WebSocket Pentesting Guide - With Examples & Techniques

by x32x01

📌 What is WebSocket?

WebSocket is a communication protocol that provides full-duplex communication over a single TCP connection. Unlike HTTP, WebSocket enables real-time, low-latency interaction between client and server.
Used in:
Chat applications
Live sports updates
Stock trading platforms
Multiplayer games

🎯 Why Pentest WebSockets?

WebSocket traffic often passes through controls designed for plain HTTP, such as WAFs and CSRF token checks, without being inspected or protected by them, making WebSocket endpoints attractive targets for attackers.

⚒️ WebSocket Pentesting Methodology

1. Discovering WebSocket Endpoints

Intercept traffic using:
Burp Suite (with WebSockets tab)
Browser Dev Tools (Network → WS)
Look for:
Code:
ws:// or wss:// URLs (e.g., ws://example.com/socket)

2. Inspecting WebSocket Handshake

A typical handshake looks like:
Code:
GET /socket HTTP/1.1
Host: example.com
Upgrade: websocket
Connection: Upgrade
Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==
Sec-WebSocket-Version: 13
Check for missing or malformed headers, weak Origin validation, and flaws in how the server handles the upgrade itself.

3. Testing for Vulnerabilities

✅ a. No Authentication / Authorization
Capture the messages sent after login, then replay them over a new connection without logging in.
> If the server accepts unauthenticated messages → it's vulnerable.
Test Case:
Try using another user’s token or send the request without a token.

✅ b. Insecure Message Structure
Messages are often JSON. You can manipulate parameters inside.
Example:
{ "action": "getUserData", "userID": "123" }
Try changing userID to another user’s ID.

✅ c. IDOR (Insecure Direct Object Reference)
Occurs when you can access or modify another user's resources simply by changing IDs in WebSocket messages.
Example Payload:
{ "action": "deleteMessage", "messageID": "456" }
Try guessing other messageID values.

✅ d. Command Injection / Code Execution
Poor server-side input validation can lead to code execution.
Test:
Try injecting payloads in message fields like:
{ "username": "admin'; system('ls'); //" }

✅ e. Sensitive Data Exposure
Sometimes sensitive data is pushed to all connected clients.
Check:
Monitor all broadcast messages → do they include private info?

✅ f. Improper Origin Check / CSRF
WebSocket connections must verify the Origin header. If the server does not validate it:
> A page on another domain can open a connection to the socket from the victim's browser (cross-site WebSocket hijacking)!
Test:
Send WebSocket handshake with a different Origin: header.

✅ g. DoS via Message Flooding
Try flooding the server with multiple large messages to see if it crashes.
Tools:
Use Burp Intruder or custom Python scripts.

🧪 Tools for WebSocket Pentesting
Tool            Purpose
--------------  ------------------------------------
Burp Suite      Intercept & modify WS traffic
ZAP Proxy       WebSocket fuzzing
wscat           CLI tool to interact with WS
websocat        Flexible WebSocket client
custom Python   Use the websocket-client module

🧰 Example using wscat
Install:
npm install -g wscat
Connect to WebSocket:
wscat -c ws://example.com/socket
Send test message:
{ "action": "getUserData", "userID": "1" }

🔐 Remediation Best Practices
Always authenticate WS connections
Validate user input & output
Implement rate limiting
Sanitize all incoming data
Use secure WebSocket (wss://)
Apply proper origin checks
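As an added example (not code from the original post), here is a minimal server-side handshake gatekeeper that applies the Origin check from section f and the handshake-time authentication from section a before an upgrade is accepted, and computes the Sec-WebSocket-Accept value for the sample handshake shown in section 2. It assumes the session token arrives in an X-Auth-Token header and that the allowed origins and valid tokens are constructed sample values; a cookie-based session would be checked the same way.

```python
# Added example (not from the original post): gate a WebSocket upgrade on
# required headers, an Origin allowlist and a valid session token.
# Standard library only.
import base64
import hashlib
import hmac

# Fixed GUID from RFC 6455 used to derive Sec-WebSocket-Accept.
WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"

# Constructed sample values (assumptions): origins allowed to open a socket,
# and the session tokens currently considered valid, mapped to user IDs.
ALLOWED_ORIGINS = {"https://example.com"}
VALID_TOKENS = {"tok-user-123": "123"}


def parse_handshake(raw):
    """Split a raw HTTP upgrade request into (request_line, headers dict)."""
    lines = raw.strip().split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def accept_key(client_key):
    """Compute Sec-WebSocket-Accept as RFC 6455 section 4.2.2 specifies."""
    digest = hashlib.sha1((client_key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def check_handshake(raw):
    """Return (status, detail, user_id). Only status 101 means 'upgrade accepted'."""
    _, h = parse_handshake(raw)
    if h.get("upgrade", "").lower() != "websocket" or \
       "upgrade" not in h.get("connection", "").lower():
        return 400, "not a websocket upgrade", None
    if h.get("sec-websocket-version") != "13" or "sec-websocket-key" not in h:
        return 400, "missing or unsupported websocket headers", None
    # Origin allowlist: a page on another site cannot open an authenticated socket.
    if h.get("origin") not in ALLOWED_ORIGINS:
        return 403, "origin not allowed", None
    # Authenticate at the handshake, not after the socket is open.
    token = h.get("x-auth-token", "")
    user_id = None
    for known, uid in VALID_TOKENS.items():
        if hmac.compare_digest(known, token):
            user_id = uid
    if user_id is None:
        return 401, "unauthenticated", None
    return 101, accept_key(h["sec-websocket-key"]), user_id
```

The returned user_id is what later message handlers should use to authorize every userID or messageID in a message, instead of trusting the IDs the client sends.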

🎯 Final Thoughts
WebSockets open the door to fast, real-time communication, but also introduce unique security challenges. Treat WebSocket endpoints as critical attack surfaces and include them in your pentesting scope.
 