WSSiP: A WebSocket Manipulation Proxy
Written by: Samantha Chalker
WSSiP is a tool for viewing, interacting with, and manipulating WebSocket messages between a browser and web server.
All modern browsers have full support for WebSockets. As WebSocket use is expected to become more common in the near future, better tools for testing are needed. A tool that can help debug and fuzz without relying on complicated and time-consuming methods would be especially useful. For example, Burp Suite only displays the history of all WebSocket messages in one tab and can intercept messages, but you cannot send your own. Other intercepting proxies are either a bit complicated to use, are just starting to implement this feature, or do not implement WebSocket debugging at all. Some of NCC Group’s consultants have had to manually fiddle with browser developer tools in order to send messages and test, which made testing clients’ software more time-consuming.
WSSiP aims to solve that problem. This tool complements other intercepting proxies by providing a user interface to capture, intercept, and send messages and view all communications between client and server. It includes support for an upstream proxy, allowing it to be part of a multi-proxy chain between browser and web server, concentrating on WebSockets while leaving more typical HTTP interception to other tools such as Burp Suite or Pappy Proxy.
WSSiP is programmed in and runs on Node.js 7.0+. It uses Electron for the application interface, and React & Material UI for the user interface inside the application.
WSSiP can be launched in one of three ways. The first is to download and run a pre-compiled binary for Windows, Mac OS X or Linux. Those can be found on the GitHub Release page.
The second is to install via npm:
npm install -g wssip
Installing WSSiP via npm allows the wssip command to be run from the command line to open the application.
The third is to download the source from GitHub and follow the instructions in the README.
For an example of how WSSiP works, we’re going to use the example chat from Socket.io. First, we launch WSSiP:
Looking back at WSSiP, which is being connected to by Autochrome, a new connection is added under our Active Connections tab:
Clicking on the connection will open up the History, Custom, and Intercept tabs for the WebSocket connection. Here you can select an individual message to view the contents of what was sent, in what direction, etc.:
Now, let’s open up a vanilla Chrome instance and open up the Socket.io chat example hosted on localhost:3000, the same one that Person1 is using, and enter in “Person2” as a name.
Back to our Autochrome instance; some test data:
Because we want to interact with the test chat from our client, we’ll mimic the “send message to room” data that Socket.io was sending to the server:
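To make the mimicked data easier to read and rebuild, here is an added example (not code from WSSiP or from the original post) that decodes and encodes Socket.IO text frames as they appear in a WebSocket message history. It assumes standard Engine.IO/Socket.IO text framing; the event names "add user" and "new message" are assumptions about the chat example, and the sample frames are constructed.

```javascript
// Added example: Socket.IO text frames are <engine.io type><socket.io packet>.
const ENGINE_TYPES = ['open', 'close', 'ping', 'pong', 'message', 'upgrade', 'noop'];
// Type 4 is ERROR in older protocol revisions and CONNECT_ERROR in newer ones.
const SOCKET_TYPES = ['CONNECT', 'DISCONNECT', 'EVENT', 'ACK', 'CONNECT_ERROR'];

function decodeFrame(frame) {
  if (typeof frame !== 'string' || !/^[0-6]/.test(frame)) {
    throw new Error('not an Engine.IO text frame');
  }
  const out = { engine: ENGINE_TYPES[Number(frame[0])] };
  if (out.engine !== 'message') {
    out.data = frame.slice(1); // e.g. handshake JSON on "open"
    return out;
  }
  // Socket.IO packet: <type>[<namespace>,][<ack id>][<JSON payload>]
  const m = /^([0-4])(?:(\/[^,]*),)?(\d+)?([\s\S]*)$/.exec(frame.slice(1));
  if (!m) throw new Error('unsupported Socket.IO packet (binary or malformed)');
  out.type = SOCKET_TYPES[Number(m[1])];
  out.namespace = m[2] || '/';
  if (m[3] !== undefined) out.ackId = Number(m[3]);
  if (m[4] === '') return out;
  const payload = JSON.parse(m[4]); // throws on malformed JSON
  if (out.type !== 'EVENT') {
    out.data = payload;
  } else if (Array.isArray(payload) && typeof payload[0] === 'string') {
    out.event = payload[0];
    out.args = payload.slice(1);
  } else {
    throw new Error('EVENT payload must be [name, ...args]');
  }
  return out;
}

// Build the text frame for an event, ready to paste into a custom-message field.
function encodeEvent(event, args = [], namespace = '/') {
  const ns = namespace === '/' ? '' : namespace + ',';
  return '42' + ns + JSON.stringify([event, ...args]);
}

// Constructed sample history; event names are assumptions about the chat example.
const SAMPLE_HISTORY = ['0{"sid":"CONSTRUCTED","upgrades":[]}', '40',
  '42["add user","Person2"]', encodeEvent('new message', ['HELLO FROM WSSIP']), '2'];

function summarize(frames) {
  return frames.map((f) => {
    const d = decodeFrame(f);
    return d.event ? `${d.type} ${d.event} ${JSON.stringify(d.args)}` : d.type || d.engine;
  });
}
console.log(summarize(SAMPLE_HISTORY));
```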
While the “HELLO FROM WSSIP” message doesn’t quite appear in our Autochrome instance, the vanilla Chrome user will immediately see:
Finally, what happens when we close our Autochrome connection and, with it, the WebSocket connection? The WebSocket connection is simply moved to the “Inactive Connections” tab, where we can still review the message history:
WSSiP represents a great asset to debugging and fuzzing WebSocket connections. As this tool is used in more assessments, there may be unexpected bugs that arise from using WSSiP, and I encourage you to file a bug report in the Issues section of the WSSiP GitHub repository. Additionally, features such as saving to and loading from a file for existing connections and their message history are still a work in progress and will come in a future version.
For more information on the WebSocket RFC specification, see RFC 6455.
Originally published at www.nccgroup.trust.