
[WEBSOCKETS]



GENERAL INFORMATION

NOTE: Present in most modern applications, because WebSockets are bootstrapped over HTTP itself: the client sends a normal HTTP request and asks to upgrade the connection. The result is a long-lived connection with asynchronous communication in both directions (bi-directional, full duplex). The connection stays open and idle until either the client or the server has a message to send, so there is no request/response pairing as in plain HTTP.

Protocol: ws:// (not encrypted) | wss:// (encrypted, over TLS)

Sample of how a WebSocket is instantiated from the browser:
var ws = new WebSocket("wss://normal-website.com/chat");

There are three headers that help to recognise that a request is a WebSocket handshake.
request headers >>
Sec-WebSocket-Version: 13
Sec-WebSocket-Key: wDqumtseNBJdhkihL6PW7w==
Upgrade: websocket
(the request also carries Connection: Upgrade)
response headers >> (status 101 Switching Protocols)
Upgrade: websocket
Sec-WebSocket-Accept: 0FFP+2nmNIf/h+4BP36k9uzrYGk=

Sec-WebSocket-Key is a random base64 value chosen by the client; Sec-WebSocket-Accept is derived from it by the server (SHA-1 of the key concatenated with a fixed GUID, base64-encoded) and only proves the server understood the upgrade. Neither header provides authentication or secrecy.

Sample websocket message:
ws.send("Peter Wiener");

Any data format can be sent over WebSockets; however, it is pretty common to use JSON. Sometimes the WebSocket handshake itself also needs to be manipulated, not only the messages sent after it.
MANIPULATING WEBSOCKETS

The traffic needs to be analysed with Burp Suite: look for references to WebSockets in the application's scripts and for the handshake headers above, which identify the connection. Also, the "WebSockets history" tab tracks all WebSocket activity when WebSockets are present. Similar techniques to HTTP testing can be applied: messages can be sent to Repeater and modified in place before being resent. As noted, WebSocket messages normally use JSON, and the values inside them reach the same back-end and client-side sinks as HTTP parameters, so they can be vulnerable to XSS, XML injection, etc.

NOTE: sometimes part of the defence is to transform some characters in the parameters so that the payload loses its functionality. For example, the character "<" may be converted to its HTML entity, so it will not be parsed as a tag. Or vice versa: a value that looks encoded on the wire may be decoded again before it is used, so check the data at the point where it is actually consumed, not only in the message.
MANIPULATING WEBSOCKETS TO EXPLOIT VULNS

XSS C1: <img src=1 onerror='alert(1)'>
Send the payload as the value of a JSON field in a chat message from Repeater; if the client inserts the message into the page as HTML, the event handler fires.

Also, sometimes restrictions are in place: IP restrictions, or filters against XSS, SQLi and other payloads. When the server identifies the client from the X-Forwarded-For header instead of the real peer address, that header can be added to the handshake request to bypass an IP block. The same XSS techniques used against HTTP parameters can be used to test here. An important one: encoding and mixing, capital letters in tag or attribute names, and more, against filters that only match the exact lowercase payload.

©® - Since 2023