Enterprise-Grade WebSocket Security Assessment Framework
WS Tester Pro is an enterprise-grade WebSocket penetration testing framework with rule-based validation, multi-stage verification, and adaptive payload generation. It runs 38+ automated security tests across 22 attack modules, validated against benchmark labs (DVWA, WebGoat, Juice Shop), and generates OWASP-format reports β all from your browser or the command line.
The False-Negative Reduction System is a comprehensive enhancement that transforms WS Tester Pro into an enterprise-grade security testing platform competitive with Burp Suite and OWASP ZAP.
| Feature | Description |
|---|---|
| π― Rule-Based Validation | Pattern-matching validation with confidence scoring across 8 attack types; sklearn ML training pipeline available for custom model training |
| π Multi-Stage Verification | 4-stage verification process (payload, response pattern, behavioral, timing) |
| 𧬠Adaptive Payloads | Automatically generates alternative payloads to bypass WAFs and defenses |
| π Benchmark Framework | Validated against DVWA, WebGoat, and Juice Shop with comprehensive test coverage |
| π Enterprise Security | RBAC with 3 roles, HMAC-SHA256 audit logging, AES-256 encryption |
| π Plugin System | Dynamic loading of custom attack modules with hot-reload support |
| β‘ Performance Optimized | Async I/O, connection pooling, caching, and backpressure handling |
| π Advanced Monitoring | Distributed tracing, structured logging, Prometheus metrics |
User Request β Scanner β Detection Engine β Rule Engine / ML Validator
β Multi-Stage Verifier
β Adaptive Payload Generator
β False Positive Validator
β Confidence Scorer
β Audit Logger
- π Architecture Documentation - System architecture and component design
- π API Documentation - REST API and WebSocket event reference
- π CI/CD Pipeline - Quality gates and deployment automation
- π Security Scanning - Security tools and best practices
- π§© Plugin Development Guide - Create custom attack modules
- π Deployment Guide - Production deployment procedures
- βοΈ Configuration Guide - Complete configuration reference
- π³ Docker Guide - Container deployment and optimization
Docker is optional. If you don't have Docker installed (e.g. you see:
docker : The term 'docker' is not recognized), you can still run everything with Python using the Installation / Quick Start steps below. Docker/Compose is only for easy hosting (running Dashboard + OOB server together).
| Feature | Description |
|---|---|
| π Auto Scanner | Discovers WS endpoints & runs 30+ vulnerability tests across 14 modules |
| π Authenticated Scan | Reuse login (token/cookie/headers) to scan protected WebSockets |
| π Response Diff Tool | Compare authenticated vs unauthenticated WebSocket responses to detect authorization bypass & data leaks |
| π Auto-Diff | One-click automated dual-connection diffing β connects with & without auth, flags sensitive field leaks |
| π― Bug Bounty Mode | One-click copy of HackerOne/Bugcrowd-ready markdown reports |
| π Multi-Format Reports | PDF, HTML, JSON, and SARIF (CI/CD) export |
| π€ AI Analysis | Anthropic Claude integration for attack chain analysis & prioritized remediation |
| π΅οΈ Live Interceptor / MITM Proxy | Real WebSocket man-in-the-middle proxy to capture, filter, hold, modify & replay live traffic |
| β‘ Turbo Intruder | High-speed message sender for race conditions, burst tests, and OTP brute-forcing |
| π€ AI-Powered Fuzzer | Dynamic, context-aware payload generation via Claude API for zero-day hunting |
| π Schema Builder | Auto-infer robust API data models from live WS traffic & export to Markdown/HTML |
| π Multi-Target Scan | Bulk scan sequentially (CLI) or concurrently via Dashboard modal |
| 𧨠WebSocket Fuzzer | Auto-detect crashes, DoS, and error leaks with malformed payloads |
| π¨ 120Hz Smooth UI | GPU-accelerated animations with cubic-bezier easing & hardware compositing | | π Advanced Dropdowns | Custom dropdown elements with built-in sticky search filters for massive datasets | | π WeasyPrint PDF Reports | High-fidelity, pixel-perfect OWASP format reports with 5-10x faster generation than Playwright |
| β Validation & Confidence Scoring | Intelligent false positive reduction with response validation, confidence scoring, and sensitive pattern detection |
|---|---|
| π Custom Payloads System | 9 built-in payload libraries (SQLi, XSS, SSTI, SSRF, CMDi, NoSQL, XXE, Path Traversal, Fuzzing) with drag-and-drop upload, deduplication, sorting & merge mode |
| ποΈ Auto-Drop Rules | Filter noise (heartbeats, telemetry) out of the live traffic feed silently using regex patterns |
| π Match & Replace | On-the-fly regex payload rewriting in either direction (C2S/S2C/Both) without pausing traffic |
