WebSocket Turbo Intruder Unearthing the WebSocket Goldmine #1416
+2,580
−89
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
- Remove searchindex.js (auto-generated file)
… for Andr... - Remove searchindex.js (auto-generated file)
added 5 commits
September 16, 2025 01:19
…Misuse an... - Remove searchindex.js (auto-generated file)
- Remove searchindex.js (auto-generated file)
… Top-Up i... - Remove searchindex.js (auto-generated file)
- Remove searchindex.js (auto-generated file)
…Goldmine - Remove searchindex.js (auto-generated file)
🔗 Additional ContextOriginal Blog Post: https://portswigger.net/research/websocket-turbo-intruder-unearthing-the-websocket-goldmine Content Categories: Based on the analysis, this content was categorized under "Generic Hacking > Web Application Hacking > WebSockets & Socket.IO (Fuzzing, Races, DoS) with Turbo Intruder". Repository Maintenance:
Review Notes:
Bot Version: HackTricks News Bot v1.0 |
…250827_141120 HTB TheFrizz
…to_remote_contr_20250909_125805
…n__From_NFC_heists_to_remote_contr_20250909_125805 The Rise of RatOn From NFC heists to remote control and ATS
…armful_Content__20250916_011545
…e_Assistant_LLMs__Harmful_Content__20250916_011545 The Risks of Code Assistant LLMs Harmful Content, Misuse and...
…anner_20250916_123725
…I_ML_pickle_file_scanner_20250916_123725 Fickling’s new AI/ML pickle file scanner
…_Leading_to_Fre_20250916_183659
…bility_Exploitation_Leading_to_Fre_20250916_183659 NFC Card Vulnerability Exploitation Leading to Free Top-Up i...
…_Builder_to_Cod_20250916_184356
…urtain__From_RAT_to_Builder_to_Cod_20250916_184356 Under the Pure Curtain From RAT to Builder to Coder
…g_the_WebSocket_20250917_182701
|
merge |
github-actions
bot
force-pushed
the
master
branch
from
bbe2c10 to
c9a918e
Compare
carlospolop
deleted the
update_WebSocket_Turbo_Intruder__Unearthing_the_WebSocket_20250917_182701
branch
github-actions bot
pushed a commit
that referenced
this pull request
Sep 29, 2025
…Intruder__Unearthing_the_WebSocket_20250917_182701 WebSocket Turbo Intruder Unearthing the WebSocket Goldmine
carlospolop
added a commit
that referenced
this pull request
Sep 29, 2025
…Intruder__Unearthing_the_WebSocket_20250917_182701 WebSocket Turbo Intruder Unearthing the WebSocket Goldmine
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
🤖 Automated Content Update
This PR was automatically generated by the HackTricks News Bot based on a technical blog post.
📝 Source Information
🎯 Content Summary
What the post delivers
A hands-on guide to WebSocket Turbo Intruder (a Burp Suite extension) that brings Turbo Intruder–style Python scripting and high‑rate fuzzing to WebSockets, plus concrete exploitation workflows (Socket.IO handling, server-side prototype pollution detection, race‑condition testing), a denial‑of‑service PoC, an HTTP middleware to auto‑scan WS apps, a CLI, and a WS logger.
Install and scope
• Install from the <a href="https://portswigger.net/bap...
🔧 Technical Details
Bridge WS behind HTTP to auto-scan: Wrap a persistent WS connection with a local HTTP endpoint and forward request bodies as WS messages. Use regex decorators (e.g.,
@MatchRegex) to filter noise so generic HTTP scanners can reliably probe server-side sinks (SQLi, auth bypass, command injection).Socket.IO handshake + heartbeat scripting: Detect
EIO=4, send the opening"40"packet, then emit events (e.g.,42["message","hello"]) while automating heartbeats via@PingPong("2","3")/@Pong("3"). This keeps sessions stable for high‑rate fuzzing.Prototype-pollution detection via WS payloads: Send
{"__proto__":{"initialPacket":"Polluted"}}through Socket.IO. If the greeting or behavior changes, you’ve polluted server-side prototypes (often Express internals). Generalize by probing for server behaviors that read prototype-inherited properties.Concurrent WS race...
🤖 Agent Actions
I analyzed the PortSwigger research post and explored the HackTricks repository to find the best places to integrate the techniques. The existing “WebSocket Attacks” page was the right place to add Turbo Intruder for WebSockets, Socket.IO protocol handling, server-side prototype pollution detection via WS payloads, the WS “Ping of Death” DoS PoC, CLI usage, and the HTTP middleware/adapter technique. I also expanded the “Race Condition” page to cover WebSocket races using Turbo Intruder’s THREADED engine.
What I changed:
Updated src/pentesting-web/websocket-attacks.md:
Updated src/pentesting-web/race-condition.md:
No new files were created; all changes were made to the most relevant existing pages.
Notes:
This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.
🗑️ File Cleanup