Vulnerable Websocket Server

Serhat ÇİÇEK
Published in InfoSec Write-ups
4 min read · Aug 13, 2022

In this article, we will look at some WebSocket vulnerabilities. To test for them, you need to clone and install the repository from GitHub (https://github.com/Serhatcck/vulnsocket).

After installation, we are greeted by the login page.

Vulnsocket Login Page

We must create a user before logging in.

Vulnsocket Register Page

After registration we are redirected to index.php. Two different vulnerabilities are listed on this page.

Vulnsocket Index Page

CSWSH

Vulnsocket CSWSH Page

This page is a simple messaging application, and we start its WebSocket server with Python.

CSWSH Socket Server

When we refresh the page, we see that the connection status has changed.

Vulnsocket CSWSH Page

And we start messaging.

Vulnsocket CSWSH Page

We can see the WebSocket connection request in Burp Suite.

Burp Suite Web Socket Request

We can also see the WebSocket messages.

Burp Suite Web Socket Messages

The WebSocket connection request shown above carries no CSRF token, so we begin testing for Cross-Site WebSocket Hijacking (CSWSH).

To exploit Cross-Site WebSocket Hijacking, we need an HTML/JS PoC page. This page should open a connection to the WebSocket server and be able to pull the profile information over it. After pulling the profile information, it should send it to Burp Collaborator.

We need to check whether this HTML page works, so we visit it ourselves.

Vulnsocket Exploit Page

Burp Suite Collaborator Client

As the picture above shows, the page worked. Now we need the admin user to open this page, and for that we run cswsh_exploit.py.

cswsh_exploit.py

After the Python code runs, we will see that the admin user’s information is dropped into Collaborator:

Collaborator Client

After seeing the admin user’s information, the next step is to change the admin user’s password.

cswsh_exploit.py

After the Python code runs, we will see that the admin user’s password information is dropped into Collaborator:

Collaborator Client

We can then log in with the admin user’s credentials (admin@admin.com:admin).

Vulnsocket Index Page

How to prevent CSWSH?

To understand how the vulnerability is prevented, examine the cswsh_secure.php page. On this page, the WebSocket connection request is sent as follows:

Websocket Connection Request

This token value is user-specific and single-use.

cswsh_secure.php
socket_cswsh_secure.py

Since an attacker’s page cannot obtain the admin user’s token, this CSWSH vulnerability is eliminated.
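The following is an added example, not vulnsocket’s own code, of the server-side check that socket_cswsh_secure.py needs to make: a per-user, single-use handshake token taken from the upgrade request, shown next to the session-only check that makes the original server hijackable. The Origin allowlist and the `http://localhost` origin are assumptions added for defence in depth, not something the page describes.

```python
import secrets
from urllib.parse import urlparse, parse_qs

# Assumed deployment origin of the vulnsocket pages (not taken from the page).
ALLOWED_ORIGINS = {"http://localhost"}


class TokenStore:
    """Handshake tokens: minted server-side when the chat page is rendered for a
    logged-in user, bound to that user, and deleted on first use."""

    def __init__(self):
        self._tokens = {}  # token -> user name

    def issue(self, user):
        token = secrets.token_urlsafe(32)
        self._tokens[token] = user
        return token

    def consume(self, token, user):
        owner = self._tokens.pop(token, None)  # pop: a token is valid exactly once
        return owner is not None and owner == user


def vulnerable_authorize(headers, path, session_user):
    """The vulnsocket-style check: any upgrade request with a valid session is
    accepted. The browser attaches the session cookie to a WebSocket handshake
    even when a foreign page started it, so a cross-site page gets in."""
    return (session_user is not None, "session only")


def secure_authorize(headers, path, session_user, store, allowed=ALLOWED_ORIGINS):
    """headers: request headers with lower-case names; path: request target such
    as '/ws?token=...'; session_user: user resolved from the session cookie."""
    if headers.get("origin") not in allowed:
        return (False, "origin not allowed")
    token = parse_qs(urlparse(path).query).get("token", [None])[0]
    if token is None:
        return (False, "missing token")
    if not store.consume(token, session_user):  # unknown, replayed or other user's
        return (False, "invalid or reused token")
    return (True, "ok")


if __name__ == "__main__":
    store = TokenStore()
    tok = store.issue("admin")
    print(secure_authorize({"origin": "http://localhost"}, "/ws?token=" + tok, "admin", store))
    print(secure_authorize({"origin": "http://attacker.example"}, "/ws", "admin", store))
    print(vulnerable_authorize({"origin": "http://attacker.example"}, "/ws", "admin"))
```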
