Peeping through a Web-Socket

Recently, I had found a bug related to web sockets through which I was able to view all the messages being sent to the victim user.

What are Web Sockets?

Web Sockets are usually used in chatting applications, stock/crypto market applications to make sure the data is updated in real time.

What is Web Socket Hijacking?

Here it goes

The upgrade request that was being made to intialize a web socket connection was way too open as it didn’t even send the user cookies to identify the user, instead it sent a unique identifier of the user to establish a web socket connection.

Some Recon

Finding the unique identifier was easy enough as we just had to send a message to the victim user using our account, intercept the web socket request in burpsuite and extract the victim identifier from the request.

Further analyzing the request being made to the web socket conenction and the response recieved, I was able to identify few commands that need to be sent to the server after the connection is established to start receiving new messages being sent to the victim user from other users.

Summing it all up

Once the connection got established in the repeater tab, now I was able to send the commands to the server(similar to portswigger lab’s “READY” command).

Once, this was all done, I just had to wait for someone to send a message to the user(or send a message with my account to the victim user). Every message being sent to the victim user along with the link to the attachments sent along the message were visible in the repeater tab. The server kept sending all the messages of the user as this connection was not meant to be expired automatically.

This way I was able to view the messages of all the users without any action requirement by the victim user. Just establish the web socket connections and then wait and watch the messages of the users as they flow through.

Follow me on Twitter to get some interseting tweets/retweets.