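#!/bin/bash
# WebSocket/WebTransport security tests
#
# Sends WebSocket handshake probes to $TARGET, plus one TCP probe to the QUIC
# speedtest port, and records each HTTP status in <OUT>/websocket/summary.txt.
# Reads OUT, TARGET, API_HOST and QUIC_PORT, which are expected to come from
# ../config.sh.
#
# Every probe uses curl -k, so the server certificate is not verified; the
# results say nothing about the TLS configuration of the target.

SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
source "$SCRIPT_DIR/../config.sh" || {
  echo "cannot load $SCRIPT_DIR/../config.sh" >&2
  exit 1
}

# Without these the probes would hit "/" on no host and the report would land
# in /websocket at the filesystem root.
: "${OUT:?OUT must be set by config.sh}"
: "${TARGET:?TARGET must be set by config.sh}"

OUT="$OUT/websocket"
# Every section appends to this one file. OUT already ends in /websocket, so
# "$OUT/websocket/summary.txt" would name a directory that is never created.
SUMMARY="$OUT/summary.txt"
mkdir -p "$OUT" || exit 1

# Append one line to the summary and echo it to stdout.
log() { printf '%s\n' "$*" | tee -a "$SUMMARY"; }

# Percent-encode $1 for use as a query-string value.
url_encode() {
  printf '%s' "$1" |
    python3 -c "import sys,urllib.parse; print(urllib.parse.quote(sys.stdin.read().strip()))"
}

# ws_status [curl options...] URL
# Sends a WebSocket opening handshake and prints the HTTP status code.
# The key is the fixed sample nonce from RFC 6455; the server only needs it to
# be well-formed. Extra -H options are sent after the four handshake headers.
ws_status() {
  curl -sk -w '%{http_code}' \
    -H 'Upgrade: websocket' \
    -H 'Connection: Upgrade' \
    -H 'Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==' \
    -H 'Sec-WebSocket-Version: 13' \
    "$@"
}

# tee without -a: start a fresh summary on every run.
echo '=== WEBSOCKET SECURITY TESTS ===' | tee "$SUMMARY"

# Cross-origin WebSocket hijack attempt.
# Reading the result: 101 means the handshake was accepted with a foreign
# Origin. Browsers attach cookies to WebSocket handshakes, so an endpoint that
# authenticates by cookie must check Origin against an allowlist.
log '--- WS Cross-Origin ---'
resp=$(ws_status -o "$OUT/ws_upgrade.txt" --max-time 10 \
  -H 'Origin: https://evil.com' \
  "$TARGET/")
log "[$resp] WS upgrade from evil.com origin"
head -5 "$OUT/ws_upgrade.txt" | tee -a "$SUMMARY"

# Same with no origin. Non-browser clients omit Origin, so acceptance here is
# a baseline for comparison rather than a finding on its own.
resp=$(ws_status -o /dev/null --max-time 10 "$TARGET/")
log "[$resp] WS upgrade no origin"

# Speedtest WebTransport endpoint.
# curl prints 000 whenever it received no HTTP response at all (refused,
# timed out, DNS or TLS failure). 000 therefore shows only that nothing
# answered HTTP over TCP on this port; it does not tell a closed port apart
# from an unreachable host.
log ''
log '--- WebTransport/QUIC Speedtest Endpoint ---'
resp=$(curl -sk -o /dev/null -w '%{http_code}' --max-time 10 \
  "https://${API_HOST}:${QUIC_PORT}/speedtest")
if [ "$resp" = "000" ]; then
  log "[000] QUIC speedtest endpoint (EXPECTED — QUIC/UDP; curl uses TCP, 000 = correct rejection)"
else
  log "[$resp] QUIC speedtest endpoint"
fi

# WebSocket with SQL injection in path — properly URL-encoded.
# The status code alone is a weak signal: compare it with the status for a
# benign room value, and treat a 5xx as a reason to check server-side logs.
log ''
log '--- WS Path Injection ---'
encoded=$(url_encode "1' OR 1=1--")
resp=$(ws_status -o /dev/null --max-time 8 "$TARGET/ws/?room=$encoded")
log "[$resp] WS path SQLi"

cat "$SUMMARY"

# ── WebSocket Auth Bypass ─────────────────────────────────────────────────────
log ""
log '--- WS Authentication Bypass ---'

# Unauthenticated WS upgrade (no token)
resp=$(ws_status -o /dev/null --max-time 10 "$TARGET/ws/")
log "[$resp] WS upgrade — no auth token (should be 401/403)"

# WS upgrade with invalid/expired token
resp=$(ws_status -o /dev/null --max-time 10 \
  -H 'Authorization: Bearer INVALID_EXPIRED_TOKEN_XYZ' \
  "$TARGET/ws/")
log "[$resp] WS upgrade — invalid Bearer token"

# WS upgrade with token in query string (token leakage risk: URLs are
# commonly written to access and proxy logs). The token is invalid, so a 101
# here means the endpoint is not validating it.
resp=$(ws_status -o /dev/null --max-time 10 "$TARGET/ws/?token=INVALID_TOKEN")
log "[$resp] WS upgrade — token in query string"

# WS handshake aimed at /admin/. This sends only the handshake (no follow-up
# request on the connection); it checks whether the Upgrade headers change how
# the front end applies access control to a protected path.
resp=$(ws_status -o /dev/null --max-time 10 \
  -H 'Sec-WebSocket-Protocol: chat, superchat' \
  "$TARGET/admin/")
log "[$resp] WS upgrade against /admin/ (auth bypass attempt)"

# HTTP/2 WebSocket (RFC 8441).
# NOTE(review): RFC 8441 bootstraps WebSockets with an extended CONNECT
# request carrying a :protocol pseudo-header. This probe sends the
# HTTP/1.1-style handshake headers on a connection where HTTP/2 is requested,
# so it shows how the front end treats that request, not whether RFC 8441
# bootstrapping is enabled.
resp=$(ws_status --http2 -o /dev/null --max-time 10 "$TARGET/ws/")
log "[$resp] HTTP/2 WS upgrade (RFC 8441)"

cat "$SUMMARY"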