README
¶
Vulnerable WebSocket Server - Educational Demo
⚠️ WARNING: This server is INTENTIONALLY VULNERABLE ⚠️
This code demonstrates the OpenClaw WebSocket localhost takeover vulnerability discovered by Oasis Security. It is designed for EDUCATIONAL PURPOSES ONLY.
Purpose
This server mimics the vulnerable behavior of OpenClaw to help security professionals understand:
- How WebSocket connections from browsers can reach localhost services
- Why rate limiting must apply to localhost connections
- Why device pairing should require explicit user confirmation
Vulnerabilities Demonstrated
| Vulnerability | Description | Secure Alternative |
|---|---|---|
| No rate limiting | Unlimited password attempts from localhost | Implement rate limiting for ALL sources |
| Auto-approve pairing | Device registration auto-approved from localhost | Require user confirmation via UI |
| No origin validation | WebSocket accepts any origin | Validate Origin header |
Running the Server
# Default settings (port 9999, password "demo123")
go run main.go
# Custom settings
go run main.go -port 8888 -password "mypassword"
WebSocket Protocol
Connect
ws://localhost:9999/ws
Authentication
{"type": "auth", "payload": {"password": "demo123"}}
Response:
{"type": "auth", "success": true, "data": {"sessionId": "session-xxx"}}
Device Registration
{"type": "register", "payload": {"deviceName": "Attacker Device"}}
Commands
{"type": "command", "payload": {"command": "search", "args": "API keys"}}
{"type": "getConfig"}
{"type": "getLogs"}
{"type": "getDevices"}
Attack Flow
- Victim visits malicious website
- Website's JavaScript opens WebSocket to
localhost:9999 - JavaScript brute-forces password (no rate limiting)
- JavaScript registers as trusted device (auto-approved)
- JavaScript exfiltrates config, logs, and device list
DO NOT
- Run this in production
- Expose this to untrusted networks
- Use this code as a template for real applications
- Deploy this anywhere outside of a controlled lab environment
References
Documentation
¶
Overview ¶
Vulnerable WebSocket Server - Educational Demo
⚠️ WARNING: This server is INTENTIONALLY VULNERABLE ⚠️
This code demonstrates the OpenClaw WebSocket localhost takeover vulnerability. It is designed for EDUCATIONAL PURPOSES ONLY to help security professionals understand the attack vector.
DO NOT: - Run this in production - Expose this to untrusted networks - Use this code as a template for real applications
The vulnerabilities demonstrated: 1. No rate limiting on password attempts from localhost 2. Auto-approve device pairing from localhost connections 3. WebSocket accepts connections without origin validation
Run: go run main.go The server will listen on localhost:9999
Source Files