WebSocket protocol templates enable testing of WebSocket endpoints, real-time communication, and bidirectional data exchange vulnerabilities.

Basic WebSocket request

id: basic-websocket

info:
  name: Basic WebSocket Request
  author: pdteam
  severity: info

websocket:
  - address: '{{Scheme}}://{{Hostname}}'
    inputs:
      - data: hello
    
    matchers:
      - type: word
        words:
          - world

WebSocket components

Address

address (string, required): WebSocket URL to connect to. Supports ws:// and wss:// schemes.
websocket:
  - address: 'ws://{{Hostname}}/socket'
Use {{Scheme}} to select ws:// or wss:// automatically:
websocket:
  - address: '{{Scheme}}://{{Hostname}}/realtime'

Inputs

inputs (array): Messages to send over the WebSocket connection.
websocket:
  - address: 'ws://{{Hostname}}/chat'
    inputs:
      - data: '{"action":"subscribe"}'
      - data: '{"action":"message","text":"test"}'

Headers

headers (object): Custom headers for the WebSocket handshake.
websocket:
  - address: 'wss://{{Hostname}}/ws'
    headers:
      Origin: "https://{{Hostname}}"
      Authorization: "Bearer {{token}}"

Example: WebSocket echo test

id: websocket-echo

info:
  name: WebSocket Echo Test
  author: pdteam
  severity: info
  description: Tests WebSocket echo functionality

websocket:
  - address: 'ws://{{Hostname}}/echo'
    inputs:
      - data: 'test-message-{{rand_int(1000,9999)}}'
    
    matchers:
      - type: word
        words:
          - 'test-message-'

Example: WebSocket authentication bypass

id: websocket-auth-bypass

info:
  name: WebSocket Authentication Bypass
  author: researcher
  severity: high
  description: Tests for missing authentication on WebSocket endpoints

websocket:
  - address: 'wss://{{Hostname}}/admin/ws'
    inputs:
      - data: '{"action":"getUsers"}'
    
    matchers:
      - type: word
        words:
          - '"users"'
          - '"admin"'
        condition: and

Example: WebSocket injection

id: websocket-xss

info:
  name: WebSocket XSS Testing
  author: researcher
  severity: medium

websocket:
  - address: 'ws://{{Hostname}}/chat'
    inputs:
      - data: '{"message":"<script>alert(1)</script>"}'
    
    matchers:
      - type: word
        words:
          - '<script>alert(1)</script>'

Payloads with WebSocket

id: websocket-command-injection

info:
  name: WebSocket Command Injection
  author: researcher
  severity: critical

websocket:
  - address: 'ws://{{Hostname}}/api/execute'
    inputs:
      - data: '{"cmd":"{{payload}}"}'
    
    payloads:
      payload:
        - "id"
        - "whoami"
        - "cat /etc/passwd"
    
    matchers:
      - type: regex
        regex:
          - "uid=[0-9]+.*gid=[0-9]+"
          - "root:x:[0-9]+:[0-9]+"
        condition: or

WebSocket response parts

response (string): WebSocket response messages (default).
matchers:
  - type: word
    part: response
    words:
      - "connected"
request (string): WebSocket request messages sent.
success (boolean): Whether the WebSocket connection succeeded.
matchers:
  - type: dsl
    dsl:
      - "success == true"
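
How the matcher blocks in the example templates decide a result, as an added example (not Nuclei's own code): a small Python model of `word` and `regex` matchers run over constructed replies, pairing each template's intended finding with a look-alike reply. The names `matcher_hits` and `triage`, the sample replies, and treating a missing `condition` as `or` are assumptions of this sketch.

```python
import re

def matcher_hits(matcher, parts):
    """Evaluate one word/regex matcher against the parts of a finished session."""
    text = parts[matcher.get("part", "response")]  # `response` is the default part
    if matcher["type"] == "word":
        hits = [word in text for word in matcher["words"]]
    elif matcher["type"] == "regex":
        hits = [re.search(rx, text) is not None for rx in matcher["regex"]]
    else:
        raise ValueError("only word and regex matchers are modelled")
    # Assumption: a matcher with no `condition` key is treated as `or`.
    return all(hits) if matcher.get("condition", "or") == "and" else any(hits)

# Matcher blocks transcribed from the templates on this page.
AUTH_BYPASS = {"type": "word", "words": ['"users"', '"admin"'], "condition": "and"}
CMD_INJECTION = {"type": "regex", "condition": "or",
                 "regex": ["uid=[0-9]+.*gid=[0-9]+", "root:x:[0-9]+:[0-9]+"]}
XSS_REFLECT = {"type": "word", "words": ["<script>alert(1)</script>"]}

# Constructed server replies (not captured traffic): one intended finding and
# one look-alike per template.
SAMPLES = {
    "auth: user list returned": (AUTH_BYPASS, '{"users":[{"name":"alice","role":"admin"}]}'),
    "auth: request rejected": (AUTH_BYPASS, '{"error":"admin login required to list users"}'),
    "cmd: command output": (CMD_INJECTION, "uid=33(www-data) gid=33(www-data) groups=33(www-data)"),
    "cmd: input echoed in error": (CMD_INJECTION, '{"error":"unknown command: cat /etc/passwd"}'),
    "xss: reflected verbatim": (XSS_REFLECT, '{"message":"<script>alert(1)</script>"}'),
    "xss: reflected encoded": (XSS_REFLECT, '{"message":"&lt;script&gt;alert(1)&lt;/script&gt;"}'),
}

def triage(samples=SAMPLES):
    """Return {sample name: matched?} for every constructed reply."""
    return {name: matcher_hits(m, {"request": "", "response": reply})
            for name, (m, reply) in samples.items()}

if __name__ == "__main__":
    for name, matched in triage().items():
        print(f"{'MATCH' if matched else 'no match':8}  {name}")
```

The quoted words `"users"` and `"admin"` only match JSON keys or values, which is why the rejection message does not fire. The verbatim-reflection match shows only that the frame came back unencoded, so whether a client renders it needs a separate check.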
