Manipulating the WebSocket handshake to exploit vulnerabilities
Description
This online shop has a live chat feature implemented using WebSockets.
It has an aggressive but flawed XSS filter.
To solve the lab, use a WebSocket message to trigger an alert() popup in the support agent's browser.
Approach
After accessing the lab, I enabled the FoxyProxy extension to intercept all requests through Burp Suite. Then, I used the live chat feature on the site and checked the WebSocket History in Burp's proxy, where I found my message being sent in this request:
{"message":"This is my first message"}
My goal was to trigger an alert pop-up in the support agent's browser using an XSS payload. I attempted a simple XSS injection:
{"message":"<img src=1 onerror=alert(1)>"}
However, when I sent this request, I received the following response:
{"error":"Attack detected: Event handler"}
Additionally, my IP was blocked, preventing further communication through this WebSocket. To bypass the IP block, I used the X-Forwarded-For header. I reconnected by pressing reconnect and adding this header to the request:
This tricked the server into thinking the request was coming from IP 4.4.4.4 instead of my blocked IP. After pressing connect, I successfully reconnected to the WebSocket.
To bypass the XSS filters, I used an obfuscated XSS payload:
I sent this payload and re-accessed the live chat page, making sure to add the X-Forwarded-For header each time. Upon doing this, I saw the alert box pop up, indicating the lab was solved. This alert also appeared in the support agent's browser, confirming the success of the XSS attack.
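The two weaknesses the lab relies on are a block list keyed on a client-supplied X-Forwarded-For value and a deny-list XSS filter in front of an HTML renderer. The following Node.js snippet is an added example, not code from the lab or from this write-up, showing a chat handler that closes both: it honours X-Forwarded-For only when the TCP peer is a proxy the operator controls, and it output-encodes messages instead of pattern-matching them. TRUSTED_PROXIES, the function names and the sample addresses are assumptions made for the example.

```javascript
// Added example (not from the lab or the write-up above).
// Assumption: a single reverse proxy at 10.0.0.1 fronts the WebSocket server.
const TRUSTED_PROXIES = new Set(['10.0.0.1']);

// Use X-Forwarded-For only when the socket peer is our own proxy. Otherwise a
// client can choose its own "IP" (e.g. 4.4.4.4) and step around an IP block.
function resolveClientIp(socketAddress, headers) {
  const xff = headers['x-forwarded-for'];
  if (xff && TRUSTED_PROXIES.has(socketAddress)) {
    // The proxy appends the address it actually saw as the LAST entry;
    // earlier entries were sent by the client and cannot be trusted.
    const chain = xff.split(',').map((s) => s.trim()).filter(Boolean);
    return chain[chain.length - 1];
  }
  return socketAddress;
}

// Encode for an HTML text context instead of blocking "Event handler"-style
// patterns: every message becomes inert text no matter how it is obfuscated.
function encodeForHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return text.replace(/[&<>"']/g, (c) => map[c]);
}

// Process one inbound chat frame of the form {"message": "..."} (assumed shape).
// blockedIps is the server-side ban list keyed on the resolved client IP.
function handleChatMessage(socketAddress, headers, rawFrame, blockedIps) {
  const ip = resolveClientIp(socketAddress, headers);
  if (blockedIps.has(ip)) {
    return { error: 'Connection refused: address is blocked', ip };
  }
  let frame;
  try {
    frame = JSON.parse(rawFrame);
  } catch {
    return { error: 'Malformed frame', ip };
  }
  if (typeof frame.message !== 'string') {
    return { error: 'Malformed frame', ip };
  }
  // What is relayed to the support agent's chat view is already HTML-safe.
  return { message: encodeForHtml(frame.message), ip };
}

module.exports = { resolveClientIp, encodeForHtml, handleChatMessage };
```

With this handler the spoofed header from the walkthrough is ignored for a direct connection, and the image payload from the walkthrough reaches the agent as the literal text "&lt;img src=1 onerror=alert(1)&gt;".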