Skip to content

Instantly share code, notes, and snippets.

@Lavakumar
Lavakumar / cswsh.py
Created Nov 27, 2014
Python Script to check if target is vulnerable to Cross-SIte WebSocket Hijacking using Private IP Addresses as Origin
View cswsh.py
#import the required binaries and namespaces
import clr
clr.AddReference("WebsocketClient.exe")
from WebsocketClient import *
#Make WebSocket connection to target using the supplied Origin and check if it sends messages like it does for valid sessions
def check_conn(origin):
print "Testing origin - " + origin
ws = SyncWebsockClient()
ws.Connect("ws://tatgetapp.com/ws", origin, "SessionID=KSDI2923EWE9DJSDS01212")
@Lavakumar
Lavakumar / WebSocketCommandEnumerator.py
Last active Mar 7, 2016
Python Script for Enumerating Commands used in WebSocket Demo App
View WebSocketCommandEnumerator.py
#import the required binaries and namespaces
import clr
clr.AddReference("WebsocketClient.exe")
from WebsocketClient import *
#the templates for WebSocket messages used in WebSocket Demo App
create_session_msg = '{"cmd":"startSession"}'
get_prod_msg = '{"cmd":"getProduct", "sessionId":"", "id":0}'
get_error_msg = '{"cmd":"getError", "sessionId":""}'
check_cmd_msg = '{"cmd":"someCommand", "sessionId":""}'
@Lavakumar
Lavakumar / WebSocketFuzzer.py
Last active Mar 7, 2016
Python Script for Fuzzing the IronWASP WebSocket Demo Application
View WebSocketFuzzer.py
#import the required binaries and namespaces
import clr
clr.AddReference("WebsocketClient.exe")
from WebsocketClient import *
#the websocket message templates used by WebSocket DemoApp
create_session_msg = '{"cmd":"startSession"}'
get_prod_msg = '{"cmd":"getProduct", "sessionId":"", "id":0}'
get_error_msg = '{"cmd":"getError", "sessionId":""}'
@Lavakumar
Lavakumar / WAP_Challenge_1_Solution_in_Ruby.rb
Last active Dec 26, 2015
Ruby script written using IronWASP APIs to solve Pentester Academy's WAP Challenge -1. Link to challenge - http://www.pentesteracademy.com/video?id=153
View WAP_Challenge_1_Solution_in_Ruby.rb
#Script to help solve http://www.pentesteracademy.com/video?id=153
#This script can be run from the multi-line scripting shell of IronWASP v0.9.7.2 and above
#Make sure the scripting shell language is selected as Ruby before executing
#The log id value here is one 1. The id value must point to the log containing the login request
r = Request.from_proxy_log(1)
r.query.set("email", "jack@pentesteracademy.com")
bf = BruteForcer.new("xyz", 5,5)
while bf.has_more
@Lavakumar
Lavakumar / WAP_Challenge_1_Solution_in_Python.py
Last active May 24, 2016
Python script written using IronWASP APIs to solve Pentester Academy's WAP Challenge -1. Link to challenge - http://www.pentesteracademy.com/video?id=153
View WAP_Challenge_1_Solution_in_Python.py
#Script to help solve http://www.pentesteracademy.com/video?id=153
#This script can be run from the multi-line scripting shell of IronWASP v0.9.7.2 and above
#Make sure the scripting shell language is selected as Python before executing
#The log id value here is one 1. The id value must point to the log containing the login request
r = Request.FromProxyLog(1)
r.Query.Set("email", "jack@pentesteracademy.com")
bf = BruteForcer("xyz", 5,5)
while bf.HasMore():