by Claudemir Todo Bom - 2024-Feb-20
Basically it connects to the websocket without any credential join the notifications channel and display all messages received
for this exploit to work server must have an userId with number 1, but it can be change do any number that exists on the server.
USE IT ONLY TO CHECK YOUR SERVER OR THE SERVER YOU HAVE AUTHORIZATION TO CHECK. I AM NOT RESPONSIBLE FOR WHAT YOU DO WITH THIS TOOL.
You will need nodejs installed on your computer.
Having it, just go open a terminal and navigate to the folder where this exploit is. First you need to load the dependencies of the script:
npm installAfter this you can run it:
npm startIt will ask the URL of the backend. It must start with wss://
or ws://, after clicking on "Analize" it will connect to the
websocket and start analysing it. If the server is vulnerable you
will see the messages going through it in realtime.