A WebSocket Manipulation Proxy: WSSiP

2017-08-08T19:45:07
ID N0WHERE:172013
Type n0where
Reporter N0where
Modified 2017-08-08T19:45:07

Description

Short for “WebSocket/Socket.io Proxy”, this tool, written in Node.js, provides a user interface to capture, intercept, send custom messages and view all WebSocket and Socket.IO communications between the client and server. Upstream proxy support also means you can forward HTTP/HTTPS traffic to an intercepting proxy of your choice (e.g. Burp Suite or Pappy Proxy) but view WebSocket traffic in WSSiP. More information can be found on the blog post.

WSSiP also exposes an outward bridge over HTTP, so you can write a fuzzer in any language you choose to debug and fuzz for security vulnerabilities.
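
To show what capturing and modifying a WebSocket message involves on the wire, here is an added example (not WSSiP's code and not from the original page): a minimal RFC 6455 frame decoder and encoder for Node.js. The function names are hypothetical and the sample frame is constructed; the example goes beyond the page's description by handling client masking and the extended length fields an intercepting proxy has to parse.

```javascript
// Added example: minimal RFC 6455 frame codec. Not WSSiP source code.

// XOR the payload with the 4-byte masking key (masking is its own inverse).
function applyMask(payload, key) {
  const out = Buffer.alloc(payload.length);
  for (let i = 0; i < payload.length; i++) out[i] = payload[i] ^ key[i % 4];
  return out;
}

// Parse one frame from a Buffer; returns null while the frame is incomplete.
function decodeFrame(buf) {
  if (buf.length < 2) return null;
  const masked = (buf[1] & 0x80) !== 0;
  let len = buf[1] & 0x7f;
  let off = 2;
  if (len === 126) {                       // 16-bit extended length
    if (buf.length < 4) return null;
    len = buf.readUInt16BE(2);
    off = 4;
  } else if (len === 127) {                // 64-bit extended length
    if (buf.length < 10) return null;
    const big = buf.readBigUInt64BE(2);
    if (big > BigInt(Number.MAX_SAFE_INTEGER)) throw new RangeError('frame too large');
    len = Number(big);
    off = 10;
  }
  const dataStart = off + (masked ? 4 : 0);
  if (buf.length < dataStart + len) return null;
  const raw = buf.subarray(dataStart, dataStart + len);
  const payload = masked ? applyMask(raw, buf.subarray(off, off + 4)) : Buffer.from(raw);
  return { fin: (buf[0] & 0x80) !== 0, opcode: buf[0] & 0x0f, masked, payload,
           consumed: dataStart + len };
}

// Build an unfragmented frame. Pass a 4-byte maskKey for client-to-server frames
// (real clients use a fresh random key per frame), or null for server frames.
function encodeFrame(opcode, payload, maskKey) {
  const len = payload.length;
  const ext = len < 126 ? 0 : len < 65536 ? 2 : 8;
  const header = Buffer.alloc(2 + ext);
  header[0] = 0x80 | (opcode & 0x0f);      // FIN bit set
  header[1] = (maskKey ? 0x80 : 0) | (ext === 0 ? len : ext === 2 ? 126 : 127);
  if (ext === 2) header.writeUInt16BE(len, 2);
  if (ext === 8) header.writeBigUInt64BE(BigInt(len), 2);
  if (!maskKey) return Buffer.concat([header, payload]);
  return Buffer.concat([header, maskKey, applyMask(payload, maskKey)]);
}

// Constructed sample: the masked "Hello" text frame given in RFC 6455, section 5.7.
const SAMPLE = Buffer.from('818537fa213d7f9f4d5158', 'hex');
```

A proxy that edits a message in transit decodes the frame, changes the payload, and re-encodes it so the length field and masking stay consistent for the receiving side.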

Installation


From npm/yarn (for CLI commands)

Run the following in your command line:

npm:

# Install Electron globally
npm i -g electron@1.7

# Install wssip globally for the "wssip" command
npm i -g wssip

# Launch!
wssip

yarn: (Make sure the directory in yarn global bin is in your PATH)

yarn global add electron@1.7
yarn global add wssip
wssip

You can also run npm install electron (or yarn add electron) inside the installed WSSiP directory if you do not want to install Electron globally, as the app packager requires Electron be added to developer dependencies.

Usage

  1. Open the WSSiP application.
  2. WSSiP will start listening automatically. This will default to localhost on port 8080.
  3. Optionally, use Tools > Use Upstream Proxy to use another intercepting proxy to view web traffic.
  4. Configure the browser to point to http://localhost:8080/ as the HTTP Proxy.
  5. Navigate to a page using WebSockets. A good example is the WS Echo Demonstration.
  6. ???
  7. Potato.
