Cross-Site WebSocket Hijacking

high Web App Scanning Plugin ID 114502

Synopsis

Cross-Site WebSocket Hijacking

Description

HTML5 WebSockets allow developers to create bi-directionnal communication channels between clients (usually web browsers) and servers. To initialize the communication, the WebSocket protocol requires a handshake performed with the HTTP protocol to ugprade the communication. When a web application only leverage on the client cookies to authenticate its users, a remote and unauthenticated could initiate a WebSocket handhsake from a malicious page to force the victim to authenticate against the target, therefore gaining access to the WebSocket traffic exchanged between the victim user and the target web application.

Solution

Ensure that the WebSocket handshake is protected against CSRF attacks, by implementing an anti-CSRF protection mechanism and validating that the request 'Origin' is properly validated.

See Also

https://medium.com/swlh/hacking-websocket-25d3cba6a4b9

https://www.blackhillsinfosec.com/cant-stop-wont-stop-hijacking-websockets/

Plugin Details

Severity: High

ID: 114502

Type: remote

Published: 11/20/2024

Updated: 11/20/2024

Scan Template: basic, full, pci, scan

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS Score Source: Tenable

CVSS v3

Risk Factor: High

Base Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS Score Source: Tenable

CVSS v4

Risk Factor: High

Base Score: 8.7

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CVSS Score Source: Tenable

Vulnerability Information

Exploit Ease: Exploits are available

Reference Information