https://github.com/ivan-sincek/websocket-bf
Brute force a REST API query through WebSocket. Based on cURL.
- Host: GitHub
- URL: https://github.com/ivan-sincek/websocket-bf
- Owner: ivan-sincek
- License: mit
- Archived: true
- Created: 2020-07-09T11:43:23.000Z (almost 5 years ago)
- Default Branch: master
- Last Pushed: 2023-04-27T20:59:48.000Z (about 2 years ago)
- Last Synced: 2025-02-16T14:56:51.966Z (3 months ago)
- Topics: bash, brute-force, cracking, curl, dictionary-attack, ethical-hacking, fuzzing, networking, offensive-security, rest-api, security, websocket
- Language: Shell
- Homepage:
- Size: 3.91 KB
- Stars: 9
- Watchers: 2
- Forks: 5
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# WebSocket BF
Brute force a REST API query through WebSocket. Based on cURL.
Tweak this tool to fit your scenario by modifying HTTP request headers and/or query strings within the script.
Tested on [socket.io](https://socket.io).
Tested on Kali Linux v2021.2 (64-bit).
Made for educational purposes. I hope it will help!
## How to Run
Open your preferred console from [/src/](https://github.com/ivan-sincek/websocket-bf/tree/master/src) and run the commands shown below.
Install required packages:
```fundamental
apt-get -y install bc jq
```
Change file permissions:
```fundamental
chmod +x websocket_bf.sh
```
Run the script:
```fundamental
./websocket_bf.sh
```
## Usage
```fundamental
WebSocket BF v1.9 ( github.com/ivan-sincek/websocket-bf )
--- Single request ---
Usage: ./websocket_bf.sh -d domain -p payload [-t token ]
Example: ./websocket_bf.sh -d https://example.com -p '42["verify","{\"otp\":\"1234\"}"]' [-t xxxxx.yyyyy.zzzzz]
--- Brute force ---
Usage: ./websocket_bf.sh -d domain -p payload -w wordlist [-t token ]
Example: ./websocket_bf.sh -d https://example.com -p '42["verify","{\"otp\":\"\"}"]' -w all_numeric_four.txt [-t xxxxx.yyyyy.zzzzz]
DESCRIPTION
Brute force a REST API query through WebSocket
DOMAIN
Specify a target domain and protocol
-d - https://example.com | https://192.168.1.10 | etc.
PAYLOAD
Specify a query/payload to brute force
Make sure to enclose it in single quotes
Mark the injection point with
-p - '42["verify","{\"otp\":\"\"}"]' | etc.
WORDLIST
Specify a wordlist to use
-w - all_numeric_four.txt | etc.
TOKEN
Specify a token to use
-t - xxxxx.yyyyy.zzzzz | etc.
```