Lab: Manipulating the WebSocket handshake to exploit vulnerabilities
This online shop has a live chat feature implemented using WebSockets.
It has an aggressive but flawed XSS filter.
To solve the lab, use a WebSocket message to trigger an alert() popup in the support agent's browser.
- If you're struggling to bypass the XSS filter, try out our XSS labs.
Sometimes you can bypass IP-based restrictions using HTTP headers like
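The hint above concerns an IP ban that the application enforces from a client-controllable header rather than from the TCP peer address. The following Python is an added example written from the defender's side; it is not part of the lab or of PortSwigger's solution. It assumes a single reverse proxy at 10.0.0.5 (a constructed address), that X-Forwarded-For is the forwarding header the proxy appends (the page itself does not name a header), and an in-memory ban list; all three are assumptions for the example.

```python
"""Added example (not part of the lab or its published solution).

Resolve the client address during a WebSocket handshake so that an
IP-based ban cannot be sidestepped by a client-supplied forwarding header.
Assumptions (constructed for this example, not from the page): the app sits
behind one reverse proxy at 10.0.0.5, that proxy is the only trusted source
of X-Forwarded-For values, and banned addresses live in an in-memory set.
"""
import ipaddress

TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.5")}    # constructed value
BANNED = {ipaddress.ip_address("203.0.113.9")}           # constructed value (TEST-NET-3 range)


def _header(headers, name):
    """Case-insensitive header lookup; header names are not case-sensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def resolve_client_ip(peer_ip, headers):
    """Return the address that bans and rate limits should key on.

    The TCP peer address is authoritative. A forwarding header is honoured
    only when the peer is a trusted proxy, and then only the rightmost entry
    (the one our proxy appended) is used; earlier entries were supplied by
    the client and are unverifiable.
    """
    peer = ipaddress.ip_address(peer_ip)
    if peer not in TRUSTED_PROXIES:
        # Direct connection: any forwarding header present is attacker-controlled.
        return peer
    forwarded = _header(headers, "X-Forwarded-For")
    if not forwarded:
        return peer
    candidate = forwarded.split(",")[-1].strip()
    try:
        return ipaddress.ip_address(candidate)
    except ValueError:
        # Malformed value: fall back to the only address we can verify.
        return peer


def handshake_allowed(peer_ip, headers):
    """Decide whether the WebSocket upgrade may proceed for this client."""
    return resolve_client_ip(peer_ip, headers) not in BANNED


if __name__ == "__main__":
    # Direct connection from a banned address that claims to be someone else.
    print(handshake_allowed("203.0.113.9", {"x-forwarded-for": "198.51.100.7"}))
    # Same banned address arriving through the trusted proxy.
    print(handshake_allowed("10.0.0.5", {"X-Forwarded-For": "203.0.113.9"}))
```

The design point is that the header is never consulted unless the connection itself came from a host the operator controls, and even then only the hop that host appended is believed. Trusting the header unconditionally is exactly what lets a banned client reconnect by editing the handshake.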
- Click "Live chat" and send a chat message.
- In Burp Proxy, go to the WebSockets history tab, and observe that the chat message has been sent via a WebSocket message.
- Right click on the message and select "Send to Repeater".
- Edit and resend the message containing a basic XSS payload:
<img src=1 onerror='alert(1)'>
- Observe that the attack has been blocked, and that your WebSocket connection has been terminated.
- Click "Reconnect", and observe that the connection attempt fails because your IP address has been banned.
- Click "Request", and add the following header to the handshake:
- Click "Connect" to reconnect the WebSocket.
- Send a WebSocket message containing an obfuscated XSS payload like:
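The steps above defeat a blocklist-style XSS filter, which has to recognise every obfuscation of a payload in advance. The fix on the application side is to stop recognising attack strings and instead encode chat text for the context the agent's browser inserts it into. The Python below is an added example, not the lab's code or PortSwigger's solution; the `render_chat_message` and `chat_frame` functions and the `class="msg"` markup are assumptions made for the example, and the payload it is tested with is the one the page itself uses.

```python
"""Added example (not from the lab or its published solution).

Encode chat messages for their HTML context instead of filtering them.
A blocklist must anticipate every obfuscation; contextual encoding has
nothing to anticipate, because the input can only ever appear as text.
"""
import html
import json


def render_chat_message(author, text):
    """Server-side rendering of one chat line destined for innerHTML.

    Every untrusted field is entity-encoded with quote=True (the default),
    so '<', '>', '&', '"' and "'" all become entities and cannot start a
    tag or break out of an attribute.
    """
    return '<p class="msg"><b>{}</b>: {}</p>'.format(
        html.escape(author), html.escape(text)
    )


def chat_frame(author, text):
    """Alternative: send the message over the WebSocket as data, not markup.

    The receiving page is then expected to place `text` with textContent
    rather than innerHTML (an assumed client-side convention, not shown).
    JSON framing keeps the original text intact and recoverable.
    """
    return json.dumps({"type": "chat", "author": author, "text": text})


def contains_raw_markup(rendered, untrusted):
    """Review check: no '<' that came from the untrusted field may survive
    encoding. The only '<' characters left must be the template's own."""
    template_only = render_chat_message("", "")
    return rendered.count("<") != template_only.count("<")


if __name__ == "__main__":
    payload = "<img src=1 onerror='alert(1)'>"   # the page's own test payload
    line = render_chat_message("guest", payload)
    print(line)
    print(contains_raw_markup(line, payload))     # False: payload is inert text
    print(chat_frame("guest", payload))
```

`html.escape` encodes single quotes as `&#x27;` and double quotes as `&quot;`, which is why the rendered line is safe even if the template were later changed to put user text inside an attribute. The JSON variant is preferable where the front end can be changed, since it removes the HTML context altogether.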