Nytro

Account Takeover Using Cross-Site WebSocket Hijacking (CSWH)

Mar 9

Hello,

While hunting on a private program, I found that the application was using a WebSocket connection, so I checked the WebSocket URL and found it was vulnerable to CSWH (Cross-Site WebSocket Hijacking).

For more details about CSWH, see the blog post below:

  1. https://www.christian-schneider.net/CrossSiteWebSocketHijacking.html

So let's assume an application establishes a WebSocket connection to the URL wss://website.com. To verify whether the URL is vulnerable to CSWH, I follow the steps below:

  1. Open the web application in the browser and log in to it.
  2. After this, visit http://websocket.org/echo.html in a new tab, enter the WebSocket URL and click ‘Connect’.
  3. Once the connection is established, you should be able to send frames to the server from this page. Capture the WebSocket frames of a valid session using Burp Proxy and replay them from here to see how the server responds. If the server responds the same way it did for the valid session, the endpoint is most likely vulnerable to Cross-Site WebSocket Hijacking: the opening handshake is an ordinary HTTP request, so the browser attaches the victim's session cookie to it, and a server that does not check the Origin header cannot tell the echo page apart from its own front end.
[Screenshot: connecting to the WebSocket URL from websocket.org/echo.html]

By following the above steps I determined that the application was vulnerable to Cross-Site WebSocket Hijacking.

Once I had established the WebSocket connection in the new tab, I received the WebSocket response below:

[Screenshot: WebSocket response containing “forgotPasswordId”: null]

If you look at the above response, there is a parameter “forgotPasswordId” and its value is “null”.

Now, to determine the value of “_forgotPasswordId” and complete the attack, I went to the forgot-password page and submitted a password reset request.

[Screenshot: password reset request on the forgot-password page]

Once again I checked the WebSocket connection, and this time I observed the response below, which contains the forgot-password token:

[Screenshot: WebSocket response containing the forgot-password token]

Exploit :

Now, to build the account-takeover exploit, the CSWH has to be chained with the password reset request. So I prepared a payload, CSWH.html, that forwards the WebSocket response to the attacker's site using XHR.

 
Steps:
  1. Send a password reset link to the victim (using the forgot-password page).
  2. Host CSWH.html and send its URL to the victim (similar to a CSRF attack).
  3. Once the victim clicks the URL, you will receive the WebSocket response on your listener, as shown in the image below.
 

[Screenshot: response on the attacker's webhook listener]

Once we have the forgot-password token, we can reset the victim's password.

 

Source: https://medium.com/@sharan.panegav/account-takeover-using-cross-site-websocket-hijacking-cswh-99cf9cea6c50
