{"id":13762703,"url":"https://github.com/PalindromeLabs/STEWS","last_synced_at":"2025-05-10T15:31:41.048Z","repository":{"id":51164613,"uuid":"426818136","full_name":"PalindromeLabs/STEWS","owner":"PalindromeLabs","description":"A Security Tool for Enumerating WebSockets","archived":false,"fork":false,"pushed_at":"2022-01-10T16:58:54.000Z","size":4067,"stargazers_count":334,"open_issues_count":0,"forks_count":39,"subscribers_count":7,"default_branch":"main","last_synced_at":"2024-11-16T21:33:07.096Z","etag":null,"topics":["penetration-testing","penetration-testing-tools","security","web-application-security","websocket","websocket-security","websockets","websockets-security"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/PalindromeLabs.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2021-11-11T00:13:40.000Z","updated_at":"2024-11-12T03:09:57.000Z","dependencies_parsed_at":"2022-08-31T19:41:47.262Z","dependency_job_id":null,"html_url":"https://github.com/PalindromeLabs/STEWS","commit_stats":null,"previous_names":[],"tags_count":1,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/PalindromeLabs%2FSTEWS","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/PalindromeLabs%2FSTEWS/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/PalindromeLabs%2FSTEWS/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/PalindromeLabs%2FSTEWS/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Palindrom
eLabs","download_url":"https://codeload.github.com/PalindromeLabs/STEWS/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":253436522,"owners_count":21908350,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["penetration-testing","penetration-testing-tools","security","web-application-security","websocket","websocket-security","websockets","websockets-security"],"created_at":"2024-08-03T14:00:54.268Z","updated_at":"2025-05-10T15:31:40.658Z","avatar_url":"https://github.com/PalindromeLabs.png","language":"Python","readme":"# STEWS: Security Testing and Enumeration of WebSockets\n\n![STEWS cauldron image](stews-image.jpg)\n\nSTEWS is a tool suite for security testing of WebSockets.\n\nThis research was first presented at\n[OWASP Global AppSec US 2021](https://www.youtube.com/watch?v=bMFP71UAbPo)\n\n## Features\nSTEWS provides the ability to:\n- **Discover**: find WebSockets endpoints on the web by testing a list of domains\n- **Fingerprint**: determine what WebSockets server is running on the endpoint\n- **Vulnerability Detection**: test whether the WebSockets server is vulnerable to a known WebSockets vulnerability\n\nThe included whitepaper in this repository provides further details of\nthe research undertaken.\nThe included slide deck was presented at OWASP AppSec US 2021.\n\nComplementary repositories created as part of this research include:\n- The [Awesome WebSocket Security repository](https://github.com/PalindromeLabs/awesome-websocket-security), which compiles WebSockets security information\nfor future 
researchers\n- The [WebSockets-Playground repository](https://github.com/PalindromeLabs/WebSockets-Playground), which is a script to easily jump-start\nmultiple local WebSocket servers in parallel\n\n## Installation \u0026 Usage\n\nEach portion of STEWS (discovery, fingerprinting, vulnerability detection)\nhas separate instructions. Please see the README in each respective folder.\n\n### WebSocket Discovery\n\nSee the [discovery README](discovery/README.md)\n\n### WebSocket Fingerprinting\n\nSee the [fingerprinting README](fingerprint/README.md)\n\n### WebSocket Vulnerability Detection\n\nSee the [vulnerability detection README](vuln-detect/README.md)\n\n## Why this tool?\n\nWebSocket servers have been largely ignored in security circles.\nThis is partially due to three hurdles that have not been clearly\naddressed for WebSocket endpoints:\n\n1. Discovery\n2. Enumeration/fingerprinting\n3. Vulnerability detection\n\nSTEWS attempts to address these three points. A custom tool was required\nbecause there is a distinct lack of support for manually configured WebSocket\ntesting in current security testing tools:\n\n1. There is a general lack of supported and scriptable WebSocket security testing tools\n(for example, NCC's unsupported [wssip tool](https://github.com/nccgroup/wssip/issues),\n[nuclei's lack of WebSocket support](https://github.com/projectdiscovery/nuclei/issues/539),\nand [nmap's lack of WebSocket support](https://seclists.org/nmap-dev/2015/q1/134))\n2. Burp Suite lacks support for WebSocket extensions (for example, see [this PortSwigger forum thread](https://forum.portswigger.net/thread/websockets-api-support-c8e1660b9f0ab) and [this one](https://forum.portswigger.net/thread/websocket-api-07e77f9ee3dd58552eb770)).\n3. There is a lack of deeper WebSocket-specific security research (the [Awesome WebSocket Security repository](https://github.com/PalindromeLabs/awesome-websocket-security) lists published WebSockets security research)\n4. 
The proliferation of WebSockets around the modern web (as seen in the results\nof the STEWS discovery tool)\n","funding_links":[],"categories":["Weapons","Python","2011"],"sub_categories":["Tools","2021"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FPalindromeLabs%2FSTEWS","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FPalindromeLabs%2FSTEWS","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FPalindromeLabs%2FSTEWS/lists"}