Manipulating the WebSocket handshake to exploit vulnerabilities

Description

This online shop has a live chat feature implemented using WebSockets. It has an aggressive but flawed XSS filter.

Reproduction and proof of concept

  1. Click Live chat and send a chat message.

  2. In Burp Proxy, go to the WebSockets history tab, and observe that the chat message has been sent via a WebSocket message.

  3. Right-click on the message and select “Send to Repeater”.

  4. Edit and resend the message containing a basic XSS payload, such as:

<img src=1 onerror='alert(1)'>

  1. Observe that the attack has been blocked, and that your WebSocket connection has been terminated.

Websockets

  1. Click Reconnect, and observe that the connection attempt fails because your IP address has been banned.

  2. Add the X-Forwarded-For header to the handshake request to spoof the IP address:

X-Forwarded-For: 1.1.1.1

Websockets

  1. Click “Connect” to successfully reconnect the WebSocket.

  2. Send a WebSocket message containing an obfuscated XSS payload, such as:

<img src=1 oNeRrOr=alert`1`>

Websockets

Exploitability

An attacker will need to use a WebSocket message to trigger an alert() popup in the support agent’s browser.