Manipulating the WebSocket handshake to exploit vulnerabilities

-

 In this lab, the vulnerability is demonstrated through a live chat feature that relies on a WebSocket connection for real-time communication. When the user clicks “Live chat” and sends a message, the browser establishes a persistent WebSocket session with the server. Using Burp Suite, this traffic can be observed in the WebSockets history tab, where each chat message appears as a WebSocket frame being transmitted through the connection.

To begin exploring the application’s security controls, the WebSocket message is right-clicked and sent to Repeater. From there, the payload is modified to include a basic cross-site scripting attempt such as an image tag with an error handler, for example <img src=1 onerror='alert(1)'>. When this modified message is resent through the WebSocket channel, the application responds by blocking the payload. More importantly, the WebSocket connection is immediately terminated, indicating that some server-side filtering or intrusion detection mechanism is actively monitoring for malicious patterns and reacting by closing the session.

After the connection is dropped, attempting to reconnect reveals an additional defensive mechanism: the server now refuses new WebSocket connections from the same client. In Burp Suite, clicking “Reconnect” shows that the connection fails because the client’s IP address has been temporarily banned. This suggests that the application is implementing reactive IP-based blocking in response to detected malicious WebSocket activity, likely triggered by the attempted XSS payload.


To bypass this restriction, the WebSocket handshake request is modified before reconnecting. A custom HTTP header is added to the handshake: X-Forwarded-For: 1.1.1.1. This header is commonly used in proxy environments to indicate the original client IP address, but in insecure configurations it can be trusted by the backend server without proper validation. By spoofing this header, the server is tricked into believing the request originates from a different IP address, effectively bypassing the IP-based ban and allowing the WebSocket connection to be successfully re-established.

Once the connection is restored, another attempt is made to exploit the message handling logic. This time, instead of using a straightforward payload, an obfuscated XSS vector is used, such as <img src=1 oNeRrOr=alert\1`>`. The obfuscation changes the casing of the event handler and uses an alternative JavaScript syntax to bypass naive pattern-based filters that likely blocked the earlier attempt. When this message is sent through the WebSocket, it successfully bypasses the server-side filtering and is processed by the application.

When the payload is rendered in the browser context, the image fails to load and the obfuscated onerror handler executes, triggering JavaScript execution. This confirms that while basic filtering and IP-based blocking mechanisms are in place, they can be bypassed through handshake manipulation and payload obfuscation. The root issue lies in the fact that security decisions are being enforced inconsistently—first at the message level, then at the connection level—without a unified or robust validation strategy.

This lab highlights an important lesson in WebSocket security: defensive mechanisms applied after connection establishment, such as IP bans or simple pattern filtering, can often be bypassed if the handshake process itself is not securely designed. If headers like X-Forwarded-For are trusted without validation, and if input filtering relies on weak pattern matching, attackers can combine handshake manipulation with obfuscated payloads to regain access and successfully execute client-side code.

Comments

Post a Comment

Popular posts from this blog

Linux AAA

-
Image
Linux AAA Authentication What it means: Authentication verifies who the user is . How it works in Linux: When you log in, Linux checks your credentials (usually username + password) against /etc/passwd and /etc/shadow . /etc/passwd stores user information (username, UID, GID, shell, home directory). /etc/shadow stores hashed passwords and password expiration info, readable only by root. Common authentication methods: Local authentication: Using /etc/passwd and /etc/shadow . Remote authentication: Using services like: LDAP (Lightweight Directory Access Protocol) – centralized user management. Kerberos – provides secure, ticket-based authentication. RADIUS – used in network access (VPNs, Wi-Fi, etc.). PAM (Pluggable Authentication Modules) – modular framework used by Linux for integrating different authentication methods. Example PAM file location: /etc/pam.d/ Each service (like SSH, sudo, login) has its own PAM configuration file.
Read more

Peppermint Ticketing Software for help desk technicians.

-
Image
Peppermint Ticketing Peppermint is a modern, open-source help desk and issue tracking system built for IT teams, MSPs, and internal support departments that want a self-hosted, lightweight, and privacy-controlled solution. Peppermint prioritizes: Simplicity and speed Developer freedom Data sovereignty Low infrastructure footprint It’s designed for small to medium-sized teams who want something modern, minimalistic, and powerful — without being locked into enterprise subscriptions or bulky frameworks. Architecture Overview Peppermint’s backend is written primarily in TypeScript (Node.js) , with a PostgreSQL database and a React-based frontend . This makes it modular, fast, and compatible with modern deployment standards such as Docker , Kubernetes , and cloud instances (AWS, Linode, DigitalOcean, etc.). Architecture Components Component Technology / Purpose Backend  => Node.js (Express / Nest-like structure) Database  => PostgreSQL (relational, handles ti...
Read more

What is Osint?

-
 Open-Source Intelligence (OSINT) refers to the process of collecting, analyzing, and utilizing publicly available data from a wide variety of sources to gather intelligence. These sources can range from publicly accessible information on the internet to data from newspapers, government reports, databases, and even geospatial information. The key distinction of OSINT is that it does not involve covert or illegal methods of gathering information but rather focuses on using data that is readily available to the public, sometimes even through commercial or open platforms. Examples of OSINT data can be gathered from a wide array of open and accessible sources. Some key examples include: Social Media: Publicly available posts, images, videos, and profiles from platforms like Facebook, Twitter, LinkedIn, Instagram, and TikTok. These platforms can reveal personal details about individuals, locations, affiliations, and even plans for upcoming events. News Websites and Online Articles: Ne...
Read more