Skip to content

epotseluevskaya/websocket_tools

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

5 Commits
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

WS-Pentest-Tools

WebSocket security testing tools for Socket.IO applications with JWT authentication.

Disclaimer

This code is provided as-is. It was developed with assistance from Claude and tested against specific JWT authentication flows encountered during engagements. Not all features have been fully tested — use at your own risk and verify behavior in your environment.

Installation

pip install websockets pycryptodomex termcolor requests

ws_jwt_tool.py

Fork of jwt_tool with WebSocket transport. All standard jwt_tool features work — only the transport layer changed.

WebSocket-Specific Options

Option Description
-w <url> WebSocket URL (instead of -t for HTTP)
--ws-template Auth message template (default: 42["auth","{token}"])
--ws-namespace Namespace connect message (default: 40, use 40{"token":"{token}"} for token-in-connect)
--ws-timeout Connection timeout (default: 10)
--ws-no-verify Disable SSL verification
--ws-verbose Verbose output
--ws-origin Custom Origin header
--ws-header Additional headers

Examples

# alg:none attack
python ws_jwt_tool.py -t eyJhbG... -w wss://target.com/socket.io/?EIO=4&transport=websocket -X a
 
# Key confusion
python ws_jwt_tool.py -t eyJhbG... -w wss://target.com/socket.io/?EIO=4&transport=websocket -X k -pk public.pem
 
# Crack secret
python ws_jwt_tool.py -t eyJhbG... -w wss://target.com/socket.io/?EIO=4&transport=websocket -C -d wordlist.txt
 
# Custom auth format
python ws_jwt_tool.py -t eyJhbG... -w wss://target.com/socket.io/?EIO=4&transport=websocket \
    --ws-template '42["login",{"jwt":"{token}"}]' -X a
 
# Token in namespace connect
python ws_jwt_tool.py -t eyJhbG... -w wss://target.com/socket.io/?EIO=4&transport=websocket \
    --ws-namespace '40{"token":"{token}"}' -M pb

For all JWT manipulation options, see jwt_tool documentation.


ws_test_unauth.py

Test endpoints without authentication.

python ws_test_unauth.py <requests_file> <url> [--delay 0.5] [--timeout 10]

Example

python ws_test_unauth.py requests.txt wss://target.com/socket.io/?EIO=4&transport=websocket

ws_test_auth.py

Test endpoints with JWT authentication. Auto-reconnects on connection drop.

python ws_test_auth.py <requests_file> <url> -t <token> [--delay 0.5] [--timeout 10] [--retries 3]

Authentication Flow

1. Connect to WebSocket
2. Receive: 0{"sid":"..."}
3. Send: 40{"token":"eyJ..."}
4. Receive: 40{"sid":"..."} or 44{...} (error)

Example

python ws_test_auth.py requests.txt wss://target.com/socket.io/?EIO=4&transport=websocket -t eyJhbG...

Request File Format

One Socket.IO message per line:

42["/user/profile",{"userId":"123"}]
42["/admin/users",{"pageIndex":0}]
42["/data/export",{"format":"csv"}]

Capture these from Burp.

Ruby on Rails Action Cable Tools

cable_probe.py

Connects to a Rails Action Cable endpoint without authentication and enumerates common channel names by sending subscribe commands. Reports which channels accepted, rejected, or ignored the subscription, with per-channel timeouts to skip non-existent channels automatically.

cable_listen.py

Subscribes to a list of confirmed channels (read from a file) over an unauthenticated WebSocket connection and logs all sent and received frames, producing copy-pasteable terminal output as evidence. Then listens for incoming messages on all channels.

About

Python scripts to test websockets

Resources

Stars

0 stars

Watchers

0 watching

Forks

Releases

No releases published

Packages

 
 
 

Contributors

Languages