Build, Break, and Hack WebSockets

Captions
Right, welcome back to another video. Now, I'm really excited to share today's topic on WebSockets, because really it's not something that I've spent much time researching in the past, but given that my recent focus has been on attacking internal web apps and web exploitation for red teamers and adversary emulation, it's definitely an exciting topic. If I can attack users by exploiting WebSockets, and in particular privileged users like IT help desk, through things like live chats and ticketing systems, then we're going to be making steps towards owning the entire network. And of course, don't get me wrong, this isn't a dig at all at anyone who's working on the help desk, but often I find that they have access to a lot of sensitive information, or simply they might have domain admin privileges, so this makes them a prime target.

As usual, we're going to do a bit of a primer on WebSockets first. I'll talk you through a simple application that I built, and then we'll look at how we go about actually attacking them. The second lab we're going to go over was particularly fun, because we essentially reused the code that I wrote to learn about WebSockets. It's not often that you get to copy and paste your application code to be used as an exploit. As always, if you enjoyed the video, don't forget to like and subscribe, and of course don't hesitate to share the video if you think that others would get some value out of it. Let's dive in.

So when I started to look at WebSockets, I thought to myself, I don't really know what's happening under the hood. Of course I've seen WebSockets in use before, but I've never actually had to build or troubleshoot a web app that's using them, and in my opinion there's a lot of value to doing that. So my first stop was Web Dev Simplified. Now, this is a great resource if you want to get up to speed on a lot of topics very quickly; even if you're not a developer, if you're just interested in AppSec, it's definitely worth your time. Unfortunately, this time around there was only a video on socket.io, which of course is similar but not exactly what I was after. Next up I looked at the MDN web docs, and as usual this gave me a really good starting point on how to create WebSocket objects, send data, and some practical examples like how to send JSON, etc. I also looked at a few of the posts while Googling, I read through some example code, and of course PortSwigger had some information and labs on WebSockets as well. All in all, a pretty productive morning.

But why is this important to share? Well, I thought it would be useful for me to just give you a brief overview of how I approach learning new topics. In a lot of situations it's too easy to just check some write-up or skim over a post, add the payloads to your notes and then be on your way, and really we don't want to end up as glorified human vulnerability scanners just throwing payloads at a target and hoping for the best. So in my opinion, learning about the underlying technology and how it works is really key if you're after a long, successful career in application security. Yes, it's harder, but in the long run it will definitely pay dividends.

So let's take a quick look at the simple application I cobbled together so that we can understand what's happening. Alright, so let's take a quick look at the application. We've got two main files, so index.js and index.html. So I'm just going to spin this up and we get running, and then if we come over to our browser and hit refresh you can see that we get this message, connected, and if we check the server we also get connected. And all this application does is, when I hit send, it sends a message to the server, and then the server responds back saying "hey, your original message was this", and it also gives us the base64 of the original message. So nice and simple, and then if we want to we can just click disconnect and you can see that we get disconnected on the server as well.

So let's take a quick look at the code. So first, on line one, we're importing the ws package, the WebSocket package, and just assigning it to websockets, and then line three creates a new WebSocket server instance and basically says "hey, please listen on port 8081". After that we set up an event listener for the connection event on the server, and then when the client connects to the server this will basically be triggered, so console.log connected will be triggered first. And then on line 7 we have an event listener for the message events on the WebSocket connection, so when the server receives a message from the client this will be triggered and the callback function will be executed. In this case the callback function will execute socket.send, and then it will do the base64 conversion on line 9, and then it will send the base64 back as well. On line 13, again we have another event listener, and this basically listens for the close events on the WebSocket connection, and when the client closes the connection this basically gets executed and we drop a message into the console log saying disconnected. And of course the last line, on line 18, this is basically just saying "hey, the file is running correctly" when we do node index.js.

