awesome-websocket-security
WebSocket security info
A collection of resources and research on vulnerabilities and security best practices for WebSockets
Awesome information for WebSockets security research
252 stars
12 watching
25 forks
last commit: almost 3 years ago
Linked from 1 awesome list
securitysecurity-toolsweb-application-securitywebsocketwebsocket-securitywebsocketswebsockets-security
Awesome WebSockets Security / WebSocket Library Vulnerabilities | |||
CVE-2021-42340 | |||
Tomcat | 17,416 | 8 days ago | |
Apache mailing list | |||
CVE-2021-33880 | |||
Python websockets | 5,232 | 6 days ago | |
GitHub Advisory | |||
CVE-2021-32640 | |||
ws | 21,752 | 28 days ago | |
GitHub Advisory | 21,752 | 28 days ago | |
CVE-2020-36406 | |||
uWebSockets | 17,416 | 8 days ago | |
OSS Fuzz Summary | 133 | 6 days ago | |
CVE-2020-27813 | |||
Gorilla | 22,445 | 3 months ago | |
GitHub Advisory | 22,445 | 3 months ago | |
CVE-2020-24807 | |||
socket.io-file | 48 | about 5 years ago | |
Auxilium Security | |||
CVE-2020-15779 | |||
socket.io-file | 48 | about 5 years ago | |
Auxilium Security | |||
CVE-2020-15134 | |||
faye-websocket | 1,038 | about 1 year ago | |
GitHub advisory | 4,391 | 5 months ago | |
CVE-2020-15133 | |||
faye-websocket | 1,038 | about 1 year ago | |
GitHub advisory | 1,038 | about 1 year ago | |
CVE-2020-11050 | |||
Java WebSocket | |||
GitHub advisory | 10,530 | 9 days ago | |
CVE-2020-7663 | |||
Ruby websocket-extensions | |||
Writeup | |||
CVE-2020-7662 | |||
npm websocket-extensions | |||
Writeup | |||
Socket.io | 61,208 | 30 days ago | |
GitHub Issue | 61,208 | 30 days ago | |
CVE-2018-1000518 | |||
Python websockets | 5,232 | 6 days ago | |
GitHub PR | 5,232 | 6 days ago | |
Tornado | 21,748 | 24 days ago | |
GitHub PR | 21,748 | 24 days ago | |
CVE-2018-21035 | |||
Qt WebSockets | |||
Bug report | |||
CVE-2017-16031 | |||
socket.io | |||
GitHub Issue | 61,208 | 30 days ago | |
CVE-2016-10544 | |||
uWebSockets | 17,416 | 8 days ago | |
npm advisory | |||
CVE-2016-10542 | |||
NodeJS ws | |||
npm advisory | |||
draft-hixie-thewebsocketprotocol-76 | |||
Writeup | |||
Awesome WebSockets Security / 2011 | |||
Paper | Talking to Yourself for Fun and Profit | ||
Awesome WebSockets Security / 2011 / 2012 | |||
Video | Blackhat 2012 - Mike Shema, Sergey Shekyan, Vaagn Toukharian - Hacking with WebSockets | ||
Awesome WebSockets Security / 2011 / 2019 | |||
Video | Hacktivity 2019 - Mikhail Egorov - What’s Wrong with WebSocket APIs? Unveiling Vulnerabilities in WebSocket APIs | ||
Video | DerbyCon 2019 - Michael Fowl, Nick Defoe - Old Tools New Tricks Hacking WebSockets | ||
Awesome WebSockets Security / 2011 / 2021 | |||
Tool | 334 | almost 3 years ago | OWASP Global AppSec US 2021 - Erik Elbieh - We’re not in HTTP anymore: Investigating WebSocket Server Security |
Awesome WebSockets Security / Common WebSocket Weaknesses / Unencrypted WebSockets | |||
Link | Black Hills WebSocket testing guide: | ||
Awesome WebSockets Security / Common WebSocket Weaknesses / Cross-Site WebSocket Hijacking (CSWSH) | |||
Link | Original CSWSH blog post by Christian Schneider: | ||
Link | PortSwigger Web Academy CSWSH lab: | ||
Awesome WebSockets Security / Common WebSocket Weaknesses / Insecure Authentication Mechanism | |||
Link | Stratum Security blog post: | ||
Link | Heroku WebSocket Security: | ||
Awesome WebSockets Security / Common WebSocket Weaknesses / Reverse Proxy Bypass using Upgrade Header | |||
Link | 337 | 3 months ago | Mikhail Egorov's initial PoC from Hacktivity 2019: |
Link | 650 | over 2 years ago | Jake Miller's HTTP 2 smuggling tool based on Mikhail's PoC work: |
Link | AssetNote blog post with golang h2smuggler tool: | ||
Awesome WebSockets Security / DOM-based WebSocket-URL poisoning | |||
Link | Portswigger summary: | ||
Awesome WebSockets Security / Useful Blog Posts & Resources | |||
Link | Portscanning using WebSockets | ||
Link | WebSocket fuzzing with Kitty fuzzing framework | ||
Link | WebSocket fuzzing harness | ||
Link | Project Zero WebSockets-based buffer overflow | ||
Link | Reserved Extension, Subprotocol values | ||
Awesome WebSockets Security / WebSocket Security Tools / Discovery, Fingerprinting, Vulnerability Detection | |||
GitHub | 334 | almost 3 years ago | STEWS |
Awesome WebSockets Security / WebSocket Security Tools / Fuzzing | |||
GitHub | 144 | about 6 years ago | websocket-fuzzer |
GitHub | 18 | about 5 years ago | websocket-harness |
Awesome WebSockets Security / WebSocket Security Tools / Playgrounds | |||
GitHub | 342 | about 1 month ago | DVWS: A purposefully vulnerable WebSocket demo |
GitHub | 28 | about 3 years ago | WebSocket-Playground: Jumpstart multiple WebSockets servers |
Awesome WebSockets Security / WebSocket Security Tools / General Utilities & Tools | |||
in-browser tool | WebSocket King | ||
in-browser tool | Hoppscotch.io | ||
GitHub | 7,144 | 10 days ago | websocat |
GitHub | 416 | almost 7 years ago | wsd |
Awesome WebSockets Security / Bug Bounty Writeups / CSWSH bugs | |||
Slack H1 #207170 | : CSWSH (plus ) | ||
: CSWSH | |||
Stripo H1 #915541 | : CSWSH | ||
Coda H1 #535436 | : CSWSH | ||
Legal Robot #211283 | : CSWSH | ||
Legal Robot H1 #274324 | : CSWSH | ||
Grammarly #395729 | : CSWSH | ||
Undisclosed target | : CSWSH | ||
Undisclosed target | : CSWSH | ||
Awesome WebSockets Security / Bug Bounty Writeups / Other bugs | |||
PlayStation H1 #873614 | : Remote code execution over WebSockets | ||
Shopify H1 #409701 | : SSRF over WebSockets | ||
QIWI H1 #512065 | : DOM XSS over WebSockets | ||
NodeJS H1 #868834 | : DoS because no timeout to close unresponsive connections | ||
Bitwala H1 #862835 | : Broken authentication | ||
Shopify H1 #1023669 | : Broken authentication | ||
Legal Robot H1 #163464 | : Information leak | ||
GitHub H1 #854439 | : Arbitrary SQL queries via injection | ||
Undisclosed target | : IDOR over WebSockets | ||
Undisclosed target on BugCrowd | : XSS over WebSockets |