awesome-websocket-security

WebSocket security info

A collection of resources and research on vulnerabilities and security best practices for WebSockets

Awesome information for WebSockets security research

GitHub

252 stars
12 watching
25 forks
last commit: almost 3 years ago
Linked from 1 awesome list

securitysecurity-toolsweb-application-securitywebsocketwebsocket-securitywebsocketswebsockets-security

Awesome WebSockets Security / WebSocket Library Vulnerabilities

CVE-2021-42340
Tomcat 17,416 8 days ago
Apache mailing list
CVE-2021-33880
Python websockets 5,232 6 days ago
GitHub Advisory
CVE-2021-32640
ws 21,752 28 days ago
GitHub Advisory 21,752 28 days ago
CVE-2020-36406
uWebSockets 17,416 8 days ago
OSS Fuzz Summary 133 6 days ago
CVE-2020-27813
Gorilla 22,445 3 months ago
GitHub Advisory 22,445 3 months ago
CVE-2020-24807
socket.io-file 48 about 5 years ago
Auxilium Security
CVE-2020-15779
socket.io-file 48 about 5 years ago
Auxilium Security
CVE-2020-15134
faye-websocket 1,038 about 1 year ago
GitHub advisory 4,391 5 months ago
CVE-2020-15133
faye-websocket 1,038 about 1 year ago
GitHub advisory 1,038 about 1 year ago
CVE-2020-11050
Java WebSocket
GitHub advisory 10,530 9 days ago
CVE-2020-7663
Ruby websocket-extensions
Writeup
CVE-2020-7662
npm websocket-extensions
Writeup
Socket.io 61,208 30 days ago
GitHub Issue 61,208 30 days ago
CVE-2018-1000518
Python websockets 5,232 6 days ago
GitHub PR 5,232 6 days ago
Tornado 21,748 24 days ago
GitHub PR 21,748 24 days ago
CVE-2018-21035
Qt WebSockets
Bug report
CVE-2017-16031
socket.io
GitHub Issue 61,208 30 days ago
CVE-2016-10544
uWebSockets 17,416 8 days ago
npm advisory
CVE-2016-10542
NodeJS ws
npm advisory
draft-hixie-thewebsocketprotocol-76
Writeup

Awesome WebSockets Security / 2011

Paper Talking to Yourself for Fun and Profit

Awesome WebSockets Security / 2011 / 2012

Video Blackhat 2012 - Mike Shema, Sergey Shekyan, Vaagn Toukharian - Hacking with WebSockets

Awesome WebSockets Security / 2011 / 2019

Video Hacktivity 2019 - Mikhail Egorov - What’s Wrong with WebSocket APIs? Unveiling Vulnerabilities in WebSocket APIs
Video DerbyCon 2019 - Michael Fowl, Nick Defoe - Old Tools New Tricks Hacking WebSockets

Awesome WebSockets Security / 2011 / 2021

Tool 334 almost 3 years ago OWASP Global AppSec US 2021 - Erik Elbieh - We’re not in HTTP anymore: Investigating WebSocket Server Security

Awesome WebSockets Security / Common WebSocket Weaknesses / Unencrypted WebSockets

Link Black Hills WebSocket testing guide:

Awesome WebSockets Security / Common WebSocket Weaknesses / Cross-Site WebSocket Hijacking (CSWSH)

Link Original CSWSH blog post by Christian Schneider:
Link PortSwigger Web Academy CSWSH lab:

Awesome WebSockets Security / Common WebSocket Weaknesses / Insecure Authentication Mechanism

Link Stratum Security blog post:
Link Heroku WebSocket Security:

Awesome WebSockets Security / Common WebSocket Weaknesses / Reverse Proxy Bypass using Upgrade Header

Link 337 3 months ago Mikhail Egorov's initial PoC from Hacktivity 2019:
Link 650 over 2 years ago Jake Miller's HTTP 2 smuggling tool based on Mikhail's PoC work:
Link AssetNote blog post with golang h2smuggler tool:

Awesome WebSockets Security / DOM-based WebSocket-URL poisoning

Link Portswigger summary:

Awesome WebSockets Security / Useful Blog Posts & Resources

Link Portscanning using WebSockets
Link WebSocket fuzzing with Kitty fuzzing framework
Link WebSocket fuzzing harness
Link Project Zero WebSockets-based buffer overflow
Link Reserved Extension, Subprotocol values

Awesome WebSockets Security / WebSocket Security Tools / Discovery, Fingerprinting, Vulnerability Detection

GitHub 334 almost 3 years ago STEWS

Awesome WebSockets Security / WebSocket Security Tools / Fuzzing

GitHub 144 about 6 years ago websocket-fuzzer
GitHub 18 about 5 years ago websocket-harness

Awesome WebSockets Security / WebSocket Security Tools / Playgrounds

GitHub 342 about 1 month ago DVWS: A purposefully vulnerable WebSocket demo
GitHub 28 about 3 years ago WebSocket-Playground: Jumpstart multiple WebSockets servers

Awesome WebSockets Security / WebSocket Security Tools / General Utilities & Tools

in-browser tool WebSocket King
in-browser tool Hoppscotch.io
GitHub 7,144 10 days ago websocat
GitHub 416 almost 7 years ago wsd

Awesome WebSockets Security / Bug Bounty Writeups / CSWSH bugs

Slack H1 #207170 : CSWSH (plus )
Facebook : CSWSH
Stripo H1 #915541 : CSWSH
Coda H1 #535436 : CSWSH
Legal Robot #211283 : CSWSH
Legal Robot H1 #274324 : CSWSH
Grammarly #395729 : CSWSH
Undisclosed target : CSWSH
Undisclosed target : CSWSH

Awesome WebSockets Security / Bug Bounty Writeups / Other bugs

PlayStation H1 #873614 : Remote code execution over WebSockets
Shopify H1 #409701 : SSRF over WebSockets
QIWI H1 #512065 : DOM XSS over WebSockets
NodeJS H1 #868834 : DoS because no timeout to close unresponsive connections
Bitwala H1 #862835 : Broken authentication
Shopify H1 #1023669 : Broken authentication
Legal Robot H1 #163464 : Information leak
GitHub H1 #854439 : Arbitrary SQL queries via injection
Undisclosed target : IDOR over WebSockets
Undisclosed target on BugCrowd : XSS over WebSockets

Backlinks from these awesome lists:

More related projects: