Vulnerable web sockets application for training

I think this is what you are looking for: Analysing, Testing and Fuzzing WebSocket Implementations with IronWASP. Looks like it has a nice set of tools for training and getting started with Web Socket Security. I stumbled upon this a few days ago but didn't get a chance to actually try their demo out. Just to give a summary of that blog post -- the author has added 5 new tools to IronWASP (an Open Source Advanced Web Security Testing Platform) dedicated to Web Socket testing:

1) WebSocket Message Analyzer: A utility to analyse complex WebSocket implementations in a simple way. Check out this report of our WebSocket Demo Application.

2) Online Cross-Site WebSocket Hijacking Tester: An online tool to easily check for CSWSH issues. Check it out here. To understand more about Cross-Site WebSocket Hijacking, check out this post on NotSoSecure.

3) WebSocket Client: Versatile WebSocket client that lets you store and send multiple messages along with setting custom Origin and Cookie headers. Perfect for checking Cross-Site WebSocket Hijacking and other WebSocket issues.

4) WebSocket Scripting API for Python and Ruby: To automate checks and write custom fuzzers for WebSocket implementations. Generic fuzzers don't work for asynchronous protocols like WebSockets.

5) WebSocket Demo App: A sample vulnerable application that is built to use WebSockets heavily. Good test bed to test and learn WebSocket security testing.

Again, I haven't had a chance to try these out yet, but this one looked interesting.

Please feel free to share any other resources you guys may have in comments, answers or even by adding them to my post. It'd be nice to have a comprehensive list of resources for training purposes. Here are some other resources on Web Socket Security:

  • Nice intro to WebSocket and its Security
  • Heroku's Dev Center - WebSocket Security

You should check out OWASP's Damn Vulnerable Web Sockets.

To install the Docker container:

    docker pull tssoffsec/dvws

To run it:

    docker run -d -p 80:80 -p 8080:8080 tssoffsec/dvws
