Git Product home page Git Product logo

websocket-fuzzer's Introduction

Websocket Fuzzer

A simple websocket fuzzer for application penetration testing.

Two tools are provided:

  • websocket-fuzzer.py: Receives a websocket message, modifies it, and then sends it in different connections. The response is analyzed to find potential vulnerabilities.

  • send-one-message.py: Sends a websocket message using a new connection

Both tools require considerable customization to be used. Please read the source code comments in both files to better understand all the parameters.

Installation and usage

pip install -r requirements.txt

# edit send-one-message.py
python send-one-message.py

In most cases you'll want to use a proxy, such as OWASP ZAP or Burp Suite, to analyze the websocket traffic generated by these tools. Both tools support proxying the websocket traffic.

The workflow for these tools is fairly simple:

  • Use send-one-message.py to define most of the variables, make sure that authentication is working, etc. Confirm all this with the logs and traffic seen in the local proxy.

  • Move the send-one-message.py configuration to websocket-fuzzer.py and customize the remaining parameters. Start the process and confirm that the fuzzer is sending what you expect.

  • Customize the payloads which are sent to the target using payloads/payloads.txt

  • Analyze the logs using grep to find specific things you're looking for. The tool will try to identify issues for you and log them with Potential issue found in connection with ID

Authentication

The tools support authenticating using user-defined websocket messages. These messages are sent before the ones with the payloads.

Logging

All messages are logged to a user-defined directory. Each connection is logged to a different file. Detailed logging is very important for this tool, since it allows the user to run grep on the output to find interesting things.

Fuzzing

The tool was developed for fuzzing websocket applications which use JSON as a serialization method. If this is not the case for you, please customize the following functions:

* `create_tokenized_messages`
* `replace_token_in_json`

websocket-fuzzer's People

Contributors

andresriancho avatar

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    ๐Ÿ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. ๐Ÿ“Š๐Ÿ“ˆ๐ŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google โค๏ธ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.