How to Identify and Prevent WebSocket Vulnerabilities

What is web socket:

A WebSocket is a communication protocol that provides full-duplex, bidirectional communication channels over a single, long-lived connection. Unlike traditional HTTP, which is request-response based, WebSockets allow data to be sent and received continuously in both directions without the overhead of repeatedly opening and closing connections.

What are web socket vulnerabilities:

Insecure WebSocket implementations and insufficient input validation can lead to exploitation, such as cross-site scripting (XSS) or buffer overflows. To mitigate these risks, always use secure WebSocket connections (wss://), authenticate users properly, validate inputs, and implement rate limiting and connection management.

Lets take portswigger labs as a example for better understanding:

Lab url: https://portswigger.net/web-security/websockets/cross-site-websocket-hijacking/lab

Description: This online shop has a live chat feature implemented using WebSockets
Chat messages that you submit are viewed by a support agent in real time.

To solve the lab, use a WebSocket message to trigger an alert() popup in the support
agent’s browser.

Explanation: There is a online shop and it has a live chat feature that iis implemented using websockets , we have to trigger an alert() popup through websocket messages.

Steps to solve:

The live chat feature of the website:

Verifying that the chat feature uses a websocket using burpsuit WebSocket history (make sure to configure your burp to intercept websocket history):

I tried <> these symbols and they were url encoded:

I intercepted the websocket message and replaced the message with the script <img src=1 onerror=’alert(1)’> and alert script was successful.

And we successfully solved the lab
Lets take another example:

Manipulating the WebSocket handshake to exploit vulnerabilities:

Lab url: https://portswigger.net/web-security/websockets/lab-manipulatinghandshake-to-exploit-vulnerabilities

Description: This online shop has a live chat feature implemented using WebSockets. It has an aggressive but flawed XSS filter. To solve the lab, use a WebSocket message to trigger an alert() popup in the support agent’s browser.

Exploitation: We have to exploit live chat feature to trigger an xss alert(). It has a xss filter
but it has flaws.

Steps to solve the lab :
Website’s live chat page :

I tried to insert a javascript payload and it says attack detected and disconnects:

When I tried to reconnect(from the reconnect option in the burp repeter) it says “This address is Blacklisted”:

Now I appende X-Forwarded-for:1.1.1.1 to spoof the ip adrress to reconnect:

And it reconnected :

After reconnecting I tried a obfuscated script and the filter didn’t block it and the lab is solved:

Conclusion : WebSocket vulnerabilities can severely affect the security and performance of real-time applications if not properly addressed. To mitigate these risks, it is essential to implement secure WebSocket connections using wss://, validate and authenticate all WebSocket requests, sanitize incoming data, enforce connection limits, and regularly update WebSocket libraries. By following best practices for security, WebSocket-based applications can provide a robust and secure communication channel for real-time data exchange.

That’s all for websocket labs , Thank you for reading.