-
Notifications
You must be signed in to change notification settings - Fork 18
/
Copy pathREADME
29 lines (21 loc) · 1.04 KB
/
README
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
A simple malicious Socket.IO client as a Python script.
http://blog.kotowicz.net/2011/03/html5-websockets-security-new-tool-for.html
It can:
- Handshake with a Socket.io server
- Ignore all Origin restrictions
- Transparently handle all socket.io heartbeats
- Send arbitrary messages - from a prompt or an input file. Messages could be raw or
properly formatted according to socket.io protocol
- Receive/log all server messages
I also included a few exemplary payloads which can crash servers I encountered.
You can test the client against my vulnerable chat application (try XSS).
1. Connect (with Chrome or other browser supporting websockets) to
http://vuln.nodester.com/chat.html
2. Run the command line client
./socket_io_client.py vuln.nodester.com 80
3. Start conversation
4. Try to inject XSS from the command line client
You could also use my prepared payloads like so:
./socket_io_client.py vuln.nodester.com 80 < payloads.txt
Or save all server reponses like so:
./socket_io_client.py vuln.nodester.com 80 > output.txt