Introduction to WebSocket Vulnerabilities
First, let’s understand what WebSockets are and how they are used: modern web applications use them to establish long-lived connections. With that use, vulnerabilities also arise in WebSockets. In this article, we will cover the “Manipulating WebSocket messages to exploit vulnerabilities” lab from PortSwigger Web Security, practically and step by step.
Articles Based on WebSocket Vulnerabilities
Manipulating WebSocket messages to exploit vulnerabilities
Manipulating the WebSocket handshake to exploit vulnerabilities
Cross-site WebSocket hijacking
1st Lab Description
In this lab, we have a live chat feature that uses WebSockets. The chat messages you submit can be viewed by a support agent in real time. To solve this lab, you need to trigger the alert() function through a WebSocket message so that the XSS popup is displayed.
Lab Solution
First, access the lab. After accessing it, you will see an option named “Live Chat” in the menu. Click on the “Live Chat” option. Remember to enable your Burp Suite proxy during this process so that you can analyze the HTTP history.
Submit some random text in the live chat. Now, go to Burp Suite and enable the intercept feature.
After enabling intercept, send any text in the chat and intercept the request.
In the intercepted request, insert the following payload for Cross-Site Scripting:
<img src=1 onerror='alert(1)'>
Now, forward this request.
After forwarding the request, you will see the XSS popup.
So, we have successfully solved the PortSwigger Web Security lab, “Manipulating WebSocket messages to exploit vulnerabilities.”
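The popup appears because the message edited in the proxy reaches the agent's page as markup. The following added example (not the lab's code and not from PortSwigger) shows the server-side fix in JavaScript; the JSON frame with a `message` field, the function names, the `<td>` wrapper and the length limit are all assumptions made for illustration.

```javascript
// Added example: hypothetical chat relay logic, not the lab's implementation.
const MAX_LEN = 500; // assumed upper bound for one chat message

// Encode the characters that let text break out into HTML markup.
function encodeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return text.replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable relay: passes on whatever text arrives in the frame.
function relayVulnerable(frame) {
  const { message } = JSON.parse(frame);
  return `<td>${message}</td>`; // raw text becomes markup in the agent's page
}

// Hardened relay: every frame is untrusted, because a proxy can rewrite it
// after any check or encoding done by the page's own script.
function relayHardened(frame) {
  let parsed;
  try {
    parsed = JSON.parse(frame);
  } catch {
    return null; // not JSON: drop the frame
  }
  const message = parsed && parsed.message;
  if (typeof message !== 'string' || message.length === 0 || message.length > MAX_LEN) {
    return null; // wrong type or size: drop the frame
  }
  return `<td>${encodeHtml(message)}</td>`; // encode at the point of output
}

// Constructed sample frames. The second carries the payload from the
// walkthrough, as it would look after being edited in the proxy.
const normalFrame = JSON.stringify({ message: 'hello' });
const tamperedFrame = JSON.stringify({ message: "<img src=1 onerror='alert(1)'>" });

console.log(relayVulnerable(tamperedFrame)); // markup survives
console.log(relayHardened(tamperedFrame));   // markup is rendered inert
```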