Tactics, Techniques, and Procedures

WebSockets


Last updated 2 years ago

WebSockets are a technology that allows for bi-directional communication between a client and a server over a single, long-lived TCP connection. While WebSockets can be a powerful tool for building real-time applications, there are also several security risks associated with their use. Here are some of the most important security risks to consider:

  1. Cross-site WebSocket hijacking (CSWSH): This is a type of attack where a malicious website exploits a WebSocket connection that it opens to a legitimate website in the context of a user who is already logged in there. The attacker's page can then send and receive messages over that connection in the victim's authenticated session, bypassing the same-origin policy. This can result in data theft, session hijacking, and other types of attacks.

  2. Denial-of-service (DoS) attacks: WebSockets are susceptible to DoS attacks, where an attacker floods a server with a high volume of traffic. This can result in the server becoming overwhelmed and unable to handle legitimate requests, causing a denial of service to users.

  3. Man-in-the-middle (MitM) attacks: Since plain ws:// WebSocket connections are unencrypted, an attacker on the network path can intercept and modify data transmitted over such a connection. This can result in sensitive data being stolen or manipulated.

  4. Malicious payload injection: If a server doesn't properly validate the data it receives from a WebSocket connection, it can be vulnerable to attacks that involve the injection of malicious payloads. For example, an attacker could inject JavaScript code that executes in the user's browser, potentially leading to further attacks such as cross-site scripting (XSS).

  5. Insecure WebSocket implementations: WebSockets are still a relatively new technology, and some implementations may have security vulnerabilities that could be exploited by attackers. It's important to use a secure and well-tested WebSocket library or framework to minimize the risk of such vulnerabilities being exploited.

Cross-Site WebSocket Hijacking (CSWSH)

This attack is essentially Cross-Site Request Forgery targeting a WebSocket connection / handshake.

It arises when the WebSocket handshake request relies solely on HTTP cookies for session handling and does not contain any CSRF tokens or other unpredictable values. An attacker can create a malicious web page on their own domain which establishes a cross-site WebSocket connection to the vulnerable application. The application will handle the connection in the context of the victim user's session with the application.

ws-harness.py

# Start ws-harness against a WebSocket endpoint, and specify a message template to send to the endpoint.
python ws-harness.py -u "ws://dvws.local:8080/authenticate-user" -m ./message.txt

Remediation

To mitigate these risks, it's important to properly secure WebSocket connections by using encryption (wss://, i.e. WebSocket over TLS, the equivalent of HTTPS), implementing proper access controls, validating user input, and regularly testing for vulnerabilities. Additionally, implementing rate limiting and other measures to prevent DoS attacks can help protect against denial-of-service attacks.
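The following is an added example (not the page's or ws-harness's code) of the server-side check that closes the CSWSH condition described above and implements the access-control part of this remediation: the handshake is rejected when it relies on the session cookie alone, and is accepted only with an allowlisted Origin plus an unpredictable per-session token. The host dvws.local:8080 is taken from the ws-harness command above; the query parameter name `csrf` and the token value are assumptions, and the Sec-WebSocket-Key test vector is the one from RFC 6455.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, urlsplit

WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"  # fixed GUID from RFC 6455


def parse_upgrade_request(raw):
    """Split a raw HTTP request into (method, target, {lowercased header: value})."""
    head = raw.partition("\r\n\r\n")[0]
    lines = head.split("\r\n")
    method, target, _ = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def accept_key(client_key):
    """Sec-WebSocket-Accept value the server must return (RFC 6455, section 4.2.2)."""
    digest = hashlib.sha1((client_key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def check_handshake(raw, allowed_origins, expected_token):
    """Return (accepted, reason). The session cookie alone is deliberately NOT enough:
    a cross-site page gets the browser to attach it for free, so the server also
    requires an allowlisted Origin and an unpredictable per-session token."""
    method, target, h = parse_upgrade_request(raw)
    if method != "GET" or h.get("upgrade", "").lower() != "websocket":
        return False, "not a WebSocket upgrade"
    if "sec-websocket-key" not in h:
        return False, "missing Sec-WebSocket-Key"
    if h.get("origin") not in allowed_origins:  # browsers always send Origin on WS handshakes
        return False, "origin not allowed: %r" % h.get("origin")
    token = parse_qs(urlsplit(target).query).get("csrf", [""])[0]  # 'csrf' name is assumed
    if not hmac.compare_digest(token, expected_token):
        return False, "missing or wrong CSRF token"
    return True, "101 Switching Protocols; Sec-WebSocket-Accept: " + accept_key(h["sec-websocket-key"])


# Constructed sample handshakes; dvws.local is the host from the ws-harness command above.
LEGIT = ("GET /authenticate-user?csrf=tok123 HTTP/1.1\r\n"
         "Host: dvws.local:8080\r\nUpgrade: websocket\r\nConnection: Upgrade\r\n"
         "Origin: http://dvws.local:8080\r\nCookie: session=victim\r\n"
         "Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\nSec-WebSocket-Version: 13\r\n\r\n")
# CSWSH shape: same victim cookie, but the page lives on another origin and carries no token.
CROSS_SITE = LEGIT.replace("?csrf=tok123", "").replace(
    "Origin: http://dvws.local:8080", "Origin: http://attacker.example")
```

Run `check_handshake(LEGIT, {"http://dvws.local:8080"}, "tok123")` and the same call with `CROSS_SITE`: the first yields the 101 response with the RFC test-vector accept key, the second is refused on the Origin check before the cookie is ever consulted.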

References

  • ws.harness.py (gist): https://gist.githubusercontent.com/mfowl/ae5bc17f986d4fcc2023738127b06138/raw/e8e82467ade45998d46cef355fd9b57182c3e269/ws.harness.py
  • PayloadsAllTheThings / Web Sockets (GitHub, swisskyrepo/PayloadsAllTheThings)
  • Cross-site WebSocket hijacking (CSWSH) (HackTricks)
  • Testing for WebSockets security vulnerabilities (PortSwigger Web Security Academy)
  • A Pentester’s Guide to WebSocket Pentesting (Cobalt)