So we also have the index.html. So in here I just have a couple of buttons: we have our text input, so we have the message that we want to send, and then we have the send message and the disconnect, and I have a div and this is where the messages are being appended to. So we get this const socket = new WebSocket, so this creates a new connection to the server, so localhost 8081, and socket.onopen, when the new connection is created, basically we grab the div that's up here, so this id equals messages, so messagesDiv = document.getElementById('messages'); we create a new paragraph tag, and then our newMessage.innerText = connected, and then we append this new paragraph tag to this div, so it's going to pop up on our page. Same thing with onmessage: we grab the messages div, and then we create a new p tag, and then we change the innerText of that p tag, and then we append it to the messages div. And then on disconnect, so the disconnect button which is here, we just do socket.close, so this closes the connection. And then send message: we have message = document.getElementById('message').value, and then we send this to the server. So as you can see, pretty straightforward, and really we're just creating a connection and triggering events when necessary. One other thing to note is that here you might notice that we're using ws. I think it's best practice to use WebSocket Secure, so wss, if you're transmitting sensitive data. Now, with my local lab it doesn't matter too much, but it's something to be aware of in the future.

Alright, so let's take a look at our first lab. So I'm just going to switch on my proxy here. We're simply trying to inject some code and see how the application reacts, so if we find something then we can dig a little deeper. And with injection, especially cross-site scripting, it's actually worth looking for HTML injection first, and you might ask, "ah, why is that?" Well, over the years filtering and protection against XSS has become more and more common, but a lot of applications rely on web application firewalls or other filtering methods rather than escaping, so HTML injection has a much higher chance of getting through these filters than a payload such as alert(1), which is basically blocked everywhere. If you're testing live applications with alert(1), even if the application is vulnerable, it's still unlikely that your payload is going to work, at least for production or hardened systems; not so much the case with CTFs and labs and things like this.

Alright, so I'm just going to come over to the live chat and we get "connected" and "now chatting with helpline", and I'm just going to send a message saying hello. Let me get this typing. "Sorry, I didn't hear that" is the response. So let's take a look at what's happening in Burp Suite. So if we come to HTTP history we can see we have this GET /chat, and then here we can see we have switching protocols and the connection is upgrade and we're upgrading to a WebSocket. So this is an indication that we need to come over to WebSockets history, and we can see the messages that have been sent via the WebSocket. So our message to the server: we sent a READY message, and then back to us we got connected, which we can see here, and then to the server we get hello, and then back to the client we get the same message back, and then TYPING, which I think powers the front-end UI, so we saw a typing. So if I just send another hello, so there's a bit of UI stuff happening in the client, and then the actual message back from the server.

So what I want to do is I'm going to test this against ourselves first, get a payload to work, and then we're going to send it to the server afterwards. So I'm just going to hit Ctrl+R to send this message to Repeater, and the first thing we're going to check for is HTML injection. So I'm just going to do hello <h1>, send, and we can see that we do indeed have injection. So we need to then upgrade this to JavaScript injection, or cross-site scripting. So first up, there's a few different payloads we should consider. So one is obviously the <script>alert(1)</script>, the infamous script alert one script, but I think before we do that I'm going to do something like <img src=x onerror=prompt()>. It's just the payload that I prefer; they work out for me more often than not, so you can obviously test lots of different things and see what works for you. And send this, and first time lucky, we do actually get a prompt, which is good. And let's actually just test the <script>alert(1)</script> just to see if it works, and we send this and it doesn't work, unfortunately. So probably the script keyword is being filtered or there's something in place that's blocking that execution. So what we're going to do is come back to our proxy WebSockets history, take one of the messages to the server, and then drop it in there and send this, and then we get "congratulations, you solved the lab".

So with simple vulnerabilities like this, of course you're unlikely to find them on hardened production systems, but if you're a pen tester or on a red team engagement and on the internal network, well, you'd be surprised how terrible internal-only applications are, so you can pull off attacks like this. And I think it highlights that WebSockets are a surface area where you can probably apply lots of different types of vulnerabilities to try and exploit the targets. Let's move on to the next lab.