| π Repeater Modal | Edit & Replay captured packets to either client or server using a dedicated editing interface |
| π§ Scan Profiles | Save, load, and delete scan configurations with custom in-app confirmation modals |
| β‘ Fast/Deep Modes | Quick scans or comprehensive audits |
| π₯οΈ CLI + Dashboard | Launch the dashboard directly with python main.py |
| π Concurrent Scanning | Parallel endpoint testing (3/5/10 threads) |
| βΈ Pause & Resume | Pause scans and resume without losing progress |
| π Session History | Save, load, and compare scan sessions |
| π‘οΈ WAF Bypass Engine | 10+ encoding techniques (Unicode, Double-URL, Full-width) to evade Cloudflare, AWS, and Akamai |
| π°οΈ Dual-Mode OOB Proof | Automated Interactsh (oast.fun) or custom server for blind vulnerability (SSRF/XXE/CMDi) confirmation |
| π Dark/Light Theme | Toggle between themes with Ctrl+Shift+T |
| β¨οΈ Keyboard Shortcuts | Fast workflow with keyboard shortcuts |
| π Notifications | Browser notifications + sound on scan complete |
| π± Responsive UI | Works on desktop, tablet, and mobile screens |
| π¨ 120Hz Smooth UI | GPU-accelerated animations with cubic-bezier easing & hardware compositing |
452 vulnerabilities discovered with severity breakdown: 128 Critical, 205 High, 98 Medium, 21 Low.
Copy HackerOne/Bugcrowd-ready markdown reports with one click β each finding includes CVSS scores, reproduction steps, and remediation.
Real-time scan activity with color-coded severity levels, timestamps, and module-by-module progress tracking.
WebSocket man-in-the-middle proxy with traffic capture, search, filter, hold/forward/drop, and replay capabilities.
Auto-Diff detecting CRITICAL authorization bypass: 11 sensitive fields leaked including API keys, admin panel paths, database URIs, and internal IPs.
Authenticated vs unauthenticated response comparison β no bypass detected when the server correctly enforces authorization.
Premium animated UI with glowing segmented buttons β testing maximum throughput via Burst Test mode.
Context-aware inputs like OTP digit configuration and templating for brute-force attacks.
Live execution results showcasing animated gradient stat cards, duplicate detection, and scrolling response timeline.
Claude-powered context-aware exploit generator with selectable attack categories (SQLi, NoSQLi, XSS, IDOR, CMDi). Reads live traffic schemas and smartly generates zero-day hunting payloads.
Advanced payload management with 9 built-in libraries, one-click deduplication & sorting, merge mode toggle, drag-and-drop file upload, and live payload count.
WS Tester Pro includes an intelligent false positive reduction system that validates findings and assigns confidence scores to help you focus on real vulnerabilities.
| Feature | Description |
|---|---|
| π― Response Validation | Validates server responses against expected vulnerability indicators |
| π Confidence Scoring | Assigns confidence scores (0-100) based on multiple validation signals |
| π Sensitive Pattern Detection | Detects leaked credentials, tokens, PII, and internal paths in responses |
| β‘ Baseline Caching | Caches baseline responses for efficient diff-based validation |
| π¨ Normalization Engine | Normalizes responses to reduce noise from dynamic content |
| π Configurable Rules | Customize validation rules via config/validation.json |
- Baseline Capture: First request establishes a baseline response
- Attack Execution: Malicious payloads are sent to the target
- Response Validation: Responses are validated against vulnerability-specific patterns
- Confidence Calculation: Multiple signals combined into a confidence score:
- Response validation results (40% weight)
- Sensitive pattern detection (30% weight)
- Diff analysis vs baseline (20% weight)
- Attack-specific indicators (10% weight)
- False Positive Filtering: Low-confidence findings can be filtered out
| Score Range | Interpretation | Action |
|---|---|---|
| 90-100 | Very High Confidence | Immediate investigation required |
| 70-89 | High Confidence | Likely real vulnerability |
| 50-69 | Medium Confidence | Manual verification recommended |
| 30-49 | Low Confidence | Possible false positive |
| 0-29 | Very Low Confidence | Likely false positive |
Customize validation behavior in config/validation.json:
{
"enabled": true,
"confidence_threshold": 50,
"baseline_cache_ttl": 3600,
"normalization": {
"remove_timestamps": true,
"remove_session_ids": true,
"remove_dynamic_values": true
},
"sensitive_patterns": {
"credentials": ["password", "secret", "api_key"],
"tokens": ["jwt", "bearer", "session"],
"pii": ["ssn", "credit_card", "email"]
}
}See config/validation_config_README.md for complete configuration documentation.
