-
Notifications
You must be signed in to change notification settings - Fork 0
WebSockets
Alnoman Kamil edited this page Oct 10, 2024
·
7 revisions
Apprentice lab:
Manipulating WebSocket messages to exploit vulnerabilities
Apprentice lab:
Manipulating WebSocket messages to exploit vulnerabilities
This online shop has a live chat feature implemented using WebSockets.
Chat messages that you submit are viewed by a support agent in real time.
To solve the lab, use a WebSocket message to trigger an alert() popup in the support agent's browser.
-
Solution
- Go to Live chat and type a message. Before sending intercept the request.
- Edit websocket-message (
ef), adding an onerror XSS{"message":"<img src=x onerror=alert(1)>"}
Solutions for the Portswigger's Web Security Academy using mitmproxy and other cli tools instead of Burp Suite
Server-side topics:
- SQL injection
- Authentication
- File path traversal
- OS command injection
- Business logic vulnerabilities
- Information disclosure
- Access control vulnerabilities
- File upload vulnerabilities
- Race conditions
- Server-side request forgery (SSRF)
- XML external entity (XXE) injection
- NoSQL injection
- API testing
Client-side topics:
- Cross-site scripting (XSS)
- Cross-site request forgery (CSRF)
- Cross-origin resource sharing (CORS)
- Clickjacking
- DOM-based vulnerabilities
- WebSockets
Advanced topics: