A simple malicious Socket.IO client as a Python script.
It can:
- Handshake with a server
- Ignore all Origin restrictions
- Transparently handle all heartbeats
- Send arbitrary messages, from a prompt or an input file. Messages can be raw or
properly formatted according to the protocol
- Receive/log all server messages
I also included a few example payloads which can crash servers I encountered.
You can test the client against my vulnerable chat application (try XSS).
1. Connect (with Chrome or another browser that supports WebSockets) to
2. Run the command line client
./ 80
3. Start conversation
4. Try to inject XSS from the command line client
You could also use my prepared payloads like so:
./ 80 < payloads.txt
Or save all server responses like so:
./ 80 > output.txt
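
A server facing a client like this one cannot rely on Origin checks or on well-formed frames. The sketch below is an added example, not part of this repository: it strictly parses each frame and HTML-escapes chat text before broadcast, assuming the legacy Socket.IO 0.9 framing type:id:endpoint[:data]; the function names and size limits are hypothetical.

```python
import html
import json
import re

# Assumption: legacy Socket.IO 0.9 framing, type:id:endpoint[:data],
# with type 2 = heartbeat, 3 = message, 4 = JSON message, 5 = event.
FRAME_RE = re.compile(r"([0-8]):(\d*\+?):([^:]*)(?::(.*))?", re.DOTALL)
MAX_FRAME = 4096  # hypothetical frame size limit for a chat server
MAX_TEXT = 500    # hypothetical limit for one chat message


class BadFrame(ValueError):
    """Raised for any frame the server should drop instead of processing."""


def parse_frame(raw):
    """Parse one frame strictly so malformed input never reaches handlers."""
    if not isinstance(raw, str) or len(raw) > MAX_FRAME:
        raise BadFrame("frame missing or too large")
    m = FRAME_RE.fullmatch(raw)
    if m is None:
        raise BadFrame("not type:id:endpoint[:data]")
    ftype, msg_id, endpoint, data = m.groups()
    ftype = int(ftype)
    data = data or ""
    if ftype in (4, 5):  # JSON message / event: payload must be valid JSON
        try:
            data = json.loads(data)
        except (ValueError, RecursionError) as exc:  # bad or deeply nested
            raise BadFrame("invalid JSON payload") from exc
        if ftype == 5 and not (isinstance(data, dict)
                               and isinstance(data.get("name"), str)
                               and isinstance(data.get("args", []), list)):
            raise BadFrame("event needs a string name and list args")
    return ftype, msg_id, endpoint, data


def safe_chat_text(frame):
    """Return HTML-escaped text of a type-3 message, None for other types."""
    ftype, _, _, data = parse_frame(frame)
    if ftype != 3:
        return None
    if len(data) > MAX_TEXT:
        raise BadFrame("chat text too long")
    return html.escape(data, quote=True)
```

Catch BadFrame at the connection handler and drop the frame or close the socket; escaping on output in the browser is still needed in addition to this.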