/fr/blog/socketsleuth-improving-security-testing-for-websocket-applications/)
* [wsrepl](https://github.com/doyensec/wsrepl)
* [Cross-site WebSocket hijacking (CSWSH) | RC4 encryption - Kevin Vanegas](https://www.linkedin.com/pulse/cross-site-websocket-hijacking-cswsh-rc4-encryption-kevin-vanegas/)
* [HackMyVM Inkplot walkthrough | Cross-site WebSocket hijacking (CSWSH) | RC4 encryption - Kevin Vanegas](https://youtu.be/OKY-Wd1JaTk?si=hvVMZNmlA-daOmSV)
* [How to hack websockets and socket io - Black Hills Information Security](https://www.blackhillsinfosec.com/how-to-hack-websockets-and-socket-io/)
* [GoTestWAF](https://github.com/wallarm/gotestwaf)
* [Awesome WebSockets Security](https://github.com/PalindromeLabs/awesome-websocket-security)
* [STEWS - A Security Tool For Enumerating WebSockets](https://www.kitploit.com/2021/12/stews-security-tool-for-enumerating.html)
* [Stable 35 Old Tools New Tricks Hacking WebSockets Michael Fowl Nick Defoe](https://video.hacking.reviews/2019/09/stable-35-old-tools-new-tricks-hacking.html)
* [Cross-Site WebSocket Hijacking (CSWSH) - Christian Schneider](https://christian-schneider.net/CrossSiteWebSocketHijacking.html)
* [Websocket Fuzzer - Andres Riancho](https://github.com/andresriancho/websocket-fuzzer)
* [Hacking web socket - Qualys - BH 2012 Slides](https://media.blackhat.com/bh-us-12/Briefings/Shekyan/BH_US_12_Shekyan_Toukharian_Hacking_Websocket_Slides.pdf)
* [websocket smuggle - challenge by 0ang3l](https://github.com/0ang3el/websocket-smuggle)
* [Websockets Playground (script to easily jump start multiple local WebSocket servers in parallel)](https://github.com/PalindromeLabs/WebSockets-Playground)
* [Automating Blind SQL injection over WebSocket - Rayhan0x01](https://rayhan0x01.github.io/ctf/2021/04/02/blind-sqli-over-websocket-automation.html)
