1. Web Security Academy
  2. WebSockets
  3. CSWSH
  4. Lab

Lab: Cross-site WebSocket hijacking

This online shop has a live chat feature implemented using WebSockets.

To solve the lab, use the exploit server to host an HTML/JavaScript payload that uses a cross-site WebSocket hijacking attack to steal the victim's chat history, then gain access to their account.

Note

The obvious way to exfiltrate the victim's history is using Burp Collaborator. Note that you must use the public Burp Collaborator server (burpcollaborator.net).