
Why is the browser not sending cookies with cross-domain WebSocket handshake request?

Çağlar Arlı - 10 Views

If I have understood Cross-Site WebSocket Hijacking (CSWSH) attack correctly [1][2][3][4], the attack relies on two things (examples are from the first reference):

  • the browser sending the cookies set by the victim domain (www.some-trading-application.com) over a WebSocket handshake request initiated from JavaScript code running on the attacker domain (https://www.some-evil-attacker-application.com)
  • no Origin header check being performed on the victim server side

The first happens due to the absence (by design) of cross-origin checks for WebSocket requests. I tested the hypothesis with a demo app that I developed. While the browser (Firefox 102.8.0esr (64-bit)) does permit cross-origin WebSocket requests, it does not send the auth_cookie cookie along with them. For my test setup, I did the following:

  • Pointed both victim.com and attacker.com to 127.0.0.1 by modifying /etc/hosts on an Ubuntu system
  • Victim web app (which includes the WebSocket server, too) runs on victim.com:5000, and sets an auth_cookie with the most relaxed restrictions (HttpOnly=False, Secure=False, SameSite=None, Path=/)
  • Attacker webpage runs on attacker.com:10000, and initiates a WebSocket handshake to victim.com:5000/logincheck, the vulnerable WebSocket endpoint. I made sure that the auth_cookie is set in the browser by victim.com before the WebSocket call is made from attacker.com.

Unfortunately, I could not see the auth_cookie being sent either from developer tools in the browser, or Burp proxy. I repeated the test with other Firefox and Chrome versions as well, but had the same result.

Does CSWSH even work on modern browsers?

References

  1. https://christian-schneider.net/CrossSiteWebSocketHijacking.html
  2. https://infosecwriteups.com/cross-site-websocket-hijacking-cswsh-ce2a6b0747fc
  3. https://snyk.io/blog/gitpod-remote-code-execution-vulnerability-websockets
  4. https://github.com/carlospolop/hacktricks/blob/master/pentesting-web/cross-site-websocket-hijacking-cswsh.md
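The second precondition the question names is a WebSocket endpoint that performs no Origin check. The following is an added example of that server-side check (not code from the question or from any of the referenced projects): it validates the handshake headers, matches the Origin exactly against an allowlist, and computes the Sec-WebSocket-Accept value. The allowlist, header values and endpoint origins are constructed from the question's victim.com:5000 / attacker.com:10000 setup.

```python
import base64
import hashlib
from urllib.parse import urlsplit

# Constant from RFC 6455 section 4.2.2, appended to the client key before hashing
WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"
# Origins the victim's WebSocket endpoint should accept (constructed from the question's setup)
ALLOWED = {"http://victim.com:5000"}

def normalize_origin(origin):
    """Canonicalise an Origin value to scheme://host[:port]; None if malformed."""
    parts = urlsplit(origin.strip())
    try:
        port = parts.port
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    if port in (None, 443 if parts.scheme == "https" else 80):
        return f"{parts.scheme}://{parts.hostname.lower()}"
    return f"{parts.scheme}://{parts.hostname.lower()}:{port}"

def accept_key(client_key):
    """Sec-WebSocket-Accept value for a given Sec-WebSocket-Key (RFC 6455)."""
    digest = hashlib.sha1((client_key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")

def check_handshake(headers, allowed=ALLOWED, require_origin=True):
    """Return (True, accept key) or (False, reason). The Origin must match an
    allowlisted origin exactly; substring or suffix matches are rejected."""
    h = {k.lower(): v for k, v in headers.items()}
    if h.get("upgrade", "").lower() != "websocket":
        return False, "not a WebSocket upgrade"
    key = h.get("sec-websocket-key")
    if not key:
        return False, "missing Sec-WebSocket-Key"
    origin = h.get("origin")
    if origin is None and require_origin:
        return False, "missing Origin"  # browsers always send one on WebSocket handshakes
    if origin is not None:
        norm = normalize_origin(origin)
        if norm is None or norm not in {normalize_origin(o) for o in allowed}:
            return False, f"origin not allowed: {origin}"
    return True, accept_key(key)

# Constructed handshakes for the question's setup: one from the victim page, one from the attacker page
SAME_ORIGIN_HANDSHAKE = {"Host": "victim.com:5000", "Upgrade": "websocket", "Connection": "Upgrade",
                         "Sec-WebSocket-Key": "dGhlIHNhbXBsZSBub25jZQ==", "Origin": "http://victim.com:5000"}
ATTACKER_HANDSHAKE = {**SAME_ORIGIN_HANDSHAKE, "Origin": "http://attacker.com:10000"}
```

Whether or not the browser attaches the cookie, an endpoint that applies this check refuses the handshake from attacker.com:10000 before any authenticated state is reached.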