WebSockets
⇒ What it is
Cross-site WebSocket hijacking (CSWSH) is similar to CSRF because it relies on the target's cookies being sent automatically with our requests.
Also, like CSRF, the target has to visit our malicious page while logged into the target site for this to work.
The major difference is that instead of sending a POST request we initiate a WebSocket connection. After the WebSocket
connection is established, we can send and receive messages over it as the victim.
⇒ Workflows
Example target: a live chat feature that uses WebSockets for communication.
Broadcast crashes via manipulating WebSockets
1. Log in as an admin and assign a moderator to a classroom.
2. As the moderator, intercept the API request for role assignment using tools like Burp Suite or browser developer tools.
3. Modify the request payload as follows:
    {
      "request_type": "ASSIGN ROLE",
      "payload": {
        "role": "crash",
        "user_id": "55150"
      },
      "request_id": "A1Kptpj0FIfef173-biAa"
    }
   Replace the role value with a non-standard string such as crash.
4. Send the modified request.
5. Observe the effects:
   All live broadcasts in the session will crash.
   Participants will see the error message:
Kick the session HOST user
1. Moderators intercept WebSocket traffic using tools like browser developer tools or proxies.
2. The connection_id of the Host is extracted from WebSocket messages.
3. A malicious WebSocket request with the following payload is crafted:
    {
      "request_type": "KICK",
      "payload": {
        "connection_id": "usr-conn-1ef9c55xu"
      },
      "request_id": "dME5ScO1R4kLK_STnmfUQ"
    }
4. The crafted request is sent to the server, resulting in the Host being forcibly removed from the session.
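Both workflows above succeed because the server trusts whatever arrives over an established WebSocket. The added example below (not from the original page or the affected application) shows the server-side checks that close both gaps: an Origin allowlist on the upgrade handshake against CSWSH, and per-message authorization that allowlists the role value and restricts KICK to the host. The origin "https://app.example.com", the role set and the actor roles "admin"/"host" are assumed values.

```python
import json

# Constructed allowlists; a real deployment loads these from configuration.
ALLOWED_ORIGINS = {"https://app.example.com"}
# Hypothetical role allowlist; only a fixed vocabulary may reach the broadcast logic.
ALLOWED_ROLES = {"participant", "moderator"}


def origin_allowed(headers: dict, allowed=ALLOWED_ORIGINS) -> bool:
    """Accept a WebSocket upgrade only when Origin is present and allowlisted.

    The browser attaches cookies to the handshake automatically (the CSWSH
    problem), so Origin is the handshake-time signal the server must verify.
    """
    origin = headers.get("Origin") or headers.get("origin")
    return origin is not None and origin in allowed


def validate_message(raw: str, actor_role: str) -> tuple:
    """Authorize one JSON message after the connection is up.

    Returns (ok, reason). Authorization is decided per message from the
    server-side session role, never from fields the client supplies.
    """
    try:
        msg = json.loads(raw)
    except ValueError:
        return False, "malformed json"
    if not isinstance(msg, dict) or not isinstance(msg.get("payload"), dict):
        return False, "bad envelope"
    rtype = msg.get("request_type")
    payload = msg["payload"]
    if rtype == "ASSIGN ROLE":
        # Assumed policy: only admins assign roles, and the value must be known.
        if actor_role != "admin":
            return False, "only admin may assign roles"
        if payload.get("role") not in ALLOWED_ROLES:
            return False, "unknown role"
        return True, "ok"
    if rtype == "KICK":
        # Assumed policy: knowing a connection_id grants no authority; only the host kicks.
        if actor_role != "host":
            return False, "only host may kick"
        if not isinstance(payload.get("connection_id"), str):
            return False, "missing connection_id"
        return True, "ok"
    return False, "unknown request_type"
```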