Lab: Manipulating the WebSocket handshake to exploit vulnerabilities
PRACTITIONER
This online shop has a live chat feature implemented using WebSockets.
It has an aggressive but flawed XSS filter.
To solve the lab, use a WebSocket message to trigger an alert() popup in the support agent's browser.
Hint
- If you're struggling to bypass the XSS filter, try out our XSS labs.
- Sometimes you can bypass IP-based restrictions using HTTP headers like X-Forwarded-For.
Solution
- Click "Live chat" and send a chat message.
- In Burp Proxy, go to the WebSockets history tab, and observe that the chat message has been sent via a WebSocket message.
- Right-click on the message and select "Send to Repeater".
- Edit and resend the message containing a basic XSS payload:
  <img src=1 onerror='alert(1)'>
- Observe that the attack has been blocked, and that your WebSocket connection has been terminated.
- Click "Reconnect", and observe that the connection attempt fails because your IP address has been banned.
- Click "Request", and add the following header to the handshake:
  X-Forwarded-For: 1.1.1.1
- Click "Connect" to reconnect the WebSocket.
- Send a WebSocket message containing an obfuscated XSS payload like:
  <iframe src='jAvAsCripT:alert`1`'></iframe>
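The lab works because the server trusts a client-supplied X-Forwarded-For header for its ban check and relies on a blacklist filter for chat content. The following is an added example (not the lab's code or PortSwigger's) of how a chat backend can close both gaps: honour X-Forwarded-For only when the TCP peer is one of your own reverse proxies, and HTML-escape messages instead of trying to recognise bad ones. The proxy address, banned-IP set and sample payloads are constructed for the example.

```python
import html
import ipaddress

# Constructed for this example: the reverse proxies we operate. Only a
# connection arriving from one of these may carry a meaningful X-Forwarded-For.
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.2")}


def client_ip(peer_addr: str, headers: dict) -> str:
    """Return the address to use for rate limiting and bans.

    If the socket peer is not a trusted proxy, X-Forwarded-For is
    attacker-controlled (exactly what the lab exploits) and is ignored.
    Behind a trusted proxy, the rightmost entry is the one that proxy
    appended, so that is the value we take.
    """
    peer = ipaddress.ip_address(peer_addr)
    if peer not in TRUSTED_PROXIES:
        return str(peer)
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",")]
    hops = [h for h in hops if h]
    if not hops:
        return str(peer)
    try:
        return str(ipaddress.ip_address(hops[-1]))
    except ValueError:
        return str(peer)  # malformed header: fall back to the socket address


def is_banned(peer_addr: str, headers: dict, banned: set) -> bool:
    """Ban check that cannot be evaded by spoofing X-Forwarded-For."""
    return client_ip(peer_addr, headers) in banned


def render_chat_message(text: str) -> str:
    """Escape rather than blacklist: '<', '>', '&' and both quote characters
    become entities, so no tag or attribute can form regardless of case,
    backtick call syntax or any other obfuscation the filter did not list."""
    return html.escape(text, quote=True)
```

Escaping on output removes the need to guess every bypass; the ban logic then only has to be robust against header spoofing, which the trusted-proxy check provides.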