[In this lab](https://portswigger.net/web-security/websockets/lab-manipulating-messages-to-exploit-vulnerabilities) from PortSwigger’s Web Security Academy, we’re dealing with **WebSocket message manipulation**. The application features a live chat, and messages we send are immediately displayed to a support agent. The goal is to craft a WebSocket message that will execute JavaScript in the support agent’s browser - in other words, to achieve **reflected Cross-Site Scripting (XSS)** via WebSocket traffic.
What makes this lab interesting is that the application attempts to sanitize messages before they are sent. However, this filtering only happens client-side, and we can bypass it by tampering with the WebSocket frames directly in transit.
##### Understanding the Scenario
The app uses WebSockets to transmit chat messages in real time. WebSockets differ from standard HTTP requests:
* **Persistent connection**: Once established, data flows both ways without re-establishing connections.
* **No request/response model**: Messages are sent as frames rather than discrete HTTP requests.
* **Often overlooked in security testing**: Many testers focus on HTTP requests but forget that WebSocket messages can also be intercepted and modified.
Because both our browser and the support agent’s browser render these messages, a malicious payload in a WebSocket frame could execute in their context.
---
##### Initial Recon
1. **Open the live chat feature** and send a test message.
2. In **Burp Suite → Proxy → WebSockets** tab, find the corresponding WebSocket history entry.
3. Notice how the message is sent as a WebSocket frame, e.g.:
```
{"message":"Hello"}
```
4. Send another message containing a `<` character and check the frame in Burp.
5. Observe that the `<` has been HTML-encoded **before** leaving the browser. This confirms **client-side sanitization**.
---
##### The Vulnerability
The encoding occurs in JavaScript running in the browser — meaning if we can intercept the raw WebSocket frame before it leaves our browser, we can send arbitrary HTML without encoding.
This is possible because Burp allows interception and modification of WebSocket messages in real time.
---
##### Exploitation Steps
1. In **Burp → Proxy → Options**, make sure **Intercept WebSocket messages** is enabled.
2. Send another chat message and intercept it before it reaches the server.
3. Modify the message to contain the XSS payload:
```html
<img src=1 onerror='alert(1)'>
```
Example intercepted frame:
```
{"message":"<img src=1 onerror='alert(1)'>"}
```
4. Forward the modified frame to the server.
5. In the lab interface, observe that the alert fires in **your** browser. This proves that the sanitization is bypassed when tampering with WebSocket frames.
![[CleanShot 2025-08-13 at
[email protected]]]