# CSWSH

Cross-Site WebSocket Hijacking (CSWSH) is a CSRF-style attack on a logged-in user: an attacker's page opens a WebSocket to the target, the browser attaches the victim's cookies to the handshake, and if the server does not check the `Origin` header the attacker can send and read messages as the victim. Whatever the socket exposes (chat history, account data, state-changing actions, and any input-handling flaw reachable through WebSocket messages) becomes usable with the victim's session.

## Web Sockets

A WebSocket is a full-duplex channel over a single TCP connection: once it is open, both client and server can send data at any time without a new HTTP request for each message.

ex: a chat application might use WebSockets to push messages between users instead of polling the server.

#### Web socket connection

The initial handshake between the client and server is done over HTTP: the client sends a `GET` with `Upgrade: websocket`, `Connection: Upgrade`, a random `Sec-WebSocket-Key`, `Sec-WebSocket-Version: 13` and (from a browser) an `Origin` header, and the browser attaches the site's cookies like it would for any other request. The server answers `101 Switching Protocols` with a `Sec-WebSocket-Accept` derived from the key, after which the connection is upgraded to a WebSocket connection.

#### EX of a WebSocket handshake

<figure><img src="https://1674729424-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FyzdFWSUijzVYOP1hAsit%2Fuploads%2F2TZczKwhQTDafBBndvQm%2Fimage.png?alt=media&#x26;token=8331626d-09a4-40cd-8195-7c24a052d80a" alt=""><figcaption></figcaption></figure>

After the handshake is established you can start sending and receiving messages from the application. These are WebSocket frames, not HTTP requests, so the usual per-request CSRF protections are not applied to them.

### CSWSH

Like CSRF, this is an attack on the end user. The attacker's page does not send a forged POST; instead it initiates a WebSocket handshake to the target while masquerading as the victim. The handshake is a plain GET that the browser sends with the victim's cookies, and the WebSocket protocol has no built-in CSRF token, so if the server does not verify the `Origin` header the connection is established under the victim's session and the attacker's script can send and read messages as that user.

#### Test for CSWSH

* examine the WebSocket traffic in Burp's "WebSockets history" tab to find the handshake URL, the cookies sent with it, and the messages the application exchanges
* create a [POC](http://websocket.org/echo.html) page on a different origin to see if we can hijack a user's WebSocket connection

<figure><img src="https://1674729424-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FyzdFWSUijzVYOP1hAsit%2Fuploads%2FpiJDiFl3EcxLdlxoztrT%2Fimage.png?alt=media&#x26;token=179e71b7-307e-4e76-b261-7df60b5cd730" alt=""><figcaption><p>CSWSH POC website</p></figcaption></figure>

* log into the target application as if you are a legit user
* open a second tab in the same browser on the POC site (a different origin) and attempt to create a WebSocket connection to the target's handshake URL
* If the endpoint is vulnerable, the handshake is accepted with the user's cookies and messages come back as that user; if the server checks `Origin`, the handshake fails (for example with a 403) and the browser reports a connection error

This requires a user to visit a malicious site while logged in to the vulnerable application, and it requires the browser to actually attach the session cookie to the cross-site handshake: a cookie marked `SameSite=Strict` or `SameSite=Lax` is not sent with it, so the POC only works when the cookie is `SameSite=None` or the browser applies no SameSite default.

The malicious site could then use the user's cookies to establish a WebSocket connection, send messages on behalf of the user, and forward every message the server pushes to an attacker-controlled collector. The server-side fix is to validate `Origin` against an exact allow-list during the handshake, or to require a per-session token in the handshake URL.
