Manipulating WebSocket messages to exploit vulnerabilities | Dec 19, 2022

Introduction

Welcome to my another writeup! In this Portswigger Labs lab, you’ll learn: Manipulating WebSocket messages to exploit vulnerabilities! Without further ado, let’s dive in.

• Overall difficulty for me (From 1-10 stars): ★☆☆☆☆☆☆☆☆☆

Background

This online shop has a live chat feature implemented using WebSockets.

Chat messages that you submit are viewed by a support agent in real time.

To solve the lab, use a WebSocket message to trigger an alert() popup in the support agent’s browser.

Exploitation

Home page:

Live chat:

To intercept WebSocket messages, we can use Burp Suite:

As you can see, the live chat feature is using WebSockets.

Let’s try to send some messages:

In here, we can see that the a WebSocket message is being sent to the server, and the contents of the message are transmitted to another chat user!

Hmm… What if I send a XSS payload to another chat user?

Payload:

<img src=error onerror='alert(document.domain)'>

We did it!

What we’ve learned:

1. Manipulating WebSocket messages to exploit vulnerabilities