Use the included Vulnerable Lab Server to test validation features:
# Terminal 1: Start the vulnerable lab server
python mock_server.py
# Terminal 2: Run WS Tester Pro
python main.py --target ws://localhost:8765The mock server implements 20+ vulnerability types with realistic responses for testing validation accuracy. See MOCK_SERVER_README.md for complete lab documentation.
| Test | Module | Description |
|---|---|---|
| JWT None Algorithm | auth.py |
Bypass JWT verification using alg: none |
| JWT Algorithm Confusion | auth.py |
Switch RS256 β HS256 with public key as secret |
| JWT Token Manipulation | auth.py |
Modify claims (role, user ID, admin flags) |
| JWT Secret Cracker | auth.py |
High-speed dictionary attack to crack weak HMAC secrets |
| CSWSH (Cross-Site WS Hijacking) | auth.py |
Test Origin header validation |
| Auth Bypass | auth.py |
Attempt accessing authenticated endpoints without credentials |
| Test | Module | Description |
|---|---|---|
| SQL Injection | injection.py |
Union, blind, time-based, error-based SQLi |
| XSS (Cross-Site Scripting) | injection.py |
Reflected, stored, DOM-based XSS via WS messages |
| Command Injection | injection.py |
OS command injection through WS payloads |
| NoSQL Injection | injection.py |
MongoDB/CouchDB operator injection |
| Prototype Pollution | injection.py |
JavaScript prototype chain manipulation |
| Test | Module | Description |
|---|---|---|
| SSRF | ssrf.py |
Server-side request forgery with 8 target categories (AWS, GCP, Azure, K8s, localhost, file://, protocols, encoded) |
| SSTI | ssti.py |
Server-side template injection (Jinja2, Twig, Freemarker, Spring) |
| XXE (via payloads) | Custom Payloads | XML external entity injection payloads |
| Test | Module | Description |
|---|---|---|
| WebSocket Smuggling | smuggling.py |
HTTP/WS upgrade smuggling & protocol confusion |
| Protocol Downgrade | smuggling.py |
Detect if wss:// allows unencrypted ws:// connections |
| GraphQL-over-WS | graphql_ws.py |
Introspection, batch queries, subscription abuse via WS |
| Subprotocol Attacks | subprotocol.py |
Protocol negotiation manipulation & downgrade |
| Encryption Check | network.py |
Detect unencrypted ws:// connections |
| Information Disclosure | network.py |
Detect leaked server internals, stack traces, debug info |
| IDOR | network.py |
Insecure direct object reference via sequential IDs |
| Test | Module | Description |
|---|---|---|
| Timing Side Channels | timing.py |
User enumeration & data extraction via response timing |
| Race Conditions (Turbo) | turbo_intruder.py |
Concurrent request exploitation (double-spend, TOCTOU) |
| Burst Tests | turbo_intruder.py |
High-speed concurrent message delivery |
| OTP Brute-Force | turbo_intruder.py |
High-speed 4-6 digit token cracking |
| Test | Module | Description |
|---|---|---|
| AI-Powered Fuzzer | ai_fuzzer.py |
Claude-generated context-aware zero-day hunting |
| Payload Fuzzing | fuzzer.py |
Oversized payloads, malformed JSON, null bytes, type confusion |
| Mass Assignment | mass_assignment.py |
Unauthorized field modification (role escalation, price tampering) |
| Business Logic | business_logic.py |
Workflow abuse, negative quantities, state manipulation |
ws_pro/
βββ .github/
β βββ workflows/
β βββ ws-security.yml # CI/CD pipeline
βββ attacks/ # 14 Attack Modules
β βββ __init__.py # Module registry
β βββ ai_fuzzer.py # AI-Powered Dynamic Fuzzer (Claude)
β βββ auth.py # JWT attacks, CSWSH, auth bypass
β βββ business_logic.py # Business logic & workflow abuse
β βββ fuzzer.py # WebSocket fuzzer (DoS, boundary, types)
β βββ graphql_ws.py # GraphQL-over-WebSocket attacks
β βββ injection.py # SQLi, XSS, CMDi, NoSQL, Prototype Pollution
β βββ mass_assignment.py # Mass-assignment exploitation
β βββ network.py # Encryption, info disclosure, GraphQL, IDOR
β βββ race_condition.py # Concurrency / race-condition tests
β βββ smuggling.py # WebSocket smuggling & upgrade attacks
