WS-Vulnerability Detection
The tool currently supports tests for vulnerabilities including:
CSWSH (Cross-Site WebSocket Hijacking)
CVE-2020-27813 (Gorilla DoS Integer Overflow)
CVE-2020-7662 & CVE-2020-7663 (FAYE Sec-WebSocket-Extensions Regex DoS)
CVE-2021-32640 (ws Sec-Websocket-Protocol Regex DoS)
Basic Usage
First, make sure you have the necessary Python 3 dependencies installed using:
pip3 install -r requirements.txt
Then if you run:
python3 STEWS-vuln-detect.py -h
you will be greeted by the following options:
usage: STEWS-vuln-detect.py [-h] [-v] [-d] [-u URL] [-f FILE] [-n] [-k] [-o ORIGIN] [-1] [-2] [-3] [-4]
Security Testing and Enumeration of WebSockets (STEWS) Vulnerability Detection Tool
optional arguments:
-h, --help show this help message and exit
-v, --verbose Enable verbose tracing of communications
-d, --debug Print each test case to track progress while running
-u URL, --url URL URL to connect to
-f FILE, --file FILE File containing URLs to check for valid WebSocket connections
-n, --no-encryption Connect using ws://, not wss:// (default is wss://)
-k, --nocert Ignore invalid SSL cert
-o ORIGIN, --origin ORIGIN
Set origin
-1 Test for generic Cross-site WebSocket Hijacking (CSWSH)
-2 Test CVE-2021-32640 - ws Sec-Websocket-Protocol Regex DoS
-3 Test CVE-2020-7662 & 7663 - faye Sec-WebSocket-Extensions Regex DoS
-4 Test CVE-2020-27813 - Gorilla DoS Integer Overflow
Test 1 provides a generic CSWSH test: it performs a WebSocket handshake with a foreign Origin header and reports whether the server completes the upgrade anyway. Use it together with the -o flag to supply a specific origin value (for example, a subdomain or a near-match of the real origin) when trying to bypass the server's origin check. Keep in mind that a completed handshake from a foreign origin is only exploitable if the server authenticates the connection from cookies or other credentials the browser attaches automatically.
Tests 2, 3, and 4 check for the specific CVEs listed above. Their test cases were created from the PoC code published as part of the disclosure of each CVE. For example, to run test 4 against a local, unencrypted server on port 8084:
python3 STEWS-vuln-detect.py -4 -n -u 127.0.0.1:8084
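The following is an added example of the mechanism behind test 1, written for this page rather than taken from STEWS: it builds a raw RFC 6455 upgrade request with a chosen Origin header, reads the reply, and treats the target as accepting the foreign origin only when it answers 101 with a Sec-WebSocket-Accept that matches the key sent. Host, port, path and origin values are caller-supplied assumptions, and the sample reply at the bottom is constructed from the RFC 6455 example key/accept pair. The probe also returns elapsed time and accepts arbitrary extra headers, which is where a header-parsing DoS test would plug in, but the CVE payloads themselves are not reproduced here.

```python
"""Raw WebSocket handshake probe behind a CSWSH check (added example, not STEWS code)."""
import base64
import hashlib
import os
import socket
import ssl
import time

# Fixed by RFC 6455 section 1.3; appended to the client key to form the accept value.
WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"


def make_key():
    """Sec-WebSocket-Key: 16 random bytes, base64-encoded (RFC 6455 4.1)."""
    return base64.b64encode(os.urandom(16)).decode()


def expected_accept(key):
    """Value a conforming server must put in Sec-WebSocket-Accept."""
    return base64.b64encode(hashlib.sha1((key + WS_GUID).encode()).digest()).decode()


def build_handshake(host, path, key, origin=None, extra_headers=None):
    """Serialize the upgrade request; Origin is optional so the same builder
    serves an own-origin baseline and a foreign-origin test."""
    lines = [
        f"GET {path} HTTP/1.1",
        f"Host: {host}",
        "Upgrade: websocket",
        "Connection: Upgrade",
        f"Sec-WebSocket-Key: {key}",
        "Sec-WebSocket-Version: 13",
    ]
    if origin is not None:
        lines.append(f"Origin: {origin}")
    for name, value in (extra_headers or {}).items():
        lines.append(f"{name}: {value}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode()


def parse_response(raw, key):
    """Return (status_code, accepted). accepted is True only for a 101 whose
    Sec-WebSocket-Accept matches our key; 4xx, garbage or an empty reply is False."""
    lines = raw.partition(b"\r\n\r\n")[0].decode("latin-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    try:
        status = int(parts[1])
    except (IndexError, ValueError):
        return None, False
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    accepted = status == 101 and headers.get("sec-websocket-accept") == expected_accept(key)
    return status, accepted


def probe(host, port, path="/", origin=None, tls=True, verify=True,
          extra_headers=None, timeout=10.0):
    """One connection, one handshake: returns (status, accepted, seconds).
    Elapsed time matters because a header-parsing DoS shows up as a slow or
    missing reply, not as a distinctive status code."""
    key = make_key()
    sock = socket.create_connection((host, port), timeout=timeout)
    raw = b""
    start = time.monotonic()
    try:
        if tls:
            ctx = ssl.create_default_context()
            if not verify:  # same effect as the tool's -k: accept any certificate
                ctx.check_hostname = False
                ctx.verify_mode = ssl.CERT_NONE
            sock = ctx.wrap_socket(sock, server_hostname=host)
        sock.sendall(build_handshake(host, path, key, origin, extra_headers))
        while b"\r\n\r\n" not in raw:
            chunk = sock.recv(4096)
            if not chunk:
                break
            raw += chunk
    except socket.timeout:
        return None, False, time.monotonic() - start
    finally:
        sock.close()
    status, accepted = parse_response(raw, key)
    return status, accepted, time.monotonic() - start


def cswsh_vulnerable(host, port, path, foreign_origin, **kw):
    """True when the server completes the upgrade for an origin it does not own.
    Only exploitable if the socket is authenticated by cookies or other
    browser-attached credentials, so confirm that before reporting."""
    _, accepted, _ = probe(host, port, path, origin=foreign_origin, **kw)
    return accepted


# Constructed sample reply using the RFC 6455 section 1.3 example key/accept pair.
SAMPLE_KEY = "dGhlIHNhbXBsZSBub25jZQ=="
SAMPLE_101 = (b"HTTP/1.1 101 Switching Protocols\r\nUpgrade: websocket\r\n"
              b"Connection: Upgrade\r\nSec-WebSocket-Accept: s3pPLMBiTxaQ9kYGzzhZRbK+xOo=\r\n\r\n")

if __name__ == "__main__":
    print(parse_response(SAMPLE_101, SAMPLE_KEY))  # (101, True)
    # Live use against the local server from the usage text above (hypothetical origin):
    # print(cswsh_vulnerable("127.0.0.1", 8084, "/", "https://attacker.example", tls=False))
```

Run the foreign-origin probe twice, once with the real origin and once with the test origin, and compare: a server that answers 101 to both, or that answers 101 to no Origin header at all, is relying on something other than the Origin check to protect the socket.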
CSWSH bugs:
Slack H1 #207170: CSWSH (plus an additional writeup)
Facebook: CSWSH
Stripo H1 #915541: CSWSH
Coda H1 #535436: CSWSH
Legal Robot #211283: CSWSH
Legal Robot H1 #274324: CSWSH
Grammarly #395729: CSWSH
Undisclosed target: CSWSH
Undisclosed target: CSWSH
Other bugs:
PlayStation H1 #873614: Remote code execution over WebSockets
Shopify H1 #409701: SSRF over WebSockets
QIWI H1 #512065: DOM XSS over WebSockets
NodeJS H1 #868834: DoS because no timeout to close unresponsive connections
Bitwala H1 #862835: Broken authentication
Shopify H1 #1023669: Broken authentication
Legal Robot H1 #163464: Information leak
GitHub H1 #854439: Arbitrary SQL queries via injection
Undisclosed target: IDOR over WebSockets
Undisclosed target on BugCrowd: XSS over WebSockets