Alright, so the next lab is super interesting because it uses CSRF, but instead of just carrying out an action it actually lets us interact with the server after the connection has been established. So if you ever thought CSRF is boring or unimportant, then I hope this changes your mind. Let's take a look. So we have the cross-site WebSocket hijacking lab open, and I'm also going to open the exploit server because we'll need this in a little bit, and let's just come straight over to the live chat. So the first thing that I notice about this behaviour is we get "system: no chat history on record", so there must be something happening that's checking to see whether there is some history or some previous chats. And we'll just come over to Burp Suite, come to our proxy HTTP history, and the first thing I want to look at before we check the behaviour is, when we have this switching protocols, you want to check to see whether there's a cross-site request forgery token here, and basically there isn't. So what this means is we can send a payload to the target, this will then connect the target to the chat using their session, and then we can easily use JavaScript to steal their chat history and send it back to us, the attacker. Let's take a quick look and send some messages. So, whoops, bit of a typo, I'm just going to send hello, send that back, and then I'm just going to refresh to see. Yeah, we do indeed get this back as history. So let's see where that behaviour comes from. So it looks like when I refreshed we send a message to the server with READY and then we get the history back. So let's try this and send this. Yeah, and every time we send READY to the server it gives us the chat history. Now, this is an important part of our payload, because if we don't load the chat history we're not going to get any information back, or we'll only get the information that is happening after the target clicks, if that makes sense, but we want everything from their chat history.

So what I'm going to do is I'm going to come back to Visual Studio Code and I'm just going to create a new file called payload.js, and I'm going to come over to index and I'm simply just going to copy this to begin with, so this can be the first part of my script. So we have the const socket = new WebSocket, and then what we want to do is grab this URL, place this in here, and I think this wants to be ws. We can probably grab this from Burp Suite as well, so let's see what did that copy. Look at that, yeah, same thing, /chat. So not sure if this needs to be ws or wss; I think the best practice is wss, so let's try this first. And then what we want to do is on open we want to send the message READY, so we're just going to copy and paste this, drop this in here. Oops. So when we open the connection we're doing what the UI does, what the web application does, and send this READY message here. And then on message, we can get rid of this disconnect and send message; on message, what we want to do is fetch, and then we need the where we're going to send the data to. So let's use the Collaborator, get started, copy to clipboard. And I think you have to use the Collaborator because the PortSwigger labs won't connect out to the internet apart from certain websites like elastify.com. And then let's just update this because we also need our method, so we're just going to POST, whoops, and we want the body to be our data, oops, like this.

So let's just read over this quickly. So const socket = new WebSocket: we're connecting to the target; when it opens, send a READY message, this will load the chat history; and then on message we grab the data and we send it in a POST request to this endpoint that we control. Let's give that a try. So I'm just going to copy this, come back to here, come to the exploit server, deliver to victim. We could also test this locally, but it seems to have worked. So if we come here we've got some results: request to Collaborator, response, and we have this body as well. So that was, I think, an initial message, and let's see what's in here. They all contain the same thing: "ah, I forgot my password", "no problem Carlos, here's your password". So to solve the lab I think we just come back, and if I recall we just need to log in, so Carlos, and I suspect this is his password, there's some encoding going on, and there we go, we solved the lab.

Yeah, this was a really great lab, and really a lot of fun, because as I said before the research and testing that I did was exactly what I needed to solve the challenge. As always, PortSwigger has great content and I definitely recommend working through all of their labs if you're interested in improving your application security or web app penetration testing skills. So that's it for this video. I hope you enjoyed watching it as much as I enjoyed making it. Again, don't forget to like and subscribe and share if you think that somebody else would get some value out of this. If you have another topic you want me to cover, leave it in the comments below, and I'll catch you next time.
Info
Channel: The Cyber Mentor
Views: 15,096
Id: kKOzvqkP4UM
Length: 18min 54sec (1134 seconds)
Published: Sun Mar 12 2023