WebSocket security testing tools for Socket.IO applications with JWT authentication.
This code is provided as-is. It was developed with assistance from Claude and tested against specific JWT authentication flows encountered during engagements. Not all features have been fully tested — use at your own risk and verify behavior in your environment.
pip install websockets pycryptodomex termcolor requestsFork of jwt_tool with WebSocket transport. All standard jwt_tool features work — only the transport layer changed.
| Option | Description |
|---|---|
-w <url> |
WebSocket URL (instead of -t for HTTP) |
--ws-template |
Auth message template (default: 42["auth","{token}"]) |
--ws-namespace |
Namespace connect message (default: 40, use 40{"token":"{token}"} for token-in-connect) |
--ws-timeout |
Connection timeout (default: 10) |
--ws-no-verify |
Disable SSL verification |
--ws-verbose |
Verbose output |
--ws-origin |
Custom Origin header |
--ws-header |
Additional headers |
# alg:none attack
python ws_jwt_tool.py -t eyJhbG... -w wss://target.com/socket.io/?EIO=4&transport=websocket -X a
# Key confusion
python ws_jwt_tool.py -t eyJhbG... -w wss://target.com/socket.io/?EIO=4&transport=websocket -X k -pk public.pem
# Crack secret
python ws_jwt_tool.py -t eyJhbG... -w wss://target.com/socket.io/?EIO=4&transport=websocket -C -d wordlist.txt
# Custom auth format
python ws_jwt_tool.py -t eyJhbG... -w wss://target.com/socket.io/?EIO=4&transport=websocket \
--ws-template '42["login",{"jwt":"{token}"}]' -X a
# Token in namespace connect
python ws_jwt_tool.py -t eyJhbG... -w wss://target.com/socket.io/?EIO=4&transport=websocket \
--ws-namespace '40{"token":"{token}"}' -M pbFor all JWT manipulation options, see jwt_tool documentation.
Test endpoints without authentication.
python ws_test_unauth.py <requests_file> <url> [--delay 0.5] [--timeout 10]python ws_test_unauth.py requests.txt wss://target.com/socket.io/?EIO=4&transport=websocketTest endpoints with JWT authentication. Auto-reconnects on connection drop.
python ws_test_auth.py <requests_file> <url> -t <token> [--delay 0.5] [--timeout 10] [--retries 3]1. Connect to WebSocket
2. Receive: 0{"sid":"..."}
3. Send: 40{"token":"eyJ..."}
4. Receive: 40{"sid":"..."} or 44{...} (error)
python ws_test_auth.py requests.txt wss://target.com/socket.io/?EIO=4&transport=websocket -t eyJhbG...One Socket.IO message per line:
42["/user/profile",{"userId":"123"}]
42["/admin/users",{"pageIndex":0}]
42["/data/export",{"format":"csv"}]
Capture these from Burp.
Connects to a Rails Action Cable endpoint without authentication and enumerates common channel names by sending subscribe commands. Reports which channels accepted, rejected, or ignored the subscription, with per-channel timeouts to skip non-existent channels automatically.
Subscribes to a list of confirmed channels (read from a file) over an unauthenticated WebSocket connection and logs all sent and received frames, producing copy-pasteable terminal output as evidence. Then listens for incoming messages on all channels.