Join GitHub today
GitHub is home to over 28 million developers working together to host and review code, manage projects, and build software together.Sign up
Python tool for testing vulnerabilities in WebSockets / Socket.IO servers http://blog.kotowicz.net/2011/03/html…
Fetching latest commit…
Cannot retrieve the latest commit at this time.
|Failed to load latest commit information.|
A simple malicious Socket.IO client as a Python script. http://blog.kotowicz.net/2011/03/html5-websockets-security-new-tool-for.html It can: - Handshake with a Socket.io server - Ignore all Origin restrictions - Transparently handle all socket.io heartbeats - Send arbitrary messages - from a prompt or an input file. Messages could be raw or properly formatted according to socket.io protocol - Receive/log all server messages I also included a few exemplary payloads which can crash servers I encountered. You can test the client against my vulnerable chat application (try XSS). 1. Connect (with Chrome or other browser supporting websockets) to http://vuln.nodester.com/chat.html 2. Run the command line client ./socket_io_client.py vuln.nodester.com 80 3. Start conversation 4. Try to inject XSS from the command line client You could also use my prepared payloads like so: ./socket_io_client.py vuln.nodester.com 80 < payloads.txt Or save all server reponses like so: ./socket_io_client.py vuln.nodester.com 80 > output.txt