β βββ ssrf.py # SSRF with 8 target categories
β βββ ssti.py # Server-side template injection
β βββ subprotocol.py # Subprotocol negotiation attacks
β βββ timing.py # Timing side channels & enumeration
β βββ turbo_intruder.py # Turbo Intruder (Burst/Race/OTP)
β βββ waf_bypass.py # WAF Bypass Engine (10 evasion tech)
βββ core/
β βββ auth_profile.py # Authentication profile management
β βββ cve_db.json # CVE database for known vulnerabilities
β βββ cve_matcher.py # CVE fingerprint matching engine
β βββ findings.py # Thread-safe findings store, CVSS scoring
β βββ oob_profile.py # OOB (Out-of-Band) proof profile
β βββ scanner.py # Endpoint discovery, fingerprinting, helpers
β βββ schema_builder.py # Live WS traffic Schema Builder
β βββ validation.py # Response validation & confidence scoring engine
β βββ ws_proxy.py # Real WebSocket MITM proxy (bridge + hold + replay)
βββ config/
β βββ validation.json # Validation rules & thresholds
β βββ validation_config_README.md # Validation configuration guide
βββ dashboard/
β βββ app.py # Flask + Socket.IO server
β βββ templates/
β β βββ index.html # Dashboard UI (GPU-smooth animations)
β βββ static/
β βββ css/app.css # Styling (dark/light themes, 120Hz smooth)
β βββ js/
β βββ proxy.js # Live Interceptor, rewriting rules, and Proxy UI
β βββ scanner.js # Core scanning logic, Vulnerability UI, and Attacks
βββ docs/
β βββ screenshots/ # Documentation screenshots
βββ logs/ # Runtime logs (auto-created)
βββ profiles/
β βββ bug_bounty.json # Bug bounty scan profile
β βββ ci_cd.json # CI/CD pipeline scan profile
β βββ deep_audit.json # Deep audit scan profile
β βββ jwt_focus.json # JWT-focused scan profile
βββ reports/
β βββ generator.py # HTML report generator
β βββ pdf_generator.py # OWASP-format PDF report generator
β βββ sarif_generator.py # SARIF v2.1.0 for CI/CD integration
βββ tests/
β βββ test_attacks.py # Attack module unit tests
β βββ test_core.py # Core module unit tests
β βββ test_integration.py # Integration tests
βββ utils/
β βββ diff_engine.py # Response diff engine for bypass detection & validation
β βββ evidence.py # Evidence data collector
β βββ logger.py # File + console logging
β βββ payload_store.py # Custom payload storage & management
βββ main.py # CLI entry point (argparse)
βββ mock_server.py # Vulnerable Lab Server (20+ scenarios)
βββ oob_server.py # OOB callback server for blind SSRF/XXE
βββ MOCK_SERVER_README.md # Vulnerable Lab Server documentation
βββ Dockerfile # Docker image build
βββ docker-compose.yml # Multi-service orchestration
βββ requirements.txt # Python dependencies
βββ CONTRIBUTING.md # Contribution guide
βββ LICENSE # AGPL v3
βββ README.md # This file
- Python 3.9+ β Download Python
- pip β Comes bundled with Python
- A modern browser (Chrome, Firefox, Edge)
# 1. Clone the project
git clone https://github.com/palnirupam/ws_pro.git
cd ws_pro
# 2. Create virtual environment
python -m venv venv
venv\Scripts\activate
# 3. Install WeasyPrint dependencies for PDF generation (REQUIRED for PDF export)
# Download and install GTK3 Runtime:
# https://github.com/tschoonj/GTK-for-Windows-Runtime-Environment-Installer/releases/latest
#
# Steps:
# - Click on "gtk3-runtime-x.x.x-x-x-x-ts-win64.exe" to download
# - Run the installer (requires admin rights)
# - Use default installation path: C:\Program Files\GTK3-Runtime Win64
# - Restart your terminal after installation
#
# β οΈ Without GTK+: HTML/JSON reports work, but PDF export will fail
# 4. Install Python dependencies
pip install -r requirements.txt
# 5. (Optional) Configure environment
copy .env.example .env
# 6. Start the dashboard
python main.pyOpen your browser β http://localhost:5000
Important: WeasyPrint (our PDF rendering engine) requires GTK+ libraries on Windows for PDF generation. If you skip GTK+ installation, you can still use HTML, JSON, and SARIF export formats. WeasyPrint provides 5-10x faster PDF generation compared to the previous Playwright-based implementation.
