Cross site web socket hijacking (CSWSH) is similar to CSRF because we utilize the targets cookies to make requests.
Also, like CSRF the target would have to visit our malicious page while logged into the target site for this to work.
The major difference is instead of sending a POST request we initiate a web socket connection. After the WebSocket
connection is established we can do whatever want.
-
Examine the traffic in burp Most people only know how to use burp to test HTTP traffic but it can also handle web socket traffic as shown below:
-
Create a POC to see if we can hijack a user’s
WebSocket
connection | We can use the following website to test for the vulnerability:[http://websocket.org/echo.html ] -
Manipulating WebSocket messages to exploit vulnerabilities
Click "Live chat" and send a chat message. Itercept the request edit message to <img src=1 onerror='alert(1)'>
-
Manipulating the WebSocket handshake to exploit vulnerabilities