Python tool for testing vulnerabilities in WebSockets / Socket.IO servers
Switch branches/tags
Nothing to show
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Failed to load latest commit information.
.gitignore
README
WebSocketsClient.py
colorize.py
handshake.bin
payloads.txt
socket_io_client.py

README

A simple malicious Socket.IO client as a Python script. 

http://blog.kotowicz.net/2011/03/html5-websockets-security-new-tool-for.html

It can:
 - Handshake with a Socket.io server
 - Ignore all Origin restrictions
 - Transparently handle all socket.io heartbeats
 - Send arbitrary messages - from a prompt or an input file. Messages could be raw or
   properly formatted according to socket.io protocol
 - Receive/log all server messages

I also included a few exemplary payloads which can crash servers I encountered. 
You can test the client against my vulnerable chat application (try XSS).

1. Connect (with Chrome or other browser supporting websockets) to 
   http://vuln.nodester.com/chat.html
2. Run the command line client
   ./socket_io_client.py vuln.nodester.com 80
3. Start conversation
4. Try to inject XSS from the command line client

You could also use my prepared payloads like so:

   ./socket_io_client.py vuln.nodester.com 80 < payloads.txt

Or save all server reponses like so:
   ./socket_io_client.py vuln.nodester.com 80 > output.txt