Lab: Manipulating the WebSocket handshake to exploit vulnerabilities

PRACTITIONER

This online shop has a live chat feature implemented using WebSockets.

It has an aggressive but flawed XSS filter.

To solve the lab, use a WebSocket message to trigger an alert() popup in the support agent's browser.

Hint

  • If you're struggling to bypass the XSS filter, try out our XSS labs.
  • Sometimes you can bypass IP-based restrictions using HTTP headers like X-Forwarded-For.

Solution

  1. Click "Live chat" and send a chat message.
  2. In Burp Proxy, go to the WebSockets history tab, and observe that the chat message has been sent via a WebSocket message.
  3. Right-click on the message and select "Send to Repeater".
  4. Edit and resend the message containing a basic XSS payload, such as:

    <img src=1 onerror='alert(1)'>
  5. Observe that the attack has been blocked, and that your WebSocket connection has been terminated.
  6. Click "Reconnect", and observe that the connection attempt fails because your IP address has been banned.
  7. Add the following header to the handshake request to spoof your IP address:

    X-Forwarded-For: 1.1.1.1
  8. Click "Connect" to successfully reconnect the WebSocket.
  9. Send a WebSocket message containing an obfuscated XSS payload, such as:

    <img src=1 oNeRrOr=alert`1`>
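
The two flaws the solution relies on are the server trusting a client-supplied X-Forwarded-For header when enforcing the IP ban, and a blocklist filter that only matches one spelling of the handler attribute. The following is an added example (not code from the lab or from PortSwigger) of how a chat server could handle both during the handshake and when rendering messages; the trusted proxy address 10.0.0.1 and the header dictionary shape are assumptions for the demonstration.

```python
"""Added example, not part of the lab: resolve the client IP safely during the
WebSocket handshake and escape chat messages instead of blocklisting them."""
import html
import ipaddress
import re

# Assumption: the only reverse proxy allowed to set X-Forwarded-For has this address.
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.1")}


def client_ip(peer_addr: str, headers: dict) -> str:
    """Return the address to use for rate limits and bans.

    X-Forwarded-For is honoured only when the TCP peer is a trusted proxy; a
    direct client can write anything into that header, which is exactly how
    the lab's ban is bypassed with 'X-Forwarded-For: 1.1.1.1'."""
    peer = ipaddress.ip_address(peer_addr)
    if peer not in TRUSTED_PROXIES:
        return str(peer)
    lowered = {k.lower(): v for k, v in headers.items()}
    hops = [h.strip() for h in lowered.get("x-forwarded-for", "").split(",") if h.strip()]
    if not hops:
        return str(peer)
    # The trusted proxy appends the real client last; earlier entries are untrusted.
    try:
        return str(ipaddress.ip_address(hops[-1]))
    except ValueError:
        return str(peer)


def render_chat_message(raw: str) -> str:
    """Escape rather than filter: '<', '>', '&' and quotes become entities, so
    spelling tricks such as oNeRrOr or backtick calls never reach the agent's DOM
    as markup, whatever the casing."""
    return html.escape(raw, quote=True)


def looks_like_markup(raw: str) -> bool:
    """Case-insensitive detection signal for alerting on suspicious chat content.
    This is a monitoring aid, not the defence; render_chat_message is."""
    return re.search(r"<\s*\w+[^>]*\bon\w+\s*=", raw, re.IGNORECASE) is not None
```

Note that the same escaping must be applied on the support agent's side wherever the message is inserted into the page, not only before it is stored.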
