After understanding how to test, analyze, and exploit WebSockets, let us discuss tools that automate much of the manual work. Moreover, we will learn about defensive techniques to prevent WebSocket vulnerabilities.
websocat: command-line tool for WebSocket connections (like netcat for WebSockets).
Installation:
```shell
# Download precompiled binary
wget https://github.com/vi/websocat/releases/download/v1.11.0/websocat_max.x86_64-unknown-linux-musl
chmod +x websocat_max.x86_64-unknown-linux-musl
```
Usage (the first "Hello EchoServer!" is typed by us, the second is the server's echo):
```
./websocat_max.x86_64-unknown-linux-musl ws://172.17.0.2/echo
Hello EchoServer!
Hello EchoServer!
```
Advanced options:
```shell
websocat --help=long
```
wscat: alternative command-line WebSocket tool. Install via npm:
```shell
npm install -g wscat
wscat -c ws://172.17.0.2/echo
```
STEWS: tool suite for fingerprinting WebSocket libraries and testing for Cross-Site WebSocket Hijacking (CSWSH) vulnerabilities.
Repository: contains fingerprint and vuln-detect modules.
Installation:
```shell
cd fingerprint
pip3 install -r requirements.txt
```
Usage:
```shell
python3 STEWS-fingerprint.py -h
```
Options:
| Flag | Description |
|---|---|
| -u URL | Target URL (without scheme) |
| -n | Use ws:// instead of wss:// |
| -a | Run all tests |
| -1 through -7 | Run specific test series |
| -k | Ignore invalid SSL cert |
| -o ORIGIN | Set custom origin |
Example - Series 5 Tests:
```
python3 STEWS-fingerprint.py -u websockets.htb/messages -n -5
=======================================================
>>>Most likely server: Faye, Gorilla, Java Spring boot, Python websockets, Python Tornado -- % match: 100.0
>>>Second most likely server: NodeJS ws, uWebSockets, Ratchet -- % match: 0.0
=======================================================
```
Note: Unknown libraries may produce inconsistent results across different test series.
STEWS vuln-detect installation:
```shell
cd vuln-detect
pip3 install -r requirements.txt
```
Usage:
```shell
python3 STEWS-vuln-detect.py -h
```
Test Options:
| Flag | Description |
|---|---|
| -1 | Test for generic CSWSH |
| -2 | Test CVE-2021-32640 (ws Regex DoS) |
| -3 | Test CVE-2020-7662/7663 (faye Regex DoS) |
| -4 | Test CVE-2020-27813 (Gorilla DoS Integer Overflow) |
Example - CSWSH Detection:
```
python3 STEWS-vuln-detect.py -n -u websockets.htb/messages -1
Testing ws://websockets.htb/messages
>>>Note: ws://websockets.htb/messages allowed http or https for origin
>>>Note: ws://websockets.htb/messages allowed null origin
>>>Note: ws://websockets.htb/messages allowed unusual char (possible parse error)
>>>VANILLA CSWSH DETECTED: ws://websockets.htb/messages likely vulnerable to vanilla CSWSH (any origin)
```
Debug mode (show requests):
```shell
python3 STEWS-vuln-detect.py -n -u websockets.htb/messages -1 -d
```
CSWSH prevention:
| Method | Description |
|---|---|
| Check Origin header | Validate Origin matches expected domain |
| CSRF tokens | Require token in WebSocket handshake |
| SameSite cookie flag | Set to Strict or Lax |
Secure WebSocket practices:
| Practice | Description |
|---|---|
| Use wss:// over ws:// | TLS encryption for all WebSocket traffic |
| Sanitize all input | Treat data from both directions as untrusted |
| SQL injection prevention | Use prepared statements for WS data in queries |
| XSS prevention | Sanitize before inserting into DOM |
| Server-side validation | Don't trust client data |
| Client-side validation | Don't trust server data |
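The Origin check and handshake CSRF token from the prevention table, as an added example that is not code from the page, STEWS or websocat. It rejects exactly the conditions STEWS vuln-detect reported above (http/https origin mix-ups, a null origin, unparseable origins); the allow-list values and the `token` query parameter name are assumptions.

```python
# Added example (not from the page, STEWS or websocat): a handshake policy a
# WebSocket server runs before completing the upgrade. It rejects the three
# conditions STEWS vuln-detect flags above (http/https origin mix-ups, a null
# origin, and unparseable origins) and checks a per-session CSRF token.
# Allow-list entries and the "token" query parameter name are assumptions.
import hmac
from urllib.parse import parse_qs, urlsplit

# Exact origins the application's pages are served from (assumed values).
ALLOWED_ORIGINS = {"https://app.example.com", "https://app.example.com:8443"}


def origin_allowed(origin):
    """True only for an exact scheme://host[:port] match against ALLOWED_ORIGINS."""
    if origin is None or origin.strip().lower() == "null":
        return False  # absent or 'null' Origin (sandboxed iframe, file://) is rejected
    try:
        parts = urlsplit(origin)
    except ValueError:
        return False  # unparseable value: fail closed instead of guessing
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return False
    if parts.path or parts.query or parts.fragment:
        return False  # a real Origin header carries no path, query or fragment
    # Canonical form: scheme is lowercased by urlsplit, host is lowercased here,
    # so the comparison is an exact set lookup rather than a substring match.
    return f"{parts.scheme}://{parts.netloc.lower()}" in ALLOWED_ORIGINS


def handshake_allowed(headers, request_target, expected_token):
    """Decide whether to accept a WebSocket upgrade request.

    headers: request headers as a dict (looked up case-insensitively).
    request_target: the path and query from the request line, e.g.
        /messages?token=... . Browsers cannot add custom headers to a
        WebSocket handshake, so the page's script passes the CSRF token in the
        URL it opens the socket with (assumed parameter name: token).
    expected_token: the token bound to the caller's session on the server.
    """
    h = {k.lower(): v for k, v in headers.items()}
    if not origin_allowed(h.get("origin")):
        return False
    query = parse_qs(urlsplit(request_target).query)
    supplied = query.get("token", [""])[0]
    # Constant-time comparison so token checking does not leak timing information.
    return hmac.compare_digest(supplied.encode(), expected_token.encode())
```

Note that SameSite=Strict or Lax on the session cookie is set in the HTTP response that issues the cookie, not in this handshake check, so the two measures complement each other.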
```
┌───────────────────────────────────────────────────────┐
│ WebSocket Security Checklist                          │
├───────────────────────────────────────────────────────┤
│                                                       │
│ Transport Security:                                   │
│   □ Use wss:// (not ws://)                            │
│   □ Valid TLS certificate                             │
│                                                       │
│ CSWSH Prevention:                                     │
│   □ Validate Origin header                            │
│   □ Implement CSRF tokens                             │
│   □ Set SameSite=Strict or Lax on session cookies     │
│                                                       │
│ Input Sanitization:                                   │
│   □ Server: sanitize all client data                  │
│   □ Client: sanitize all server data                  │
│   □ Use prepared statements for SQL                   │
│   □ Encode output for XSS prevention                  │
│                                                       │
│ Testing:                                              │
│   □ Test with websocat/wscat                          │
│   □ Fingerprint with STEWS                            │
│   □ Check for CSWSH with STEWS vuln-detect            │
│   □ Manual Burp testing                               │
│                                                       │
└───────────────────────────────────────────────────────┘
```