ZeroTrace OSINT
WebSocket Inspector
Probe a WebSocket endpoint — handshake status, accepted subprotocols, extensions, and a single-frame echo test.
The WebSocket inspector connects to a ws:// or wss:// endpoint, performs the upgrade handshake, and reports what the server accepted. Optionally it sends a single test frame and reports the response.
WebSockets are how modern web apps push real-time data — chat, trading interfaces, live notifications, collaborative editing. From an investigation standpoint, knowing whether and how a site exposes WebSocket endpoints tells you which capabilities the site offers without you needing to log in.
What you get
| Field | What it tells you |
|---|---|
| Handshake status | The HTTP status the server returned to the upgrade request (101 = success) |
| Accepted Sec-WebSocket-Accept | The server's accept-key response, validated against the client's offered key |
| Subprotocols offered / accepted | The application protocols (Sec-WebSocket-Protocol) the server agreed to |
| Extensions | Compression and other extensions (permessage-deflate parameters) |
| Server header | The server software, when announced |
| TLS info (for wss://) | Auto-composed TLS inspector result for the underlying TLS connection |
| Origin-bypass test | Optional: connect with the Origin header omitted to see whether the server accepts off-origin clients |
| Echo frame test | Optional: send a single text frame, capture the response (or the close-code if the server rejects) |
Why probe WebSocket endpoints
A few investigative scenarios:
- Mapping app capabilities. A /api/notifications WebSocket suggests real-time notifications. A /ws/trading endpoint suggests a live-data feed. Knowing what is exposed tells you what the app does.
- Origin checks for CSWSH (cross-site WebSocket hijacking). A WebSocket that accepts cross-origin connections without authentication is a classic finding. The Origin-bypass test surfaces this directly.
- Detection evasion. Some sites deliberately advertise WebSocket endpoints they do not actually serve. The handshake response is the truth.
Subprotocol negotiation
The client offers a list of subprotocols (Sec-WebSocket-Protocol); the server picks one or none. Subprotocols often advertise the application:
- mqtt — MQTT messaging.
- graphql-ws — GraphQL over WebSocket.
- ocpp1.6 — Open Charge Point Protocol (EV charging stations).
- Custom strings — application-specific protocols.
A surprising number of WebSocket endpoints accept any subprotocol the client offers, which is a misconfiguration but useful for fingerprinting.
Extension parameters
Sec-WebSocket-Extensions carries compression and other extensions. The most common is permessage-deflate, often with parameters that encode the server's compression configuration. The tool parses and surfaces:
- client_max_window_bits / server_max_window_bits.
- client_no_context_takeover / server_no_context_takeover.
Useful for performance tuning and, occasionally, for fingerprinting the server stack.
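The handshake checks described above (accept-key validation, subprotocol selection, permessage-deflate parameters) can be reproduced offline against a captured upgrade response. This is an added example, not the tool's own code; the function names and the sample response are constructed for illustration, and the key/accept pair is the example from RFC 6455.

```python
import base64
import hashlib

# Fixed GUID defined by RFC 6455 for computing Sec-WebSocket-Accept
WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"

def expected_accept(client_key: str) -> str:
    """Sec-WebSocket-Accept = base64(SHA-1(client key + GUID))."""
    digest = hashlib.sha1((client_key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")

def parse_extensions(header: str) -> list:
    """Split Sec-WebSocket-Extensions into (name, {param: value}) pairs."""
    result = []
    for ext in filter(None, (e.strip() for e in header.split(","))):
        name, *params = [p.strip() for p in ext.split(";")]
        parsed = {}
        for p in params:
            key, _, value = p.partition("=")
            # Valueless params (e.g. server_no_context_takeover) become True
            parsed[key.strip()] = value.strip().strip('"') or True
        result.append((name, parsed))
    return result

def analyze_handshake(raw: str, client_key: str, offered: list) -> dict:
    """Summarise a raw HTTP upgrade response (hypothetical helper)."""
    head = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    status = int(head[0].split(" ", 2)[1])
    headers = {k.strip().lower(): v.strip()
               for k, _, v in (line.partition(":") for line in head[1:])}
    chosen = headers.get("sec-websocket-protocol")
    return {
        "status": status,
        "accept_valid": headers.get("sec-websocket-accept") == expected_accept(client_key),
        "subprotocol": chosen,
        # The server must pick from the client's list (or pick none)
        "subprotocol_was_offered": chosen is None or chosen in offered,
        "extensions": parse_extensions(headers.get("sec-websocket-extensions", "")),
    }

# Constructed sample response for illustration
SAMPLE = (
    "HTTP/1.1 101 Switching Protocols\r\n"
    "Upgrade: websocket\r\nConnection: Upgrade\r\n"
    "Sec-WebSocket-Accept: s3pPLMBiTxaQ9kYGzzhZRbK+xOo=\r\n"
    "Sec-WebSocket-Protocol: graphql-ws\r\n"
    "Sec-WebSocket-Extensions: permessage-deflate; server_no_context_takeover; client_max_window_bits=15\r\n\r\n"
)
report = analyze_handshake(SAMPLE, "dGhlIHNhbXBsZSBub25jZQ==", ["graphql-ws", "mqtt"])
```

A mismatched accept key or a subprotocol the client never offered usually means something other than a conforming WebSocket server answered, such as a proxy or a stub endpoint.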
Origin bypass test
A toggle re-runs the handshake without the Origin header. If the server still accepts the connection, the WebSocket may be vulnerable to cross-site hijacking — an attacker page can open the WebSocket on the user's behalf and impersonate them.
The origin-bypass test is a probe, not an exploit. It only checks whether the handshake succeeds. Confirming exploitability requires authorised testing of the application's authentication semantics. Never assume a passing handshake means an exploitable endpoint without further verification.
Echo frame test
A toggle sends a single text frame ({"ping":1} by default; configurable) and waits for a response. The tool surfaces:
- Whether the server responded.
- Whether the server immediately closed the connection (with the close code).
- The first response frame's payload (truncated to a sensible size).
For applications with simple echo or ping-pong protocols, this confirms the endpoint is alive end-to-end.
Pivots
| Click on... | Pivot to |
|---|---|
| The WebSocket URL | URL parser, site analysis on the host |
| The host | DNS, WHOIS, TLS inspector, site analysis |
| Subprotocol | (no pivot — informational) |
Sources
- Direct WebSocket handshake against the target endpoint.
- TLS handshake against the underlying TLS connection (for wss://).
No external API is queried for this tool.