# 1. Clone the project
git clone https://github.com/palnirupam/ws_pro.git
cd ws_pro
# 2. Create virtual environment
python3 -m venv venv
source venv/bin/activate
# 3. Install WeasyPrint dependencies for PDF generation (one-time setup)
brew install pango cairo gdk-pixbuf libffi
# 4. Install dependencies
pip install -r requirements.txt
# 5. (Optional) Configure environment
cp .env.example .env
# 6. Start the dashboard
python3 main.pyOpen your browser β http://localhost:5000
# 1. Install Python if needed
sudo apt update && sudo apt install python3 python3-pip python3-venv -y
# 2. Install WeasyPrint dependencies for PDF generation (one-time setup)
sudo apt-get install libpango-1.0-0 libpangocairo-1.0-0 libgdk-pixbuf2.0-0 libffi-dev -y
# 3. Clone the project
git clone https://github.com/palnirupam/ws_pro.git
cd ws_pro
# 4. Create virtual environment
python3 -m venv venv
source venv/bin/activate
# 5. Install dependencies
pip install -r requirements.txt
# 6. (Optional) Configure environment
cp .env.example .env
# 7. Start the dashboard
python3 main.pyOpen your browser β http://localhost:5000
WS Tester Pro uses WeasyPrint for PDF report generation, delivering professional OWASP-format reports with exceptional performance:
| Report Size | Generation Time | Previous (Playwright) | Improvement |
|---|---|---|---|
| 1 finding | < 500ms | ~5 seconds | 10x faster |
| 10 findings | < 800ms | ~6 seconds | 7.5x faster |
| 50 findings | < 1 second | ~8 seconds | 8x faster |
| 100 findings | < 2 seconds | ~10 seconds | 5x faster |
- No Browser Overhead: Direct HTML-to-PDF rendering without launching Chromium
- Identical Visual Output: Maintains the same professional OWASP format and styling
- Lower Resource Usage: Reduced memory and CPU consumption
- Faster CI/CD Pipelines: Significantly faster report generation in automated workflows
Upgrading from Playwright-based PDF generation?
- β No code changes required β PDF export button works exactly as before
- β Visual output is identical β Same professional OWASP format reports
- β Playwright no longer needed β You can remove
playwrightfrom your environment- β 5-10x performance improvement β Reports generate in under 2 seconds
β οΈ WeasyPrint dependencies required β See platform-specific installation instructions above
# Start all services with Docker Compose
docker-compose up -d
# View logs
docker-compose logs -f
# Access dashboard at http://localhost:5000Using Makefile (easier):
make up # Start production services
make logs # View logs
make health # Check service health
make down # Stop servicesSee Docker Documentation for complete guide.
# Deploy to Kubernetes cluster
cd k8s
./deploy.sh production # Linux/macOS
.\deploy.ps1 production # Windows
# Or manually
kubectl apply -f namespace.yaml
kubectl apply -f secret.yaml
kubectl apply -f configmap.yaml
kubectl apply -f rbac.yaml
kubectl apply -f pvc.yaml
kubectl apply -f service.yaml
kubectl apply -f deployment.yaml
kubectl apply -f ingress.yaml
kubectl apply -f hpa.yaml
# Check deployment status
kubectl get pods -n ws-tester-pro
kubectl get svc -n ws-tester-pro
kubectl get ingress -n ws-tester-proSee Kubernetes Deployment Guide for complete guide.
# Windows
python main.py
# macOS / Linux
python3 main.pyYou'll see:
ββββββββββββββββββββββββββββββββββββββββ
β WS Tester Pro β Dashboard β
β http://localhost:5000 β
ββββββββββββββββββββββββββββββββββββββββ
# Basic scan
python main.py --target https://example.com
# Fast scan with JSON output
python main.py --target wss://example.com/ws --fast --output report.json
# SARIF output for CI/CD
python main.py --target https://example.com --output report.sarif --format sarif
# Authenticated scans
python main.py --target https://app.com --username admin --password pass123
python main.py --target https://app.com --token eyJhbGci...
python main.py --target https://app.com --cookie "session=abc123; csrf=xyz"
# Start dashboard from CLI (Default behavior)
python main.pyMost real WebSockets are behind login. Use the π Authentication card in the sidebar:
| Method | Description |
|---|---|
| Username + Password | Auto-login and extract JWT token/cookies |
| Bearer Token | Attach Authorization: Bearer ... to every WS connect |
| Session Cookie | Attach Cookie: ... to every WS connect |
| Custom Headers | Attach arbitrary headers (one per line: Name: Value) |
Use π§ͺ Test Auth to validate credentials before scanning (10s timeout).
The π Custom Payloads panel provides an advanced payload management system:
| Library | Payloads | Description |
|---|---|---|
| π SQLi | 25 | Union, blind, time-based, error-based, stacked queries |
| π₯ XSS | 20 | Reflected, stored, DOM, polyglot, filter bypass |
| π SSTI | 18 | Jinja2, Twig, Freemarker, Spring, EL injection |
| π SSRF | 15 | AWS/GCP/Azure metadata, localhost, gopher, file:// |
| π» Command Injection | 15 | Bash, PowerShell, backtick, $() substitution |
| π NoSQL Injection | 12 | MongoDB $gt, $ne, $regex, $where operators |
| π XXE | 10 | External entity, billion laughs, OOB exfiltration |
| π Path Traversal | 12 | ../, encoded, null byte, double-URL-encoded |
| 𧨠Fuzzing | 20 | Null bytes, prototype pollution, boundary values, NaN |
- π€ Upload File β Load
.txt,.csv,.lst,.jsonpayload files (multi-file support) - π±οΈ Drag & Drop β Drop files directly onto the textarea with animated glow effect
- π Deduplicate β Automatically sanitize custom wordlists by removing identical entries to optimize scan times and prevent redundant requests.
