Cross Site Web Socket Hijacking (101)

Sudhanshu Kumar Kashyap
3 min read · Jun 19, 2020


What is the WebSocket API?

The WebSocket API is an advanced technology that makes it possible to open a two-way, interactive communication session between the user’s browser and a server. With this API, you can send messages to a server and receive event-driven responses without having to poll the server for a reply.

Cross-site WebSocket hijacking.

Cross-site WebSocket hijacking (also known as cross-origin WebSocket hijacking) involves a cross-site request forgery (CSRF) vulnerability on a WebSocket handshake. It arises when the WebSocket handshake request relies solely on HTTP cookies for session handling and does not contain any CSRF tokens or other unpredictable values.

An attacker can create a malicious web page on their own domain which establishes a cross-site WebSocket connection to the vulnerable application. The application will handle the connection in the context of the victim user’s session with the application.

The attacker’s page can then send arbitrary messages to the server via the connection and read the contents of messages that are received back from the server. This means that, unlike regular CSRF, the attacker gains two-way interaction with the compromised application.

(Image: a basic overview of CSWSH.)

What is the impact of cross-site WebSocket hijacking?

A successful cross-site WebSocket hijacking attack will often enable an attacker to:

  • Perform unauthorized actions masquerading as the victim user. As with regular CSRF, the attacker can send arbitrary messages to the server-side application. If the application uses client-generated WebSocket messages to perform any sensitive actions, then the attacker can generate suitable messages cross-domain and trigger those actions.
  • Retrieve sensitive data that the user can access. Unlike with regular CSRF, cross-site WebSocket hijacking gives the attacker two-way interaction with the vulnerable application over the hijacked WebSocket. If the application uses server-generated WebSocket messages to return any sensitive data to the user, then the attacker can intercept those messages and capture the victim user’s data.

As soon as you capture the WebSocket handshake request in Burp, you can see the Host and the Origin header. Send the request to Repeater and try changing the Origin value: if the Origin is, say, https://www.test.com, change it to https://www.attacker.com, which is basically the attacker’s own (malicious) URL.

If, when you send the modified request, you get a 101 status code, the WebSocket endpoint is vulnerable: it is not validating the Origin header. By exploiting the WebSocket, an attacker can read or send data over the connection, obtain the user’s information, and this may lead to account takeover.

Just adding an image for reference, which is not mine because I can’t disclose the program, but I can disclose the bug.
