‘Websocket Hijacking’ to steal Session_ID of victim users

We discussed this vulnerability during Episode 91 on 18 October 2021

Websockets have always been a little bit special when it comes to security considerations: they are a newer technology and their security concerns are often not well understood. Websocket Hijacking tends to occur because websocket connections are not protected by the usual Same-Origin Policy (SOP) that more traditional resources would be, so malicious websites can by default connect to a foreign websocket using a victim's cookies (assuming SameSite is not at play).

In this case the author discovered, first, that the websocket the application used did not properly validate the origin of the connection, and second, that it would broadcast replies to user-initiated events to all of the user's connections. One event in particular, the change password event, would leak the session ID in the response, making it visible to any malicious website connected at the same time.
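
The origin validation that was missing here can be enforced server-side during the websocket handshake. The following is an added example for Node.js, not code from the original write-up or the affected application; the allowlist entry, the hostnames and all function names are assumptions made for illustration.

```javascript
// Constructed allowlist: the only origin permitted to open the websocket.
const ALLOWED_ORIGINS = new Set(["https://app.example.test"]);

// Normalize an Origin header to scheme://host[:port]; return null if unusable.
function normalizeOrigin(value) {
  if (typeof value !== "string" || value === "" || value === "null") return null;
  try {
    const u = new URL(value);
    if (u.protocol !== "https:" && u.protocol !== "http:") return null;
    // A genuine Origin header carries no path, query, fragment or credentials.
    if (u.pathname !== "/" || u.search || u.hash || u.username || u.password) return null;
    return u.origin; // lower-cased, default port removed
  } catch {
    return null;
  }
}

// Decide whether a handshake may proceed. The comparison is an exact match:
// prefix, suffix or substring tests would accept look-alike hostnames.
// Policy assumption: a cookie-authenticated endpoint also rejects requests
// that carry no Origin header at all.
function checkHandshake(headers) {
  const origin = normalizeOrigin(headers["origin"]);
  if (origin === null) return { ok: false, status: 403, reason: "missing or malformed Origin" };
  if (!ALLOWED_ORIGINS.has(origin)) return { ok: false, status: 403, reason: "origin not allowed" };
  return { ok: true, origin };
}

// Attach the check to a Node http.Server so it runs before any websocket
// library sees the request. onAccepted is a hypothetical hand-off callback.
function protectUpgrades(server, onAccepted) {
  server.on("upgrade", (req, socket, head) => {
    const verdict = checkHandshake(req.headers);
    if (!verdict.ok) {
      socket.write("HTTP/1.1 403 Forbidden\r\nConnection: close\r\n\r\n");
      socket.destroy();
      return;
    }
    onAccepted(req, socket, head);
  });
}
```

The origin check addresses the cross-site connection only; the session ID in the change password reply would still need to be removed from the response.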