security websocket websockets security-tools websocket-security websockets-security web-application-security

Awesome WebSockets Security

A collection of CVEs, research, and reference materials related to WebSocket security

WebSocket Library Vulnerabilities

This list of vulnerabilities attempts to capture WebSocket CVEs and related issues in commonly encountered WebSockets server implementations.

CVE ID	Vulnerable package	Related writeup	Vulnerability summary
CVE-2021-42340	Tomcat	Apache mailing list	DoS memory leak
CVE-2021-33880	Python websockets	GitHub Advisory	HTTP basic auth timing attack
CVE-2021-32640	ws	GitHub Advisory	Regex backtracking Denial of Service
CVE-2020-36406	uWebSockets	OSS Fuzz Summary	Stack buffer overflow
CVE-2020-27813	Gorilla	GitHub Advisory	Integer overflow
CVE-2020-24807	socket.io-file	Auxilium Security	File type restriction bypass
CVE-2020-15779	socket.io-file	Auxilium Security	Path traversal
CVE-2020-15134	faye-websocket	GitHub advisory	Lack of TLS certificate validation
CVE-2020-15133	faye-websocket	GitHub advisory	Lack of TLS certificate validation
CVE-2020-11050	Java WebSocket	GitHub advisory	SSL hostname validation not performed
CVE-2020-7663	Ruby websocket-extensions	Writeup	Regex backtracking Denial of Service
CVE-2020-7662	npm websocket-extensions	Writeup	Regex backtracking Denial of Service
None	Socket.io	GitHub Issue	CORS misconfiguration
CVE-2018-1000518	Python websockets	GitHub PR	DoS via memory exhaustion when decompressing compressed data
None	Tornado	GitHub PR	DoS via memory exhaustion when decompressing compressed data
CVE-2018-21035	Qt WebSockets	Bug report	Denial of service due large limit on message and frame size
CVE-2017-16031	socket.io	GitHub Issue	Socket IDs use predictable random numbers
CVE-2016-10544	uWebSockets	npm advisory	Denial of service due to large limit on message size
CVE-2016-10542	NodeJS ws	npm advisory	Denial of service due to large limit on message size
None	draft-hixie-thewebsocketprotocol-76	Writeup

Conference Talks, Papers, Notable Blog Posts

2011

Talking to Yourself for Fun and Profit Paper

2012

Blackhat 2012 - Mike Shema, Sergey Shekyan, Vaagn Toukharian - Hacking with WebSockets Video

2019

Hacktivity 2019 - Mikhail Egorov - What’s Wrong with WebSocket APIs? Unveiling Vulnerabilities in WebSocket APIs Video
DerbyCon 2019 - Michael Fowl, Nick Defoe - Old Tools New Tricks Hacking WebSockets Video

2021

OWASP Global AppSec US 2021 - Erik Elbieh - We’re not in HTTP anymore: Investigating WebSocket Server Security Tool Paper Video

Common WebSocket Weaknesses

Unencrypted WebSockets

Black Hills WebSocket testing guide: Link

Cross-Site WebSocket Hijacking (CSWSH)

Original CSWSH blog post by Christian Schneider: Link
PortSwigger Web Academy CSWSH lab: Link

Insecure Authentication Mechanism

Stratum Security blog post: Link
Heroku WebSocket Security: Link

Reverse Proxy Bypass using Upgrade Header

Mikhail Egorov's initial PoC from Hacktivity 2019: Link
Jake Miller's HTTP 2 smuggling tool based on Mikhail's PoC work: Link
AssetNote blog post with golang h2smuggler tool: Link

DOM-based WebSocket-URL poisoning

Portswigger summary: Link

Useful Blog Posts & Resources

Portscanning using WebSockets Link
WebSocket fuzzing with Kitty fuzzing framework Link
WebSocket fuzzing harness Link
Project Zero WebSockets-based buffer overflow Link
Reserved Extension, Subprotocol values Link

WebSocket Security Tools

Discovery, Fingerprinting, Vulnerability Detection

STEWS GitHub

Fuzzing

websocket-fuzzer GitHub
websocket-harness GitHub

Playgrounds

DVWS: A purposefully vulnerable WebSocket demo GitHub
WebSocket-Playground: Jumpstart multiple WebSockets servers GitHub

General Utilities & Tools

WebSocket King in-browser tool
Hoppscotch.io in-browser tool
websocat GitHub
wsd GitHub

Bug Bounty Writeups

CSWSH bugs

Slack H1 #207170: CSWSH (plus an additional writeup)
Facebook: CSWSH
Stripo H1 #915541: CSWSH
Coda H1 #535436: CSWSH
Legal Robot #211283: CSWSH
Legal Robot H1 #274324: CSWSH
Grammarly #395729: CSWSH
Undisclosed target: CSWSH
Undisclosed target: CSWSH

Other bugs

PlayStation H1 #873614: Remote code execution over WebSockets
Shopify H1 #409701: SSRF over WebSockets
QIWI H1 #512065: DOM XSS over WebSockets
NodeJS H1 #868834: DoS because no timeout to close unresponsive connections
Bitwala H1 #862835: Broken authentication
Shopify H1 #1023669: Broken authentication
Legal Robot H1 #163464: Information leak
GitHub H1 #854439: Arbitrary SQL queries via injection
Undisclosed target: IDOR over WebSockets
Undisclosed target on BugCrowd: XSS over WebSockets

About

Awesome information for WebSockets security research