- π€ Sort β Alphabetically organize large custom payload files for improved readability and easier manual review.
- β Merge Mode β Combine your custom payloads with built-in checks for maximum coverage (ON), or run them exclusively for stealthy, targeted testing (OFF).
- π’ Count Badge β Live payload count shown on section header
- π Scan Integration β Custom payloads + template sent to backend during scans
| Shortcut | Action |
|---|---|
Ctrl+Enter |
Start scan |
Escape |
Stop scan |
Ctrl+Shift+T |
Toggle dark/light theme |
Ctrl+Shift+S |
Save current session |
Ctrl+Shift+E |
Export findings as JSON |
Alt+1 to Alt+7 |
Switch between tabs |
| Tab | Description |
|---|---|
| π Findings | Real-time vulnerability feed with severity filtering & sorting |
| π― Bug Bounty | One-click HackerOne/Bugcrowd-ready markdown reports |
| π‘ Live Log | Color-coded real-time scan activity log |
| π΅οΈ Interceptor | WebSocket MITM proxy with capture/hold/forward/drop/replay |
| π Diff Tool | Manual & Auto-Diff for authorization bypass detection |
| π€ AI Analysis | Claude-powered attack chain analysis & AI Dynamic Fuzzer |
| β‘ Intruder | High-speed message sender for race conditions, burst tests, and OTP brute-force |
| π Schema | Auto-capture live WebSocket traffic, infer data models, and export API schemas |
| π History | Save, load, compare, and delete scan sessions |
- Run a comprehensive scan on your target WebSocket endpoint
- Switch to the π― Bug Bounty tab
- Review discovered vulnerabilities
- Click π Copy next to any finding β generates a professional markdown report:
- Vulnerability Name & Severity
- CVSS Score and Vector
- Target URL & Exact Endpoint
- Detailed Description & Impact
- Step-by-Step Reproduction
- Evidence/Payloads
- Remediation Advice
- Paste directly into HackerOne, Bugcrowd, or YesWeHack
WS Tester Pro includes a real WebSocket MITM proxy:
Client/App β ws://localhost:<PORT> β [WS Tester Pro Proxy] β <TARGET_WS_URL>
- Open the Interceptor tab
- Set Target WS URL (e.g.
wss://example.com/ws) - Set Local Port (default:
8080) - Optionally enable Intercept Mode for manual hold/forward
- Click Start Proxy
- Point your app to
ws://localhost:<PORT>
| Action | Description |
|---|---|
| Capture | All messages logged with time, direction, size, and flags |
| Search/Filter | Narrow traffic by keyword, direction, or session |
| Hold | Intercept Mode pauses messages for inspection |
| Forward | Send held message as-is |
| Modify & Forward | Edit payload before forwarding |
| Drop | Discard message (not forwarded) |
| Edit & Replay | Open captured message in Repeater Modal β edit payload, choose direction (Server/Client), and send |
| Export | Download all captured traffic as JSON |
| Feature | Description |
|---|---|
| ποΈ Auto-Drop Rules | Silently filter noise (heartbeats, telemetry, pings) using regex patterns β dropped messages never reach the target or clutter the feed |
| π Match & Replace | On-the-fly regex rewriting of live payloads in either direction (C2S / S2C / Both) without pausing traffic |
| π Repeater Modal | Burp-style Edit & Replay popup β modify any captured payload and re-send it to the server or client with one click |
| β Breakpoints | Regex-based rules to auto-hold specific messages matching a pattern for manual inspection |
| π Auto-Forward | Regex rules to automatically forward matching messages without manual intervention |
- Open Diff Tool tab
- Paste unauthenticated response into Response A
- Paste authenticated response into Response B
- Click π Compare
- Enter target URL in sidebar
- Click π Auto-Diff (connect with/without auth)
- Tool automatically connects with & without auth, captures responses, and flags bypass
Example bypass detection:
π CRITICAL β Authorization Bypass Detected
Sensitive fields: admin_panel, api_key, balance, email, role, session, token
+ admin_panel: "/admin/dashboard"
+ api_key: "sk-live-4f3a8b2c..."
