“Day 26: The WebSocket Hijack — How I Eavesdropped on Every Customer Support Chat”
An attacker exploited a flaw in the WebSocket authentication of a bank's customer-support live chat: by manipulating a simple, predictable authentication token, they hijacked and eavesdropped on every active support session in real time and injected messages into them, breaking confidentiality and earning a $6000 bug bounty. 2025-9-18 07:27:45 Author: infosecwriteups.com (view original)

Exploiting the Trusting Handshake of Real-Time Communication

Aman Sharma

The target was a major bank’s customer support portal. They had a sleek, modern live chat feature powered by WebSockets. It felt responsive and secure. But during testing, I noticed the initial WebSocket connection didn’t use a typical Authorization header. My curiosity turned to shock when I realized the authentication mechanism was a simple, predictable token passed in the URL. By manipulating this token, I didn’t just hijack one chat — I gained the ability to connect to any active support session in real-time, listening in and even injecting messages. This breach of confidentiality led to a $6000 bounty.



Why WebSockets Are a Unique Attack Surface

WebSockets provide full-duplex, persistent communication channels over a single TCP connection. This is great for real-time apps like chat, notifications, and trading platforms. But this persistence creates new risks:

  • Custom Protocols: They often implement bespoke authentication and authorization logic, bypassing standard HTTP security controls.
  • Statefulness: The connection is stateful. If you can…
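The handshake flaw described in the opening paragraph (a predictable token in the connect URL that any client can guess) and the "bespoke authentication logic" point above are illustrated below by an added, self-contained example; it is not the bank's code or the author's, and the write-up does not show the real token format. The assumed weak scheme uses the numeric support-session id as the token; the hardened scheme replaces it with a short-lived, single-use, server-signed ticket that is also checked against session membership and the request's Origin. The origin, server key, session table and handshake requests are constructed sample data; the Sec-WebSocket-Accept computation and the sample key are the real ones from RFC 6455.

```python
import base64
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Set
from urllib.parse import parse_qs, urlsplit

WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"  # RFC 6455 handshake GUID (real constant)
ALLOWED_ORIGINS = {"https://support.bank.example"}  # assumed origin of the chat page
SERVER_KEY = b"assumed-server-side-secret"  # assumption: loaded from a secret store in practice
# Constructed sample data: which users are participants of which support session.
SESSION_MEMBERS: Dict[str, Set[str]] = {"4711": {"alice", "agent-7"}, "4712": {"bob", "agent-3"}}
USED_NONCES: Set[str] = set()  # single-use enforcement for hardened tickets


def parse_handshake(raw: str):
    """Split an HTTP Upgrade request into (method, request-target, lower-cased headers)."""
    request_line, *header_lines = raw.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        if not line:
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def accept_value(sec_websocket_key: str) -> str:
    """Sec-WebSocket-Accept = base64(SHA-1(key + GUID)), RFC 6455 section 4.2.2."""
    return base64.b64encode(hashlib.sha1((sec_websocket_key + WS_GUID).encode()).digest()).decode()


def vulnerable_authorize(target: str, headers: Dict[str, str], now: float) -> Optional[str]:
    """Weak scheme (assumed shape of the write-up's finding): the URL token is just the
    session id, so any syntactically valid value is accepted and nothing ties it to a user."""
    token = parse_qs(urlsplit(target).query).get("token", [None])[0]
    return token if token and token.isdigit() else None


def issue_ticket(user: str, session: str, now: float, ttl: int = 30) -> str:
    """Hardened scheme: a short-lived, single-use ticket signed by the server and handed
    to the already-authenticated user over HTTPS just before the WebSocket connect."""
    payload = f"{user}|{session}|{int(now) + ttl}|{secrets.token_urlsafe(16)}"
    sig = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(f"{payload}|{sig}".encode()).decode()


def hardened_authorize(target: str, headers: Dict[str, str], now: float) -> Optional[str]:
    """Accept only if Origin is ours, the signature, expiry and nonce hold, and the
    ticket's user is actually a participant of the requested session."""
    if headers.get("origin") not in ALLOWED_ORIGINS:
        return None
    ticket = parse_qs(urlsplit(target).query).get("ticket", [None])[0]
    if not ticket:
        return None
    try:
        user, session, exp, nonce, sig = base64.urlsafe_b64decode(ticket).decode().split("|")
        exp_ts = int(exp)
    except (ValueError, UnicodeDecodeError):
        return None
    payload = f"{user}|{session}|{exp}|{nonce}"
    expected = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    if now > exp_ts or nonce in USED_NONCES:
        return None
    if user not in SESSION_MEMBERS.get(session, set()):
        return None
    USED_NONCES.add(nonce)
    return session


def handshake_response(raw: str, now: float, authorize) -> str:
    """Server-side handshake decision: 101 with the correct Accept value, or a refusal."""
    method, target, headers = parse_handshake(raw)
    if method != "GET" or headers.get("upgrade", "").lower() != "websocket":
        return "HTTP/1.1 400 Bad Request\r\n\r\n"
    if authorize(target, headers, now) is None:
        return "HTTP/1.1 403 Forbidden\r\n\r\n"
    return ("HTTP/1.1 101 Switching Protocols\r\nUpgrade: websocket\r\nConnection: Upgrade\r\n"
            f"Sec-WebSocket-Accept: {accept_value(headers.get('sec-websocket-key', ''))}\r\n\r\n")


def upgrade_request(target: str, origin: str) -> str:
    """Constructed client handshake; the key is the sample value from RFC 6455 section 1.3."""
    return (f"GET {target} HTTP/1.1\r\nHost: support.bank.example\r\nUpgrade: websocket\r\n"
            "Connection: Upgrade\r\nSec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\n"
            f"Sec-WebSocket-Version: 13\r\nOrigin: {origin}\r\n\r\n")


def hijackable_sessions(authorize, now: float) -> list:
    """What an attacker walking the predictable token space gets past the handshake."""
    attacker_headers = {"origin": "https://evil.example"}
    return [t for t in ("4710", "4711", "4712")
            if authorize(f"/chat?token={t}", attacker_headers, now)]


if __name__ == "__main__":
    now = time.time()
    print("weak scheme lets the attacker into:", hijackable_sessions(vulnerable_authorize, now))
    print("hardened scheme lets the attacker into:", hijackable_sessions(hardened_authorize, now))
    ticket = issue_ticket("alice", "4711", now)
    good = upgrade_request(f"/chat?ticket={ticket}", "https://support.bank.example")
    print(handshake_response(good, now, hardened_authorize))
```

Two practitioner notes. First, the browser WebSocket API cannot set custom request headers, which is why teams end up putting credentials in the connect URL; the fix is not to avoid the URL but to make whatever travels in it unguessable, short-lived, single-use and bound to an authorization decision (here, membership in the requested session), because URLs also land in proxy and server logs. Second, the Origin check only stops cross-site connections opened from a victim's browser; a direct client such as a script sets Origin to whatever it likes, so the signed ticket is the control that actually matters.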

Source: https://infosecwriteups.com/day-26-the-websocket-hijack-how-i-eavesdropped-on-every-customer-support-chat-de5ddc819ad2?source=rss----7b722bfd1b8d--bug_bounty