Lab: Manipulating the WebSocket handshake to exploit vulnerabilities
This online shop has a live chat feature implemented using WebSockets.
It has an aggressive but flawed XSS filter.
To solve the lab, use a WebSocket message to trigger an alert() popup in the support agent's browser.
- If you're struggling to bypass the XSS filter, try out our XSS labs.
- Sometimes you can bypass IP-based restrictions using HTTP headers like
- Click "Live chat" and send a chat message.
- In Burp Proxy, go to the WebSockets history tab, and observe that the chat message has been sent via a WebSocket message.
- Right-click on the message and select "Send to Repeater".
- Edit and resend the message containing a basic XSS payload, such as:
<img src=1 onerror='alert(1)'>
- Observe that the attack has been blocked, and that your WebSocket connection has been terminated.
- Click "Reconnect", and observe that the connection attempt fails because your IP address has been banned.
- Add the following header to the handshake request to spoof your IP address:
- Click "Connect" to successfully reconnect the WebSocket.
- Send a WebSocket message containing an obfuscated XSS payload, such as:
<img src=1 oNeRrOr=alert`1`>
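As an added example (not part of the lab or of PortSwigger's code), the Python below models why a case-sensitive blocklist of the kind the lab calls "aggressive but flawed" blocks the first payload but not the second, and contrasts it with case-insensitive detection and with escaping chat text on output so it is never interpreted as HTML. The blocklist tokens and function names are assumptions chosen for illustration.

```python
import html
import re

# Hypothetical blocklist standing in for the lab's filter; the real rules are not on the page.
BLOCKLIST = ("<script", "onerror", "onload", "javascript:")

# Matches any on*= event-handler attribute inside a tag, regardless of letter case.
EVENT_HANDLER_ATTR = re.compile(r"<[^>]*\bon\w+\s*=", re.IGNORECASE)


def naive_filter_blocks(message: str) -> bool:
    """Flawed filter: raw, case-sensitive substring match.

    Browsers treat HTML attribute names case-insensitively, so a mixed-case
    handler name such as oNeRrOr is still executed but never matches here.
    """
    return any(token in message for token in BLOCKLIST)


def normalised_filter_blocks(message: str) -> bool:
    """Same blocklist applied after lower-casing, which closes the case trick.

    Still a blocklist: other encodings and attribute names remain a risk.
    """
    lowered = message.lower()
    return any(token in lowered for token in BLOCKLIST)


def has_event_handler_attribute(message: str) -> bool:
    """Detection rule: flag any on*= attribute inside a tag, any case."""
    return EVENT_HANDLER_ATTR.search(message) is not None


def render_chat_message(message: str) -> str:
    """Mitigation: escape on output so chat text can never become markup.

    With this in place the blocklist is not what protects the support agent.
    """
    return html.escape(message, quote=True)


# Constructed test input: the two payloads quoted in the lab walkthrough.
BASIC = "<img src=1 onerror='alert(1)'>"
OBFUSCATED = "<img src=1 oNeRrOr=alert`1`>"

if __name__ == "__main__":
    for payload in (BASIC, OBFUSCATED):
        print(naive_filter_blocks(payload), normalised_filter_blocks(payload),
              has_event_handler_attribute(payload), render_chat_message(payload))
```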