Modern Web Exploitation Techniques
WebSocket Analysis in Burp
In the previous section, we discussed how WebSocket connections are established. In this section, we will learn how to analyze and manipulate data sent over WebSocket connections in Burp using a small WebSocket server that echoes the messages sent by a client.
Inspecting Messages
In Burp, we can inspect data sent over WebSocket connections in the WebSockets history tab, located within the Proxy tab. Like HTTP requests and responses, Burp provides a filter to narrow down the WebSocket messages displayed. These messages are typically listed at the top of the window, with the message data displayed at the bottom.

Manipulating, Injecting, and Replaying Messages
Like HTTP requests, Burp offers various manipulation options for messages sent over WebSocket connections.
Firstly, Burp Intercept works for WebSocket messages just like it works for HTTP requests. Thus, if Burp Intercept is enabled and a message is sent via a WebSocket connection in either direction, it will be intercepted, and we can manipulate it. In our echo server, this gives us the ability to manipulate the echoed message from the server such that, from the browser's perspective, the message was echoed incorrectly.
We can also send WebSocket messages to Burp Repeater. There, we can set the direction of the message (either To server or To client) and replay a message or edit it and send a custom message. This enables us to inject messages from the server to the client without a prior message from the client.
Burp also enables us to manipulate the WebSocket handshake, disconnect existing WebSocket connections, or establish new WebSocket connections. To do so, send any WebSocket message to Repeater. Afterward, we can disconnect the existing connection and re-connect by clicking the same icon.

To manipulate the handshake, click on the little pencil icon. Burp displays an overview of all past WebSocket connections and some meta information.

We can select a different WebSocket connection for the message in Repeater and click Attach to send the message in the selected connection. Furthermore, we can click clone to establish a new WebSocket connection to the same server. This enables us to manipulate the handshake. We can inject new HTTP headers or change the existing ones.

Lastly, we can establish a new WebSocket connection to a new server by clicking on New WebSocket.
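To show what the To server and To client directions correspond to on the wire, the following added example (not part of the original course material, and not the echo server's own code) encodes and decodes single unfragmented text frames as defined in RFC 6455, where client-to-server frames are masked and server-to-client frames are not. The function names are hypothetical, and `echo_reply` models only the per-message step of an echo server.

```python
import os
import struct

OP_TEXT = 0x1  # opcode for a text message

def _xor(data, key):
    return bytes(b ^ key[i % 4] for i, b in enumerate(data))

def build_text_frame(text, to_server, mask_key=None):
    """Encode one unfragmented text frame; client-to-server frames are masked."""
    payload = text.encode("utf-8")
    mask_bit = 0x80 if to_server else 0x00
    n = len(payload)
    if n < 126:
        head = struct.pack("!BB", 0x80 | OP_TEXT, mask_bit | n)
    elif n < 65536:
        head = struct.pack("!BBH", 0x80 | OP_TEXT, mask_bit | 126, n)
    else:
        head = struct.pack("!BBQ", 0x80 | OP_TEXT, mask_bit | 127, n)
    if to_server:
        key = mask_key or os.urandom(4)  # mask_key is only fixed for testing
        return head + key + _xor(payload, key)
    return head + payload

def parse_frame(frame):
    """Decode one frame into (direction, opcode, text)."""
    opcode, masked, n = frame[0] & 0x0F, bool(frame[1] & 0x80), frame[1] & 0x7F
    pos = 2
    if n == 126:
        n, pos = struct.unpack_from("!H", frame, 2)[0], 4
    elif n == 127:
        n, pos = struct.unpack_from("!Q", frame, 2)[0], 10
    key = frame[pos:pos + 4] if masked else b""
    pos += len(key)
    data = frame[pos:pos + n]
    if len(data) != n or (masked and len(key) != 4):
        raise ValueError("truncated frame")
    if masked:
        data = _xor(data, key)
    return ("To server" if masked else "To client", opcode, data.decode("utf-8"))

def echo_reply(client_frame):
    """Per-message logic of an echo server: unmask, then send back unmasked."""
    direction, opcode, text = parse_frame(client_frame)
    if direction != "To server" or opcode != OP_TEXT:
        raise ValueError("expected a masked text frame from the client")
    return build_text_frame(text, to_server=False)
```

The masking key and "Hello" payload used to check this code are the sample values from RFC 6455, section 5.7.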