TL;DR

  • CSWSH is CSRF on WebSocket handshakes.
  • If the handshake relies only on cookies, a malicious site can open a WebSocket to the target as the victim.
  • Impact includes unauthorized actions and data leakage over the socket.

What It Is

Cross-site WebSocket hijacking occurs when a WebSocket handshake accepts browser cookies without CSRF protection or origin validation. An attacker page can open a socket to the target and operate as the victim.

Indicators

  • The handshake uses cookie-based auth only.
  • No CSRF token or unpredictable parameter in the handshake.
  • Weak or missing Origin validation on the WS upgrade.

Example Handshake

GET /chat HTTP/1.1
Host: normal-website.com
Sec-WebSocket-Version: 13
Sec-WebSocket-Key: wDqumtseNBJdhkihL6PW7w==
Connection: keep-alive, Upgrade
Cookie: session=KOsEJNuflw4Rd9BDNrVmvwBF9rEijeE2
Upgrade: websocket

Test Checklist

  • Attempt WS upgrade from a different origin.
  • Verify whether Origin is enforced.
  • Confirm if cookies alone establish the session.
  • Observe if privileged actions/data flow over the socket.

Mitigations

  • Validate Origin for WS upgrades.
  • Require CSRF tokens or per-connection secrets.
  • Use short-lived tokens for WS auth.
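A server-side upgrade check that applies the first two mitigations, written here as an added example rather than code from the original page: it parses a handshake like the one above, rejects it unless the Origin is allowlisted and the request carries the CSRF token bound to the session cookie, and only then computes the Sec-WebSocket-Accept value. The Origin header, the token-in-query-string placement and the session store are assumptions.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, urlsplit

# Constructed handshake modelled on the one above, with an Origin header and a
# per-connection CSRF token in the query string (an assumed design choice).
RAW_HANDSHAKE = (
    "GET /chat?csrf_token=3f1c9a7b HTTP/1.1\r\n"
    "Host: normal-website.com\r\n"
    "Origin: https://normal-website.com\r\n"
    "Sec-WebSocket-Version: 13\r\n"
    "Sec-WebSocket-Key: wDqumtseNBJdhkihL6PW7w==\r\n"
    "Connection: keep-alive, Upgrade\r\n"
    "Cookie: session=KOsEJNuflw4Rd9BDNrVmvwBF9rEijeE2\r\n"
    "Upgrade: websocket\r\n\r\n"
)
SESSIONS = {"KOsEJNuflw4Rd9BDNrVmvwBF9rEijeE2": "3f1c9a7b"}  # constructed: sid -> CSRF token
ALLOWED_ORIGINS = {"https://normal-website.com"}
WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"  # RFC 6455 handshake GUID

def parse_handshake(raw):
    """Return (request path, dict of lower-cased header names) from a raw upgrade request."""
    lines = raw.partition("\r\n\r\n")[0].split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0].split(" ")[1], headers

def cookie_value(headers, name):
    for part in headers.get("cookie", "").split(";"):
        key, _, value = part.strip().partition("=")
        if key == name:
            return value
    return None

def check_ws_upgrade(raw, allowed_origins=ALLOWED_ORIGINS, sessions=SESSIONS):
    """Decide whether to accept the upgrade. Returns (accepted, reason or accept key)."""
    path, h = parse_handshake(raw)
    # 1. Origin must match the allowlist exactly (scheme, host, port); a missing Origin is untrusted.
    if h.get("origin", "").lower() not in allowed_origins:
        return False, "origin not allowed"
    # 2. The cookie alone is not enough: the handshake must also carry the CSRF token
    #    issued to that session, compared in constant time.
    token = parse_qs(urlsplit(path).query).get("csrf_token", [""])[0]
    expected = sessions.get(cookie_value(h, "session"), "")
    if not expected or not hmac.compare_digest(token, expected):
        return False, "missing or invalid csrf token"
    # 3. Only now complete the handshake: Sec-WebSocket-Accept per RFC 6455.
    digest = hashlib.sha1((h["sec-websocket-key"] + WS_GUID).encode()).digest()
    return True, base64.b64encode(digest).decode()
```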