# Awesome WebSockets Security

A collection of CVEs, research, and reference materials related to WebSocket security

## Contents
- WebSocket Library Vulnerabilities
- Conference Talks
- Common WebSocket Weaknesses
- WebSocket Security Tools
- Bug Bounty Writeups
- Useful blog posts
## WebSocket Library Vulnerabilities

This list attempts to capture WebSocket CVEs and related issues in commonly encountered WebSocket server implementations.

CVE ID | Vulnerable package | Related writeup | Vulnerability summary |
---|---|---|---|
CVE-2021-42340 | Tomcat | Apache mailing list | DoS memory leak |
CVE-2021-33880 | Python websockets | GitHub Advisory | HTTP basic auth timing attack |
CVE-2021-32640 | ws | GitHub Advisory | Regex backtracking Denial of Service |
CVE-2020-36406 | uWebSockets | OSS Fuzz Summary | Stack buffer overflow |
CVE-2020-27813 | Gorilla | GitHub Advisory | Integer overflow |
CVE-2020-24807 | socket.io-file | Auxilium Security | File type restriction bypass |
CVE-2020-15779 | socket.io-file | Auxilium Security | Path traversal |
CVE-2020-15134 | faye-websocket | GitHub Advisory | Lack of TLS certificate validation |
CVE-2020-15133 | faye-websocket | GitHub Advisory | Lack of TLS certificate validation |
CVE-2020-11050 | Java WebSocket | GitHub Advisory | SSL hostname validation not performed |
CVE-2020-7663 | Ruby websocket-extensions | Writeup | Regex backtracking Denial of Service |
CVE-2020-7662 | npm websocket-extensions | Writeup | Regex backtracking Denial of Service |
None | Socket.io | GitHub Issue | CORS misconfiguration |
CVE-2018-1000518 | Python websockets | GitHub PR | DoS via memory exhaustion when decompressing compressed data |
None | Tornado | GitHub PR | DoS via memory exhaustion when decompressing compressed data |
CVE-2018-21035 | Qt WebSockets | Bug report | Denial of service due to large limit on message and frame size |
CVE-2017-16031 | socket.io | GitHub Issue | Socket IDs use predictable random numbers |
CVE-2016-10544 | uWebSockets | npm advisory | Denial of service due to large limit on message size |
CVE-2016-10542 | NodeJS ws | npm advisory | Denial of service due to large limit on message size |
None | draft-hixie-thewebsocketprotocol-76 | Writeup | |
## Conference Talks, Papers, Notable Blog Posts

### 2011
- Talking to Yourself for Fun and Profit Paper

### 2012
- Blackhat 2012 - Mike Shema, Sergey Shekyan, Vaagn Toukharian - Hacking with WebSockets Video

### 2019
- Hacktivity 2019 - Mikhail Egorov - What's Wrong with WebSocket APIs? Unveiling Vulnerabilities in WebSocket APIs Video
- DerbyCon 2019 - Michael Fowl, Nick Defoe - Old Tools New Tricks Hacking WebSockets Video

### 2021
- OWASP Global AppSec US 2021 - Erik Elbieh - We're not in HTTP anymore: Investigating WebSocket Server Security Tool Paper Video
## Common WebSocket Weaknesses

### Unencrypted WebSockets
- Black Hills WebSocket testing guide: Link

### Cross-Site WebSocket Hijacking (CSWSH)

### Insecure Authentication Mechanism

### Reverse Proxy Bypass using Upgrade Header
- Mikhail Egorov's initial PoC from Hacktivity 2019: Link
- Jake Miller's HTTP 2 smuggling tool based on Mikhail's PoC work: Link
- AssetNote blog post with golang h2smuggler tool: Link

### DOM-based WebSocket-URL poisoning
- Portswigger summary: Link
## Useful Blog Posts & Resources
- Portscanning using WebSockets Link
- WebSocket fuzzing with Kitty fuzzing framework Link
- WebSocket fuzzing harness Link
- Project Zero WebSockets-based buffer overflow Link
- Reserved Extension, Subprotocol values Link
## WebSocket Security Tools

### Discovery, Fingerprinting, Vulnerability Detection
- STEWS GitHub

### Fuzzing

### Playgrounds
- DVWS: A purposefully vulnerable WebSocket demo GitHub
- WebSocket-Playground: Jumpstart multiple WebSockets servers GitHub

### General Utilities & Tools
- WebSocket King in-browser tool
- Hoppscotch.io in-browser tool
- websocat GitHub
- wsd GitHub
## Bug Bounty Writeups

### CSWSH bugs
- Slack H1 #207170: CSWSH (plus an additional writeup)
- Facebook: CSWSH
- Stripo H1 #915541: CSWSH
- Coda H1 #535436: CSWSH
- Legal Robot #211283: CSWSH
- Legal Robot H1 #274324: CSWSH
- Grammarly #395729: CSWSH
- Undisclosed target: CSWSH
- Undisclosed target: CSWSH
### Other bugs
- PlayStation H1 #873614: Remote code execution over WebSockets
- Shopify H1 #409701: SSRF over WebSockets
- QIWI H1 #512065: DOM XSS over WebSockets
- NodeJS H1 #868834: DoS due to no timeout for closing unresponsive connections
- Bitwala H1 #862835: Broken authentication
- Shopify H1 #1023669: Broken authentication
- Legal Robot H1 #163464: Information leak
- GitHub H1 #854439: Arbitrary SQL queries via injection
- Undisclosed target: IDOR over WebSockets
- Undisclosed target on BugCrowd: XSS over WebSockets