Security: Defeating CORS in chrome
Reported by shivakis...@gmail.com, Sep 1 2017
Issue description

VULNERABILITY DETAILS
CORS by default is disabled in chrome, which makes it harder for attackers to get data (cookies and user info) from a website which is vulnerable to XSS without the user's knowledge (typically it would open a new tab and send data as query params). One way to avoid that would be to use Ajax calls, but CORS would block that. CORS blocks only Ajax calls but not websocket calls; I was successfully able to key-log on the affected page/website and send data to my remote server via websocket (which was not possible by ajax calls because CORS would block it, nor by opening new tabs as it would need to keep opening tabs for each input). So the vulnerability allows an attacker to steal data without the user noticing it. This attack would be disastrous on websites where stored XSS is possible.

VERSION
Chrome Version: 59.0.3071.86 (Official Build) (64-bit)
Operating System: Ubuntu 16.04

REPRODUCTION CASE
1. Unzip the attached file.
2. $ cd /path/to/unzipped/server
3. $ python -m SimpleHTTPServer
4. Open a new terminal and cd /path/to/unzipped/attacker
5. $ python3 stream.py
6. Open chrome and go to the website we hosted in step 3.
7. Copy the contents of /path/to/unzipped/attacker/payload.txt
8. Paste it into the textarea.
9. Change the ip of the websocket connection to point to the attacker.
10. Click update.
11. Now the keys you type are streamed to the attacker (open the terminal from step 5 to check).

This is a vulnerability showing the bypassing of CORS being disabled by chrome; the same would not have been possible before, unless you are using this technique. To patch this I think that CORS checking can also be done in websocket calls and block it if it points to a different domain. I couldn't check this vulnerability in other versions of chrome, but I am positive that this works in all other versions.

Regards
Shiva
ph : +918883440958
Sep 2 2017
This does not represent a security vulnerability in Chrome (or Firefox). Same-Origin-Policy isn't intended to prevent sending of data to a server willing to accept it. You can learn more about Same-Origin-Policy and CORS by reading this series of posts: https://blogs.msdn.microsoft.com/ieinternals/2014/03/13/same-origin-policy-part-0-origins/ CORS is a mechanism that allows a cooperating website to relax Same-Origin-Policy to allow reads (and broader writes) from other websites. In the scenario you describe (a website has an XSS vulnerability and keylogging code has been injected into it), an attacker has many ways to collect data; allowing cross-origin XMLHttpRequests by publishing a CORS policy that allows access would be just one mechanism. WebSockets intentionally do not use CORS; to reject a WebSocket request from an undesirable origin, the WebSocket server looks at the ORIGIN header on the request.
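The reply above says a WebSocket server rejects unwanted origins by checking the Origin header on the upgrade request. As an added example (not code from this issue or from Chromium), here is a minimal handshake handler in Python's standard library that validates Origin against an allowlist and only then computes the Sec-WebSocket-Accept value; the allowlist, hostnames and sample request are constructed for the demo.

```python
import base64
import hashlib
from email.parser import Parser
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"  # fixed GUID from RFC 6455
ALLOWED_ORIGINS = {"https://app.example"}  # constructed allowlist for the demo


def normalize_origin(origin: str) -> Optional[str]:
    """Reduce an Origin header to scheme://host[:port]; None if malformed or 'null'."""
    try:
        parts = urlsplit(origin.strip())
        port = parts.port  # raises ValueError on a non-numeric or out-of-range port
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    if port is None or port == (443 if parts.scheme == "https" else 80):
        return f"{parts.scheme}://{parts.hostname}"
    return f"{parts.scheme}://{parts.hostname}:{port}"


def parse_handshake(raw: bytes) -> Dict[str, str]:
    """Return the upgrade request's headers with lower-cased names and stripped values."""
    head = raw.decode("latin-1").partition("\r\n\r\n")[0]
    header_block = head.partition("\r\n")[2]  # drop the request line
    return {k.lower(): v.strip() for k, v in Parser().parsestr(header_block).items()}


def handshake_response(raw: bytes) -> Tuple[int, str]:
    """Decide the handshake: 400 if not a WebSocket upgrade, 403 unless Origin is allowed."""
    headers = parse_handshake(raw)
    if headers.get("upgrade", "").lower() != "websocket" or "sec-websocket-key" not in headers:
        return 400, "HTTP/1.1 400 Bad Request\r\n\r\n"
    # Browsers always send Origin on a WebSocket handshake, so a missing or
    # unknown origin is rejected instead of being accepted by default.
    origin = normalize_origin(headers.get("origin", ""))
    if origin is None or origin not in ALLOWED_ORIGINS:
        return 403, "HTTP/1.1 403 Forbidden\r\n\r\n"
    digest = hashlib.sha1((headers["sec-websocket-key"] + WS_GUID).encode()).digest()
    accept = base64.b64encode(digest).decode()
    return 101, ("HTTP/1.1 101 Switching Protocols\r\nUpgrade: websocket\r\n"
                 "Connection: Upgrade\r\nSec-WebSocket-Accept: " + accept + "\r\n\r\n")


# Constructed sample handshake, as a browser page on https://app.example would send it.
SAMPLE = (b"GET /chat HTTP/1.1\r\nHost: app.example\r\nUpgrade: websocket\r\n"
          b"Connection: Upgrade\r\nSec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\n"
          b"Sec-WebSocket-Version: 13\r\nOrigin: https://app.example\r\n\r\n")
```

The Origin check only constrains browser-initiated connections, since a non-browser client can send any Origin it likes; authentication of the user still has to happen separately.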
Dec 10 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 1 by shivakis...@gmail.com, Sep 2 2017