+ balance: 9999
+ role: "admin"
To enable AI-powered analysis using Anthropic Claude:
- Get an API key from console.anthropic.com
- Option A: Add to
.envfile:ANTHROPIC_API_KEY=sk-ant-api03-... - Option B: In the dashboard sidebar, paste your key in π AI API Key and click πΎ Save Key
- Enable π€ AI analysis checkbox before scanning
AI analysis provides:
- Executive summary of all findings
- Top 3 critical risks with business impact
- Attack chain analysis (how vulnerabilities combine)
- Prioritized remediation roadmap
Keys from
.envpersist across restarts. Dashboard keys are session-only.
| Option | Description |
|---|---|
| π€ AI Analysis | Claude-powered attack chain analysis |
| π Browser Discovery | Headless browser to find hidden WS endpoints |
| π JWT Attacks | 7 types of JWT vulnerabilities |
| β± Timing Attacks | Timing-based side channels & enumeration |
| 𧨠Fuzzer | Malformed/boundary payloads for crash detection |
| ποΈ Race Conditions | Concurrent request exploitation |
| π SSRF | Server-side request forgery with 8 target categories |
| π SSTI | Server-side template injection |
| π¦ Mass Assignment | Unauthorized field modification |
| π§ Business Logic | Workflow abuse & state manipulation |
| π Smuggling | WebSocket upgrade & HTTP smuggling |
| π‘ GraphQL-WS | GraphQL-over-WebSocket attacks |
| β‘ Fast Mode | Skip deep tests for quicker results |
| Test | Description |
|---|---|
| Encryption | Detect unencrypted ws:// connections |
| Injection | SQLi, XSS, CMDi, NoSQL, Prototype Pollution |
| WAF Evasion | Automatically run injection payloads through the WAF Bypass Engine |
| Blind Attacks (OOB) | Detect zero-output vulnerabilities using Out-of-Band DNS/HTTP callbacks |
| CSWSH | Cross-Site WebSocket Hijacking |
| Rate Limiting | Verify rate limit enforcement |
| Message Size | Test oversized payload handling |
| Info Disclosure | Detect leaked server internals |
| GraphQL | Introspection & batch query abuse |
| IDOR | Insecure direct object reference |
| Subprotocol | Protocol negotiation attacks |
| Auth Bypass | Unauthenticated access to protected endpoints |
| Category | Targets |
|---|---|
| βοΈ Cloud | AWS, GCP, Azure metadata endpoints |
| π Localhost | 127.0.0.1, 0.0.0.0, IPv6 loopback |
| π File | file:///etc/passwd, Windows paths |
| π Protocols | gopher://, dict://, ftp:// |
| βοΈ Azure | Azure IMDS & management endpoints |
| π³ K8s/Docker | Kubernetes API, Docker socket |
| π Elastic | Elasticsearch internal API |
| π’ Encoded | URL-encoded, double-encoded, hex/octal |
| Level | Threads | Use Case |
|---|---|---|
| Safe | 3 | Production testing (minimal load) |
| Normal | 5 | Standard penetration testing |
| Aggressive | 10 | Lab/CTF environments |
Copy .env.example to .env and configure:
# Flask secret key (auto-generated if not set)
WS_SECRET_KEY=your-secret-key-here
# Anthropic API key for AI analysis
ANTHROPIC_API_KEY=sk-ant-api03-your-key-here
# CORS allowed origins (comma-separated, default: * for all)
WS_CORS_ORIGINS=http://localhost:5000,http://localhost:3000| Format | Use Case |
|---|---|
| Professional OWASP-format reports for clients | |
| HTML | Standalone viewable report in any browser |
| JSON | Machine-readable, import/export between sessions |
| SARIF | CI/CD integration (GitHub Actions, Azure DevOps) |
WS Tester Pro features a dedicated, state-of-the-art Web Application Firewall (WAF) Evasion Engine that systematically obfuscates malicious payloads to bypass modern edge-protection systems like Cloudflare, AWS WAF, and Akamai.
10 Advanced Encoding Techniques Supported:
- URL Encoding & Double URL Encoding
- Unicode Escaping (
\u003c) - Hex Escaping (
\x3c) - HTML Entity Obfuscation (
<,<) - Keyword Case Mixing (
SeLeCt) - Null-Byte Injection (
<scr%00ipt>) - Full-Width Unicode (
οΌscriptοΌ) - Comment Insertion (
SEL/**/ECT) - Tab & Newline Fragmentation
Select a WAF Profile (Generic, Cloudflare, AWS, Akamai) from the dashboard to optimize the technique priority order for the highest probability of evasion.
Blind vulnerabilities (where the server returns no explicit error message or data) are notoriously difficult to detect via WebSockets. The OOB Proof System automates the detection of Blind SSRF, Blind SQLi, Blind Command Injection, and XML External Entities (XXE).
Powered by the popular Interactsh project (oast.fun).
- Generates unique polling domains automatically for every payload.
- Asynchronously polls for DNS, HTTP, and SMTP interactions.
- Provides immediate, deterministic proof of vulnerability (Zero Configuration required).
For restricted networks or strictly governed red team engagements, use your own privately hosted notification server.
