From 930a3a0d8c75c2964ac1d6f74efc319ed6900a2b Mon Sep 17 00:00:00 2001 From: Emanuel Duss Date: Sat, 11 Apr 2020 16:17:35 +0200 Subject: [PATCH] Added: Cross-Site WebSocket Hijacking (CSWSH) --- Web Sockets/README.md | 29 ++++++++++++++++++++++++++++- 1 file changed, 28 insertions(+), 1 deletion(-) diff --git a/Web Sockets/README.md b/Web Sockets/README.md index b53a7b7..c63bdd4 100644 --- a/Web Sockets/README.md +++ b/Web Sockets/README.md @@ -31,9 +31,36 @@ Then you can use any tools against the newly created web service, working as a p sqlmap -u http://127.0.0.1:8000/?fuzz=test --tables --tamper=base64encode --dump ``` +## Cross-Site WebSocket Hijacking (CSWSH) + +If the WebSocket handshake is not correctly protected using a CSRF token or a +nonce, it's possible to use the authenticated WebSocket of a user on an +attacker's controlled site because the cookies are automatically sent by the +browser. This attack is called Cross-Site WebSocket Hijacking (CSWSH). + +Example exploit, hosted on an attacker's server, that exfiltrates the received +data from the WebSocket to the attacker: + +```html + +``` + +You have to adjust the code to your exact situation. E.g. if your web +application uses a `Sec-WebSocket-Protocol` header in the handshake request, +you have to add this value as a 2nd parameter to the `WebSocket` function call +in order to add this header. ## References - [HACKING WEB SOCKETS: ALL WEB PENTEST TOOLS WELCOMED by Michael Fowl | Mar 5, 2019](https://www.vdalabs.com/2019/03/05/hacking-web-sockets-all-web-pentest-tools-welcomed/) - [Hacking with WebSockets - Qualys - Mike Shema, Sergey Shekyan, Vaagn Toukharian](https://media.blackhat.com/bh-us-12/Briefings/Shekyan/BH_US_12_Shekyan_Toukharian_Hacking_Websocket_Slides.pdf) -- [Mini WebSocket CTF - January 27, 2020 - Snowscan](https://snowscan.io/bbsctf-evilconneck/#) \ No newline at end of file +- [Mini WebSocket CTF - January 27, 2020 - Snowscan](https://snowscan.io/bbsctf-evilconneck/#)