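# Resolve the directory holding this script so config.sh is found no matter
# which working directory the caller started from.
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"

# config.sh is sourced, i.e. executed in this shell. The rest of the script
# reads OUT, TARGET, API_HOST and QUIC_PORT, presumably all defined there.
# shellcheck source=/dev/null
source "$SCRIPT_DIR/../config.sh"

# Stop before any request is sent if the essentials are missing: with an empty
# OUT the mkdir below would target /websocket, and with an empty TARGET every
# probe would go to a malformed URL and log a meaningless status code.
: "${OUT:?OUT must be set by config.sh}"
: "${TARGET:?TARGET must be set by config.sh}"

# From here on OUT names the websocket results directory itself.
OUT="$OUT/websocket"
mkdir -p "$OUT"

# tee without -a: each run starts a fresh summary file.
echo '=== WEBSOCKET SECURITY TESTS ===' | tee "$OUT/summary.txt"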
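#######################################
# Percent-encode a string for use inside a URL.
# The value reaches Python on stdin and is never interpolated into the -c
# program text, so quotes or other payload characters cannot alter the code
# that runs.
# The input is read as raw bytes and encoded as-is: leading/trailing
# whitespace and CR/LF are kept, so the request carries exactly the payload
# the caller asked for (stripping them would silently change the test case).
# Arguments: $1 - raw string to encode
# Outputs:   encoded string on stdout; '/' stays literal, which is the
#            default "safe" set of urllib.parse.quote
#######################################
url_encode() {
  printf '%s' "$1" \
    | python3 -c 'import sys, urllib.parse; print(urllib.parse.quote(sys.stdin.buffer.read()))'
}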
# --- Cross-origin handshake checks ---
# Two WebSocket opening handshakes are sent to "$TARGET/": one with a foreign
# Origin header, one with no Origin at all. Only the HTTP status is logged.
# Reading the result: 101 means the server accepted the upgrade for that
# Origin. Any other code only shows that this URL did not upgrade.
# NOTE(review): both probes hit the site root, while later tests in this
# script use /ws/. If the root is not a WebSocket endpoint, these two results
# say nothing about Origin validation on the real endpoint. Confirm the path.
# --insecure disables TLS certificate verification, so the responding host is
# not authenticated. Acceptable only against a known test target.
printf '%s\n' '--- WS Cross-Origin ---' | tee -a "$OUT/summary.txt"

# Probe 1: foreign Origin. The first lines of the response body are kept in
# ws_upgrade.txt and echoed into the summary.
resp="$(curl --silent --insecure \
  --output "$OUT/ws_upgrade.txt" \
  --write-out '%{http_code}' \
  --max-time 10 \
  --header 'Upgrade: websocket' \
  --header 'Connection: Upgrade' \
  --header 'Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==' \
  --header 'Sec-WebSocket-Version: 13' \
  --header 'Origin: https://evil.com' \
  "${TARGET}/")"
printf '[%s] WS upgrade from evil.com origin\n' "$resp" | tee -a "$OUT/summary.txt"
head -n 5 "$OUT/ws_upgrade.txt" | tee -a "$OUT/summary.txt"

# Probe 2: same handshake with the Origin header left out, as a non-browser
# client would send it.
resp="$(curl --silent --insecure \
  --output /dev/null \
  --write-out '%{http_code}' \
  --max-time 10 \
  --header 'Upgrade: websocket' \
  --header 'Connection: Upgrade' \
  --header 'Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==' \
  --header 'Sec-WebSocket-Version: 13' \
  "${TARGET}/")"
printf '[%s] WS upgrade no origin\n' "$resp" | tee -a "$OUT/summary.txt"
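echo '' | tee -a "$OUT/summary.txt"
echo '--- WebTransport/QUIC Speedtest Endpoint ---' | tee -a "$OUT/summary.txt"

# curl is run here without HTTP/3, so it connects over TCP. A listener that
# only speaks QUIC (UDP) should therefore refuse the connection or time out.
# %{http_code} prints 000 for EVERY failure to get an HTTP response (bad URL,
# DNS error, TLS error, refusal, timeout), so curl's exit status is kept as
# well. Without it an unset API_HOST/QUIC_PORT or a resolver problem would be
# logged as a passed check.
curl_rc=0
resp=$(curl -sk -o /dev/null -w '%{http_code}' --max-time 10 \
  "https://${API_HOST}:${QUIC_PORT}/speedtest") || curl_rc=$?

if [ "$resp" = "000" ]; then
  case "$curl_rc" in
    7 | 28)
      # 7 = failed to connect, 28 = timed out: what a closed or filtered TCP
      # port looks like.
      echo "[000] QUIC speedtest endpoint (EXPECTED — QUIC/UDP; curl uses TCP, 000 = correct rejection)" | tee -a "$OUT/summary.txt"
      ;;
    *)
      # Any other failure is not evidence about the port itself.
      echo "[000] QUIC speedtest endpoint (INCONCLUSIVE — curl exit $curl_rc, not a TCP refusal or timeout)" | tee -a "$OUT/summary.txt"
      ;;
  esac
else
  # An HTTP status here means something answered over TCP on the QUIC port.
  echo "[$resp] QUIC speedtest endpoint" | tee -a "$OUT/summary.txt"
fi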
# --- Handshake with a SQL metacharacter payload in the query string ---
# The room parameter carries a percent-encoded quote/boolean payload.
# Reading the result: the status code alone neither confirms nor rules out
# SQL injection. It is useful mainly when compared with the same request
# using a benign room value (a 5xx only for the payload suggests unhandled
# input).
# --insecure disables TLS certificate verification for this request.
printf '\n' | tee -a "$OUT/summary.txt"
printf '%s\n' '--- WS Path Injection ---' | tee -a "$OUT/summary.txt"

encoded="$(url_encode "1' OR 1=1--")"
resp="$(curl --silent --insecure \
  --output /dev/null \
  --write-out '%{http_code}' \
  --max-time 8 \
  --header 'Upgrade: websocket' \
  --header 'Connection: Upgrade' \
  --header 'Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==' \
  --header 'Sec-WebSocket-Version: 13' \
  "${TARGET}/ws/?room=${encoded}")"
printf '[%s] WS path SQLi\n' "$resp" | tee -a "$OUT/summary.txt"

# Print everything collected so far in one piece.
cat "$OUT/summary.txt"
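# --- Authentication checks on the WebSocket handshake ---
# OUT already points at the websocket results directory (it is reassigned to
# "$OUT/websocket" near the top of this script). Appending to
# "$OUT/websocket/summary.txt" therefore addressed a directory that is never
# created, and these results were lost from the summary. Write to the same
# summary file as the earlier sections instead.
ws_summary="$OUT/summary.txt"

#######################################
# Send one WebSocket opening handshake and print only the HTTP status code.
# -k disables TLS certificate verification, so the peer is not authenticated.
# Arguments: extra curl arguments (options, headers), ending with the URL
# Outputs:   HTTP status code on stdout (000 when no HTTP response arrived)
#######################################
ws_handshake_status() {
  curl -sk -o /dev/null -w '%{http_code}' --max-time 10 \
    -H 'Upgrade: websocket' -H 'Connection: Upgrade' \
    -H 'Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==' \
    -H 'Sec-WebSocket-Version: 13' \
    "$@"
}

echo "" | tee -a "$ws_summary"
echo '--- WS Authentication Bypass ---' | tee -a "$ws_summary"

# Reading the results below: 101 means the upgrade was accepted with the
# credentials shown. For an endpoint that requires authentication, the
# expected outcome of every probe is a refusal (401/403).

# No credentials at all.
resp=$(ws_handshake_status "$TARGET/ws/")
echo "[$resp] WS upgrade — no auth token (should be 401/403)" | tee -a "$ws_summary"

# Syntactically present but invalid bearer token.
resp=$(ws_handshake_status \
  -H 'Authorization: Bearer INVALID_EXPIRED_TOKEN_XYZ' \
  "$TARGET/ws/")
echo "[$resp] WS upgrade — invalid Bearer token" | tee -a "$ws_summary"

# Invalid token passed as a query parameter. Independently of the result,
# tokens carried in URLs tend to end up in server and proxy access logs.
resp=$(ws_handshake_status "$TARGET/ws/?token=INVALID_TOKEN")
echo "[$resp] WS upgrade — token in query string" | tee -a "$ws_summary"

# Handshake against an administrative path, with a subprotocol offer and no
# credentials.
resp=$(ws_handshake_status \
  -H 'Sec-WebSocket-Protocol: chat, superchat' \
  "$TARGET/admin/")
echo "[$resp] WS upgrade against /admin/ (auth bypass attempt)" | tee -a "$ws_summary"

# NOTE(review): RFC 8441 bootstraps WebSockets over HTTP/2 with an extended
# CONNECT request and a :protocol pseudo-header, not with Upgrade/Connection
# headers. HTTP/2 forbids connection-specific header fields, so they may be
# dropped by the client or rejected by the server. This probe shows how the
# server treats HTTP/1.1-style upgrade headers on an HTTP/2-capable
# connection. It does not exercise RFC 8441 itself.
resp=$(ws_handshake_status --http2 "$TARGET/ws/")
echo "[$resp] HTTP/2 WS upgrade (RFC 8441)" | tee -a "$ws_summary"

cat "$ws_summary"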