【转载】【漏洞分析】‘Websocket Hijacking’ to steal Session_ID of victim users

Hello everyone, I hope you all are healthy and safe. Today’s writeup is about one of my find in a gaming website. The interesting part here is that, I always thought this type of attack is just a theory. As always I will try to keep my writeup not soo technical so that it will be easy to understand for any beginner. Let’s start!

大家好,我希望你们都健康平安。今天的文章是关于我在一个游戏网站上的发现。有趣的是,我一直认为这种类型的攻击只是一种理论。像往常一样,我会尽量保持我的写作不要太专业,这样对于任何初学者来说都很容易理解。我们开始吧!

Before getting into the details, let’s discuss about websocket requests:

在深入讨论细节之前,我们先来讨论一下 websocket 请求:

What are Websocket’s ?

什么是 Websocket?

Using websocket requests, it’s possible to open a two-way interactive communication session between the user’s browser and a server. With this API, you can send messages to a server and receive event-driven responses without having to poll the server for a reply. If you want to know more check this — https://sookocheff.com/post/networking/how-do-websockets-work/

使用 websocket 请求,可以打开用户的浏览器和服务器之间的双向交互式通信会话。使用这个 API,您可以向服务器发送消息并接收事件驱动的响应,而不必轮询服务器以获得响应。如果你想知道更多,看看这个—- https://sookocheff.com/post/networking/how-do-websockets-work/

Exploitation:

剥削:

So I was hunting on this private Hackerone program <redacted>.com. Before start attacking, I have the habit to quickly check the website by intercepting requests in Burpsuite. During this process, I found few websocket requests carrying messages. So I started checking if it’s vulnerable to websocket hijacking or not. So for that I have used this website: http://websocket.org/echo.html [This is a vulnerable website created for connecting to websockets]. All you have to do is to enter the websocket url in location input and check if you are able to send and receive messages. I have entered the targets websocket url like this: wss://www.<redacted>.com/xns-service/secure/client/desktop/000/xxxxxxxx/websocket and immediately I got a response in 3rd party website like this

所以我参加了一个私人的培训项目。Com.在开始攻击之前,我有一个习惯,就是通过截取 Burpsuite 的请求来快速查看网站。在这个过程中,我发现很少有 websocket 请求带有消息。所以我开始检查它是否容易被盗版。因此,我使用了这个网站: http://websocket.org/echo.html。你所需要做的就是在位置输入中输入 websocket 地址,然后检查你是否能够发送和接收消息。我输入的目标 websocket 的网址如下: wss://www。< 修订 > 。Com/xns-service/secure/client/desktop/000/xxxxxx/websocket,我立刻在第三方网站上收到了这样的回复

  • Note: 注意: 000 — In the actual url this in alphanumeric value but I found that it is accepting any values and same goes to XXXXXX 000ー在实际的 url 中,这是一个字母数字值,但是我发现它接受任何值,并且也接受 XXXXXX

So far good but what is the Impact? So I started exploring the website further and found that when a user updates their profile then they receive message like this which is disclosing the username of the user

到目前为止还不错,但是什么是影响呢?所以我开始进一步研究这个网站,发现当一个用户更新他们的个人资料时,他们会收到这样的信息,这是在泄露用户的用户名

So I understood that if victim is performing any action, the websocket connection established 3rd party is receiving websocket responses with sensitive content. So I went on performing sensitive actions, all actions resulted in same response. But that is when I performed password change action and then boom!! This time Session_Id disclosed : )

所以我明白,如果受害者正在执行任何行动,第三方建立的 websocket 连接正在接收带有敏感内容的 websocket 响应。所以我继续执行敏感的动作,所有的动作都会导致同样的反应。但那是我执行密码更改动作的时候,然后砰!这次会议我透露:)

What is the Impact again?

什么是冲击来着?

So an attacker will be creating a website and host the vulnerable code. Now when the victim opens the attackers website, the connection will be established immediately and they can start seeing the websocket messages whenever the victim is performing an action. The highest impactful action is when victim is trying to update the their password, the attacker can see the Session_Id of the victims account.

因此,攻击者将创建一个网站,并托管易受攻击的代码。现在,当受害者打开攻击者的网站,连接将立即建立,他们可以开始看到的 websocket 消息时,受害者正在执行的行动。最有效的行动是当受害者试图更新他们的密码时,攻击者可以看到受害者帐户的 Session _ id。

To create a real life attack scenario use the code available via: http://websocket.org/echo.html , using which an attacker can acts as the 3rd party and intercept the websocket responses. So I quickly reported the vulnerability in Hackerone and the report was accepted with little less severity and less bounty due to few reasons but the identifying part made me happy since I was always thinking that this type of vulnerability is just a theory!

要创建一个真实的攻击场景,可以使用通过://///的代码,攻击者可以使用该 http://websocket.org/echo.html 作为第三方,拦截 websocket 响应。因此,我迅速报告了 Hackerone 的漏洞,由于原因不多,报告的严重性和慷慨程度略有降低,但识别部分让我感到高兴,因为我一直认为这种漏洞只是一种理论!

Quick summary:

快速摘要:

  1. Found websocket requests while playing requests in Burpsuite. 在 Burpsuite 播放请求时发现 websocket 请求
  2. Open: 公开组:http://websocket.org/echo.html and check if I can send and receive websocket response 并检查我是否可以发送和接收 websocket 响应
  3. Received response from target.

    收到目标的回复

  4. Tried to escalate the severity and found that session_Id is getting disclosed to 3rd party when victim user is updating password. 尝试升级严重性,发现会话 _ id 正在向第三方披露时,受害者用户正在更新密码
  5. To show a Real life attack scenario used the code available via: 为了展示一个真实的攻击场景,可以使用下面的代码:http://websocket.org/echo.html

I hope you like my explanation. If you have any queries feel free to ping me via twitter:https://twitter.com/sunilyedla2 . Stay Positive and Spread Positivity 🙂

我希望你喜欢我的解释。如果你有任何疑问,请随时通过 twitter: https://twitter.com/sunilyedla2微博联系我。保持积极的心态,传播积极的心态