Home

Awesome

Websocket Fuzzer

A simple websocket fuzzer for application penetration testing.

Three tools are provided:

All tools require considerable customization to be used. Please read the source code comments in both files to better understand all the parameters.

Installation and usage

pip install -r requirements.txt

# edit send-one-message.py
python send-one-message.py

In most cases you'll want to use a proxy, such as OWASP ZAP or Burp Suite, to analyze the websocket traffic generated by these tools. Both tools support proxying the websocket traffic.

The workflow for these tools is fairly simple:

Authentication

The tools support authenticating using user-defined websocket messages. These messages are sent before the ones with the payloads.

Logging

All messages are logged to a user-defined directory. Each connection is logged to a different file. Detailed logging is very important for this tool, since it allows the user to run grep on the output to find interesting things.

Fuzzing

The tool was developed for fuzzing websocket applications which use JSON as a serialization method. If this is not the case for you, please customize the following functions:

* `create_tokenized_messages`
* `replace_token_in_json`