Cross-Site WebSocket Hijacking (CSWSH)

The trap: the WebSocket handshake is an HTTP request that carries the victim's cookies, and the browser does not apply CORS to it — there's no preflight, no Access-Control-Allow-Origin check. So evil.example can open wss://target.example/ws in the victim's session. If the server authenticates by cookie alone and never checks Origin, the attacker gets a fully authenticated socket. Toggle the server's defenses and open the connection. All modeled.
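As an added illustration (not part of the original page), here is the server-side Origin check that closes the hole described above, in Node-style JavaScript: the entries in the allow-list and the constructed handshake headers are assumptions, not values from the page.

```javascript
// Added example: an Origin check for the WebSocket handshake on target.example.
// The browser attaches the cookies to the Upgrade request, but it also sets an
// Origin header that page script cannot forge, so the server can compare it
// to an allow-list before completing the handshake.

const ALLOWED_ORIGINS = new Set([
  "https://target.example",     // assumed: the app's own origin
  "https://app.target.example", // assumed: a first-party sub-site
]);

// Decide whether to complete the Upgrade. `headers` is a plain object keyed by
// lower-cased header name, as Node's http.IncomingMessage exposes them.
function shouldAcceptHandshake(headers, allowed = ALLOWED_ORIGINS) {
  const origin = headers["origin"];
  // Browsers always send Origin on a WebSocket handshake, so a missing header
  // means a non-browser client. It cannot be a CSWSH victim, but it also has no
  // business riding on an ambient session cookie: require an explicit
  // credential (e.g. a bearer token) instead.
  if (origin === undefined) {
    return { accept: Boolean(headers["authorization"]), reason: "no-origin" };
  }
  let parsed;
  try {
    parsed = new URL(origin); // also rejects the literal "null" origin
  } catch {
    return { accept: false, reason: "malformed-origin" };
  }
  // Compare the serialized origin (scheme + host + port), never a prefix or
  // substring: "https://target.example.evil.example" must not match, while
  // "https://target.example:443" normalizes to the allowed value.
  const accept = allowed.has(parsed.origin);
  return { accept, reason: accept ? "origin-allowed" : "origin-denied" };
}

// Constructed handshake headers for the cross-site case on the page: the
// victim's cookie is present, but Origin is the attacker's site.
const CROSS_SITE_HANDSHAKE = {
  host: "target.example",
  upgrade: "websocket",
  connection: "Upgrade",
  cookie: "session=victim-session-cookie", // constructed value
  origin: "https://evil.example",
};
```

Origin is enforced by the browser, so this check stops the cross-site browser case the page describes; it is not an authentication mechanism for clients that set their own headers, which is why the no-Origin branch demands an explicit credential rather than the cookie.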

Server defenses on target.example
Attacker's code
const ws = new WebSocket(
  "wss://target.example/ws"
);
// browser auto-attaches target's
// cookies — no CORS, no preflight
ws.onmessage = (e) =>
  exfiltrate(e.data);
The handshake, step by step
1. Open the socket to run the handshake.