# Start your private server natively
export OOB_API_KEY="super-secret-key"
python3 oob_server.pyAuto-Confirm in Dashboard / CLI: Configure your callback URL and API key to have WS Tester Pro automatically verify callbacks across millions of packets in real-time.
python main.py --target wss://example.com/ws --oob https://proxy.redteam.xyz --oob-key super-secret-key# Start Dashboard + OOB server
docker compose up -d --build
# View logs
docker compose logs -f
# Stop
docker compose down- Dashboard:
http://localhost:5000 - OOB health:
http://localhost:7000/health
Production notes:
- Use HTTPS via reverse proxy (Nginx/Caddy/Traefik)
- Keep
OOB_API_KEYsecret - Set
WS_CORS_ORIGINSto your domain in production - For correct client IPs behind proxy:
OOB_TRUST_PROXY=1
- Discovery: Inspect target app's Network tab β filter "WS" β find
wss://api.target.com/v1/chat - Initial Scan: Paste URL β select Fast Mode β Start Scan
- Load Payloads: Open Custom Payloads β load SQLi + XSS libraries β re-scan for deeper injection testing
- Deep Analysis: Disable Fast Mode β enable JWT, SSRF, SSTI modules β full scan
- Traffic Interception: Switch to Interceptor β configure proxy β capture & modify live traffic
- AI Analysis: Enable AI β get attack chain analysis & prioritized remediation roadmap
- Reporting: Bug Bounty tab β Copy markdown β paste into HackerOne. Download PDF for client report.
# Run unit tests
pytest tests/ -v
# Run validation system tests
pytest tests/test_validation_properties.py -v
pytest tests/test_confidence_scoring.py -v
# Test with Vulnerable Lab Server
python mock_server.py # Terminal 1
python main.py --target ws://localhost:8765 # Terminal 2- Terminal 1:
python mock_server.py(WS:ws://localhost:8765) - Terminal 2:
python main.py(Dashboard:http://localhost:5000) - Open
http://localhost:5000β Target:ws://localhost:8765β Start Scan
The Vulnerable Lab Server implements 20+ vulnerability types with realistic responses for testing the validation system. See MOCK_SERVER_README.md for complete documentation including:
- All vulnerability scenarios
- Test credentials
- Authentication testing
- WAF bypass scenarios
- OOB testing support
- WebSocket:
ws://localhost:8765 - HTTP Login:
http://localhost:8766/api/login
Test users:
| Username | Password | Role |
|---|---|---|
admin |
admin123 |
Admin |
alice |
alice123 |
User |
bob |
bob123 |
User |
test |
test |
Tester |
- Start mock server β Start dashboard β Open Interceptor tab
- Target:
ws://localhost:8765, Port:8080, Intercept: OFF - Click Start Proxy β Click π§ͺ Quick Test
- Target:
ws://localhost:8765β Intruder tab - Burst Test: Payload
{"action":"transfer","amount":100}β Count30β Launch Attack - OTP Brute-Force: Template
{"action":"verify_otp","otp":"{{OTP}}"}β Digits4β Launch - Mock server correct OTP:
1337β scanner detects no rate limiting (HIGH finding)
netstat -ano | findstr ":5000"
netstat -ano | findstr ":8080"
taskkill /PID <PID> /FThis project uses pre-commit hooks to maintain code quality and consistency. The hooks automatically run before each commit to:
- Format code with Black
- Sort imports with isort
- Lint with flake8
- Type check with mypy
- Scan for security issues with bandit
- Validate docstrings with pydocstyle
Setup pre-commit hooks:
# Install pre-commit
pip install pre-commit
# Install git hooks
pre-commit install
# Run hooks manually on all files
pre-commit run --all-filesFor detailed information about the configured hooks and how to use them, see Pre-Commit Hooks Documentation.
- Open
ws_profolder in VS Code - Open terminal (
Ctrl + ~) - Run:
pip install -r requirements.txt python main.py
Ctrl+Clickthe URLhttp://localhost:5000to open in browser
This tool is intended for educational purposes and authorized security testing only.
The developers and contributors of WS Tester Pro assume no liability and are not responsible for any misuse or damage caused by this program. It is the end user's absolute responsibility to obey all applicable local, state, and federal laws.
You may ONLY use this tool on systems, networks, and applications that you own, or for which you have explicit, written permission from the owner to conduct security assessments. Unauthorized scanning of systems or exploiting vulnerabilities without consent is illegal and may result in severe civil and criminal penalties.
By using this tool, you agree that you are using it at your own risk and that the creators will not be held accountable for your actions.
Proprietary License β All Rights Reserved.
This software is the private intellectual property of the author. Unauthorized copying, distribution, or modification is strictly prohibited. See the LICENSE file for details.
Built with β€οΈ for the security community
Star β the project if you find it useful!