WebSocket Hijacking (CSWSH)

Cross-site WebSocket Hijacking (CSWSH)

CSWSH

What is Cross-site WebSocket Hijacking?

Cross-site WebSocket Hijacking (CSWSH) is a vulnerability that allows an attacker to hijack a WebSocket connection and interact with it as the victim user. This attack leverages the lack of proper CSRF protections in the WebSocket handshake process, exploiting the fact that WebSockets are not bound by the same-origin policy (SOP).

The Impact of Cross-site WebSocket Hijacking

1. Unauthorized Actions: The attacker can send arbitrary messages to the server, performing actions as the victim user. This can lead to unauthorized data manipulation, state changes, or other critical actions.

2. Data Leakage: Unlike regular CSRF attacks, CSWSH allows the attacker to read responses from the server, potentially exposing sensitive information accessible to the victim user.

Performing a Cross-site WebSocket Hijacking Attack

To execute a CSWSH attack, the attacker follows these steps:

1. Identify Vulnerable Handshakes: Look for WebSocket handshakes that rely solely on cookies for session handling and lack CSRF tokens or other unpredictable values.

2. Craft the Malicious Web Page: Create a web page that initiates a WebSocket handshake to the vulnerable endpoint.

3. Establish Connection and Interact: Once the handshake is successful, the attacker can send and receive messages through the WebSocket connection, mimicking the victim user.

Example of a Vulnerable WebSocket Handshake

GET /chat HTTP/1.1
Host: normal-website.com
Sec-WebSocket-Version: 13
Sec-WebSocket-Key: wDqumtseNBJdhkihL6PW7w==
Connection: keep-alive, Upgrade
Cookie: session=KOsEJNuflw4Rd9BDNrVmvwBF9rEijeE2
Upgrade: websocket

Example Attack Scenario

1. Victim Visits Malicious Site: The victim user, while logged into the vulnerable application, visits an attacker-controlled website.

2. Malicious Site Initiates WebSocket Handshake:

   const socket = new WebSocket('wss://normal-website.com/chat');
   
   socket.onopen = function(event) {
       socket.send('{"action":"getSensitiveData"}');
   };
   
   socket.onmessage = function(event) {
       console.log('Received:', event.data);
       // Further actions based on received data
   };

3. Hijacked WebSocket Connection: The WebSocket connection is established using the victim’s session cookie. The attacker can now send and receive messages as the victim.

Mitigations and Protections

1. Check the Origin Header: Verify the Origin header on the server-side to ensure the WebSocket connection is originating from a trusted domain.

   // Server-side example in Node.js
   const WebSocket = require('ws');
   const wss = new WebSocket.Server({ port: 8080 });
   
   wss.on('connection', function connection(ws, req) {
       const origin = req.headers.origin;
       if (origin !== 'https://trusted-domain.com') {
           ws.close();
           return;
       }
       // Proceed with connection
   });

2. Use CSRF Tokens: Implement CSRF tokens in WebSocket handshake requests to ensure requests are coming from the legitimate user.

   // Client-side example
   const csrfToken = document.querySelector('meta[name="csrf-token"]').getAttribute('content');
   const socket = new WebSocket(`wss://normal-website.com/chat?csrfToken=${csrfToken}`);

   // Server-side example in Node.js
   const url = require('url');
   
   wss.on('connection', function connection(ws, req) {
       const params = new url.URL(req.url, 'https://normal-website.com').searchParams;
       const csrfToken = params.get('csrfToken');
       if (!validateCsrfToken(csrfToken)) {
           ws.close();
           return;
       }
       // Proceed with connection
   });

3. Separate Authentication Mechanisms: Avoid relying solely on cookies or HTTP authentication for WebSocket handshakes. Use separate, session-independent authentication tokens.

   // Example using JWT for WebSocket authentication
   const jwt = require('jsonwebtoken');
   
   wss.on('connection', function connection(ws, req) {
       const token = req.headers['sec-websocket-protocol'];
       jwt.verify(token, 'secret_key', function(err, decoded) {
           if (err) {
               ws.close();
               return;
           }
           // Proceed with authenticated connection
       });
   });

Conclusion

Cross-site WebSocket Hijacking is a potent attack vector due to the ability to both send and receive data from the server in the context of the victim user. Implementing proper CSRF protections, validating the Origin header, and using robust authentication mechanisms can mitigate the risks associated with CSWSH. As a pentester, always check for these vulnerabilities in applications using WebSockets to ensure robust security.