Tools & Prevention

After understanding how to test, analyze, and exploit WebSockets, let us discuss tools that automate much of the manual work. Moreover, we will learn about defensive techniques to prevent WebSocket vulnerabilities.

---

Tools - Interacting with WebSockets

websocat

Command-line tool for WebSocket connections (like netcat for WebSockets).

Installation:

# Download precompiled binary
wget https://github.com/vi/websocat/releases/download/v1.11.0/websocat_max.x86_64-unknown-linux-musl
chmod +x websocat_max.x86_64-unknown-linux-musl

Usage:

./websocat_max.x86_64-unknown-linux-musl ws://172.17.0.2/echo

Hello EchoServer! 
Hello EchoServer!

Advanced options:

websocat --help=long

wscat

Alternative command-line WebSocket tool. Install via npm:

npm install -g wscat
wscat -c ws://172.17.0.2/echo

---

Tools - Vulnerability Detection

STEWS (Security Testing and Enumeration of WebSockets)

Tool suite for fingerprinting WebSocket libraries and testing for CSWH vulnerabilities.

Repository: Contains fingerprint and vuln-detect modules.

---

Fingerprinting Module

Installation:

cd fingerprint
pip3 install -r requirements.txt

Usage:

python3 STEWS-fingerprint.py -h

Options:

Flag	Description
-u URL	Target URL (without scheme)
-n	Use ws:// instead of wss://
-a	Run all tests
-1 through -7	Run specific test series
-k	Ignore invalid SSL cert
-o ORIGIN	Set custom origin

Example - Series 5 Tests:

python3 STEWS-fingerprint.py -u websockets.htb/messages -n -5

=======================================================
>>>Most likely server: Faye, Gorilla, Java Spring boot, Python websockets, Python Tornado -- % match: 100.0
>>>Second most likely server: NodeJS ws, uWebSockets, Ratchet -- % match: 0.0
=======================================================

Note: Unknown libraries may produce inconsistent results across different test series.

---

Vulnerability Detection Module

Installation:

cd vuln-detect
pip3 install -r requirements.txt

Usage:

python3 STEWS-vuln-detect.py -h

Test Options:

Flag	Description
-1	Test for generic CSWSH
-2	Test CVE-2021-32640 (ws Regex DoS)
-3	Test CVE-2020-7662/7663 (faye Regex DoS)
-4	Test CVE-2020-27813 (Gorilla DoS Integer Overflow)

Example - CSWH Detection:

python3 STEWS-vuln-detect.py -n -u websockets.htb/messages -1

Testing ws://websockets.htb/messages
>>>Note: ws://websockets.htb/messages allowed http or https for origin
>>>Note: ws://websockets.htb/messages allowed null origin
>>>Note: ws://websockets.htb/messages allowed unusual char (possible parse error)
>>>VANILLA CSWSH DETECTED: ws://websockets.htb/messages likely vulnerable to vanilla CSWSH (any origin)

Debug mode (show requests):

python3 STEWS-vuln-detect.py -n -u websockets.htb/messages -1 -d

---

Prevention

CSWH Prevention

Method	Description
Check Origin header	Validate Origin matches expected domain
CSRF tokens	Require token in WebSocket handshake
SameSite cookie flag	Set to Strict or Lax

General WebSocket Security

Practice	Description
Use wss:// over ws://	TLS encryption for all WebSocket traffic
Sanitize all input	Treat data from both directions as untrusted
SQL injection prevention	Use prepared statements for WS data in queries
XSS prevention	Sanitize before inserting into DOM
Server-side validation	Don't trust client data
Client-side validation	Don't trust server data

---

Summary

┌─────────────────────────────────────────────────────────────────────────┐
│                    WebSocket Security Checklist                         │
├─────────────────────────────────────────────────────────────────────────┤
│                                                                         │
│  Transport Security:                                                   │
│  □ Use wss:// (not ws://)                                              │
│  □ Valid TLS certificate                                               │
│                                                                         │
│  CSWH Prevention:                                                      │
│  □ Validate Origin header                                              │
│  □ Implement CSRF tokens                                               │
│  □ Set SameSite=Strict or Lax on session cookies                       │
│                                                                         │
│  Input Sanitization:                                                   │
│  □ Server: sanitize all client data                                    │
│  □ Client: sanitize all server data                                    │
│  □ Use prepared statements for SQL                                     │
│  □ Encode output for XSS prevention                                    │
│                                                                         │
│  Testing:                                                              │
│  □ Test with websocat/wscat                                            │
│  □ Fingerprint with STEWS                                              │
│  □ Check for CSWH with STEWS vuln-detect                               │
│  □ Manual Burp testing                                                 │
│                                                                         │
└─────────────────────────────────────────────────────────────────────────┘

Resources

• WebSocket Security GitHub Repository

• websocat releases