Awesome

Awesome WebSockets Security

A collection of CVEs, research, and reference materials related to WebSocket security

WebSocket Library Vulnerabilities
Conference Talks
Common WebSocket Weaknesses
WebSocket Security Tools
Bug Bounty Writeups
Useful blog posts

<a name="websocket_library_vulnerabilities"></a>WebSocket Library Vulnerabilities

This list of vulnerabilities attempts to capture WebSocket CVEs and related issues in commonly encountered WebSockets server implementations.

CVE ID	Vulnerable package	Related writeup	Vulnerability summary
CVE-2021-42340	Tomcat	Apache mailing list	DoS memory leak
CVE-2021-33880	Python websockets	GitHub Advisory	HTTP basic auth timing attack
CVE-2021-32640	ws	GitHub Advisory	Regex backtracking Denial of Service
CVE-2020-36406	uWebSockets	OSS Fuzz Summary	Stack buffer overflow
CVE-2020-27813	Gorilla	GitHub Advisory	Integer overflow
CVE-2020-24807	socket.io-file	Auxilium Security	File type restriction bypass
CVE-2020-15779	socket.io-file	Auxilium Security	Path traversal
CVE-2020-15134	faye-websocket	GitHub advisory	Lack of TLS certificate validation
CVE-2020-15133	faye-websocket	GitHub advisory	Lack of TLS certificate validation
CVE-2020-11050	Java WebSocket	GitHub advisory	SSL hostname validation not performed
CVE-2020-7663	Ruby websocket-extensions	Writeup	Regex backtracking Denial of Service
CVE-2020-7662	npm websocket-extensions	Writeup	Regex backtracking Denial of Service
None	Socket.io	GitHub Issue	CORS misconfiguration
CVE-2018-1000518	Python websockets	GitHub PR	DoS via memory exhaustion when decompressing compressed data
None	Tornado	GitHub PR	DoS via memory exhaustion when decompressing compressed data
CVE-2018-21035	Qt WebSockets	Bug report	Denial of service due large limit on message and frame size
CVE-2017-16031	socket.io	GitHub Issue	Socket IDs use predictable random numbers
CVE-2016-10544	uWebSockets	npm advisory	Denial of service due to large limit on message size
CVE-2016-10542	NodeJS ws	npm advisory	Denial of service due to large limit on message size
None	draft-hixie-thewebsocketprotocol-76	Writeup

<a name="conference_talks"></a>Conference Talks, Papers, Notable Blog Posts

2011

Talking to Yourself for Fun and Profit Paper

2012

Blackhat 2012 - Mike Shema, Sergey Shekyan, Vaagn Toukharian - Hacking with WebSockets Video

2019

Hacktivity 2019 - Mikhail Egorov - What’s Wrong with WebSocket APIs? Unveiling Vulnerabilities in WebSocket APIs Video
DerbyCon 2019 - Michael Fowl, Nick Defoe - Old Tools New Tricks Hacking WebSockets Video

2021

OWASP Global AppSec US 2021 - Erik Elbieh - We’re not in HTTP anymore: Investigating WebSocket Server Security Tool Paper Video

<a name="common_websocket_weaknesses"></a>Common WebSocket Weaknesses

Unencrypted WebSockets

Black Hills WebSocket testing guide: Link

Cross-Site WebSocket Hijacking (CSWSH)

Original CSWSH blog post by Christian Schneider: Link
PortSwigger Web Academy CSWSH lab: Link

Insecure Authentication Mechanism

Stratum Security blog post: Link
Heroku WebSocket Security: Link

Reverse Proxy Bypass using Upgrade Header

Mikhail Egorov's initial PoC from Hacktivity 2019: Link
Jake Miller's HTTP 2 smuggling tool based on Mikhail's PoC work: Link
AssetNote blog post with golang h2smuggler tool: Link

DOM-based WebSocket-URL poisoning

Portswigger summary: Link

<a name="useful_blogs"></a>Useful Blog Posts & Resources

Portscanning using WebSockets Link
WebSocket fuzzing with Kitty fuzzing framework Link
WebSocket fuzzing harness Link
Project Zero WebSockets-based buffer overflow Link
Reserved Extension, Subprotocol values Link

<a name="websocket_security_tools"></a>WebSocket Security Tools

Discovery, Fingerprinting, Vulnerability Detection

STEWS GitHub

Fuzzing

websocket-fuzzer GitHub
websocket-harness GitHub

Playgrounds

DVWS: A purposefully vulnerable WebSocket demo GitHub
WebSocket-Playground: Jumpstart multiple WebSockets servers GitHub

General Utilities & Tools

WebSocket King in-browser tool
Hoppscotch.io in-browser tool
websocat GitHub
wsd GitHub

<a name="bug_bounty_writeups"></a>Bug Bounty Writeups

CSWSH bugs

Slack H1 #207170: CSWSH (plus an additional writeup)
Facebook: CSWSH
Stripo H1 #915541: CSWSH
Coda H1 #535436: CSWSH
Legal Robot #211283: CSWSH
Legal Robot H1 #274324: CSWSH
Grammarly #395729: CSWSH
Undisclosed target: CSWSH
Undisclosed target: CSWSH

Other bugs

PlayStation H1 #873614: Remote code execution over WebSockets
Shopify H1 #409701: SSRF over WebSockets
QIWI H1 #512065: DOM XSS over WebSockets
NodeJS H1 #868834: DoS because no timeout to close unresponsive connections
Bitwala H1 #862835: Broken authentication
Shopify H1 #1023669: Broken authentication
Legal Robot H1 #163464: Information leak
GitHub H1 #854439: Arbitrary SQL queries via injection
Undisclosed target: IDOR over WebSockets
Undisclosed target on BugCrowd: XSS over WebSockets