Discover the attack surface and prioritize risks with our continuous Attack Surface Management (ASM) platform - Sn1per Professional #pentest #redteam #bugbounty

Stars: ✭ 45 (-70.78%)

Mutual labels: penetration-testing, penetration-testing-tools

pentesting-notes

Notes from OSCP, CTF, security adventures, etc...

Stars: ✭ 38 (-75.32%)

Mutual labels: penetration-testing

Alfred

A friendly Toolkit for Beginner CTF players

Stars: ✭ 39 (-74.68%)

Mutual labels: penetration-testing

metagoofil

Search Google and download specific file types

Stars: ✭ 174 (+12.99%)

Mutual labels: penetration-testing

bitmex-client-websocket

🛠️ C# client for Bitmex websocket API

Stars: ✭ 60 (-61.04%)

Mutual labels: websockets

Offensive-Security-Cayuqueo

Scripts usados en mi formación de Offensive Security por medio de la suscripción Learn Unlimited

Stars: ✭ 14 (-90.91%)

Mutual labels: penetration-testing

showdown-battle-bot

Socket Battle Bot for Pokemon Showdown (http://pokemonshowdown.com/)

Stars: ✭ 19 (-87.66%)

Mutual labels: websockets

anycable-client

AnyCable / Action Cable JavaScript client for web, Node.js & React Native

Stars: ✭ 40 (-74.03%)

Mutual labels: websockets

View All Similar Projects ➔

STEWS: Security Testing and Enumeration of WebSockets

STEWS is a tool suite for security testing of WebSockets

This research was first presented at OWASP Global AppSec US 2021

Features

STEWS provides the ability to:

Discover: find WebSockets endpoints on the web by testing a list of domains
Fingerprint: determine what WebSockets server is running on the endpoint
Vulnerability Detection: test whether the WebSockets server is vulnerable to a known WebSockets vulnerability

The included whitepaper in this repository provides further details of the research undertaken. The included slide deck was presented at OWASP AppSec US 2021.

Complementary respositories created as part of this research include:

The Awesome WebSocket Security repository, which compiles WebSockets security information for future researchers
The WebSockets-Playground repository, which is a script to easily jump start multiple local WebSocket servers in parallel

Installation & Usage

Each portion of STEWS (discovery, fingerprinting, vulnerability detection) has separate instructions. Please see the README in each respective folder.

Why this tool?

WebSocket servers have been largely ignored in security circles. This is partially due to three hurdles that have not been clearly addressed for WebSocket endpoints:

Discovery
Enumeration/fingerprinting
Vulnerability detecting

STEWS attempts to address these three points. A custom tool was required because there is a distinct lack of support for manually configured WebSocket testing in current security testing tools:

There is a general lack of supported and scriptable WebSocket security testing tools (for example, NCC's unsupported wssip tool, nuclei's lack of WebSocket support, and nmap's lack of WebSocket support)
Burp Suite lacks support for WebSocket extensions (for example, see this PortSwigger forum thread and this one).
There is a lack of deeper WebSocket-specific security research (the Awesome WebSocket Security repository lists published WebSockets security research)
The proliferation of WebSockets around the modern web (as seen in the results of the STEWS discovery tool)

Note that the project description data, including the texts, logos, images, and/or trademarks, for each open source project belongs to its rightful owner. If you wish to add or remove any projects, please contact us at [email protected].

Cheap and reliable Node.js hosting starts at $3/month, and $1/month static HTML hosting

PalindromeLabs / STEWS

Programming Languages

Labels

Projects that are alternatives of or similar to STEWS

STEWS: Security Testing and Enumeration of WebSockets

Features

Installation & Usage

WebSocket Discovery

WebSocket Fingerprinting

WebSocket Vulnerability Detection

Why this tool?