Testing WebSocket API Security

When to Use

  • Assessing real-time communication APIs that use WebSocket (ws://) or Secure WebSocket (wss://) protocols
  • Testing for Cross-Site WebSocket Hijacking (CSWSH) where an attacker's page connects to a legitimate WebSocket server
  • Evaluating authentication and authorization enforcement on WebSocket connections and messages
  • Testing input validation on WebSocket message payloads for injection vulnerabilities
  • Assessing WebSocket implementations for denial-of-service through message flooding or oversized frames

Do not use without written authorization. WebSocket testing may disrupt real-time services and affect other connected users.

Prerequisites

  • Written authorization specifying the WebSocket endpoint and testing scope
  • Burp Suite Professional with WebSocket interception capability
  • Python 3.10+ with the websockets library (asyncio ships with the standard library)
  • Browser developer tools for observing WebSocket handshakes and frames
  • wscat CLI tool for manual WebSocket interaction: npm install -g wscat
  • Knowledge of the WebSocket subprotocol in use (JSON-RPC, STOMP, custom)

First Seen: Mar 15, 2026