# awesome-websocket-security

A collection of resources and research on vulnerabilities and security best practices for WebSockets.

Awesome information for WebSockets security research.

254 stars · 12 watching · 26 forks · last commit: almost 4 years ago · linked from 1 awesome list

Tags: security, security-tools, web-application-security, websocket, websocket-security, websockets, websockets-security
## WebSocket Library Vulnerabilities

| CVE | Library | Reference |
| --- | --- | --- |
| CVE-2021-42340 | Tomcat | Apache mailing list |
| CVE-2021-33880 | Python websockets | GitHub Advisory |
| CVE-2021-32640 | ws | GitHub Advisory |
| CVE-2020-36406 | uWebSockets | OSS-Fuzz summary |
| CVE-2020-27813 | Gorilla | GitHub Advisory |
| CVE-2020-24807 | socket.io-file | Auxilium Security |
| CVE-2020-15779 | socket.io-file | Auxilium Security |
| CVE-2020-15134 | faye-websocket | GitHub Advisory |
| CVE-2020-15133 | faye-websocket | GitHub Advisory |
| CVE-2020-11050 | Java WebSocket | GitHub Advisory |
| CVE-2020-7663 | Ruby websocket-extensions | Writeup |
| CVE-2020-7662 | npm websocket-extensions | Writeup |
|  | Socket.io | GitHub Issue |
| CVE-2018-1000518 | Python websockets | GitHub PR |
|  | Tornado | GitHub PR |
| CVE-2018-21035 | Qt WebSockets | Bug report |
| CVE-2017-16031 | socket.io | GitHub Issue |
| CVE-2016-10544 | uWebSockets | npm advisory |
| CVE-2016-10542 | NodeJS ws | npm advisory |
|  | draft-hixie-thewebsocketprotocol-76 | Writeup |
## 2011

| Type | Title |
| --- | --- |
| Paper | Talking to Yourself for Fun and Profit |

## 2012

| Type | Title |
| --- | --- |
| Video | Black Hat 2012 - Mike Shema, Sergey Shekyan, Vaagn Toukharian - Hacking with WebSockets |

## 2019

| Type | Title |
| --- | --- |
| Video | Hacktivity 2019 - Mikhail Egorov - What’s Wrong with WebSocket APIs? Unveiling Vulnerabilities in WebSocket APIs |
| Video | DerbyCon 2019 - Michael Fowl, Nick Defoe - Old Tools New Tricks Hacking WebSockets |

## 2021

| Type | Title |
| --- | --- |
| Talk / Tool (GitHub) | OWASP Global AppSec US 2021 - Erik Elbieh - We’re not in HTTP anymore: Investigating WebSocket Server Security |
## Common WebSocket Weaknesses

### Unencrypted WebSockets

- Black Hills WebSocket testing guide

### Cross-Site WebSocket Hijacking (CSWSH)

- Original CSWSH blog post by Christian Schneider
- PortSwigger Web Security Academy CSWSH lab

### Insecure Authentication Mechanism

- Stratum Security blog post
- Heroku WebSocket Security

### Reverse Proxy Bypass using Upgrade Header

- Mikhail Egorov's initial PoC from Hacktivity 2019 (GitHub)
- Jake Miller's h2c (HTTP/2 cleartext) smuggling tool, based on Mikhail's PoC work (GitHub)
- AssetNote blog post with Go h2smuggler tool
## DOM-based WebSocket-URL poisoning

- PortSwigger summary
## Useful Blog Posts & Resources

- Port scanning using WebSockets
- WebSocket fuzzing with the Kitty fuzzing framework
- WebSocket fuzzing harness
- Project Zero WebSockets-based buffer overflow
- Reserved Extension and Subprotocol values
## WebSocket Security Tools

### Discovery, Fingerprinting, Vulnerability Detection

- STEWS (GitHub)

### Fuzzing

- websocket-fuzzer (GitHub)
- websocket-harness (GitHub)

### Playgrounds

- DVWS: a purposefully vulnerable WebSocket demo (GitHub)
- WebSocket-Playground: jumpstart multiple WebSocket servers (GitHub)

### General Utilities & Tools

- WebSocket King (in-browser tool)
- Hoppscotch.io (in-browser tool)
- websocat (GitHub)
- wsd (GitHub)
## Bug Bounty Writeups

### CSWSH bugs

| Report | Bug |
| --- | --- |
| Slack H1 #207170 | CSWSH (plus ) |
|  | CSWSH |
| Stripo H1 #915541 | CSWSH |
| Coda H1 #535436 | CSWSH |
| Legal Robot #211283 | CSWSH |
| Legal Robot H1 #274324 | CSWSH |
| Grammarly #395729 | CSWSH |
| Undisclosed target | CSWSH |
| Undisclosed target | CSWSH |

### Other bugs

| Report | Bug |
| --- | --- |
| PlayStation H1 #873614 | Remote code execution over WebSockets |
| Shopify H1 #409701 | SSRF over WebSockets |
| QIWI H1 #512065 | DOM XSS over WebSockets |
| NodeJS H1 #868834 | DoS: no timeout to close unresponsive connections |
| Bitwala H1 #862835 | Broken authentication |
| Shopify H1 #1023669 | Broken authentication |
| Legal Robot H1 #163464 | Information leak |
| GitHub H1 #854439 | SQL injection (arbitrary SQL queries) |
| Undisclosed target | IDOR over WebSockets |
| Undisclosed target on Bugcrowd | XSS over WebSockets |