Traccar
cpe:2.3:a:traccar:traccar:*:*:*:*:*:*:*
- <= 6.11.1
A Cross-Site WebSocket Hijacking (CSWSH) vulnerability has been identified in the Traccar open-source GPS tracking system, affecting versions through 6.11.1. The vulnerability resides in the '/api/socket' endpoint, where the application fails to properly validate the 'Origin' header during the WebSocket handshake. This oversight allows remote attackers to bypass the Same Origin Policy and establish a WebSocket connection using a legitimate user's credentials, specifically the JSESSIONID. Consequently, attackers can access real-time location data and sensitive device information from the victim.
Exploitation of this vulnerability leads to unauthorized access to a user's WebSocket stream, allowing attackers to intercept live tracking data and sensitive device metadata. This not only violates user privacy but also undermines the application's access control mechanisms.
To reproduce this vulnerability, log into the Traccar application to obtain a valid JSESSIONID. Then, initiate a WebSocket connection to the '/api/socket' endpoint. Use an interception proxy, such as Burp Suite, to modify the 'Origin' header, replacing it with an arbitrary external domain. After forwarding the request, the server will accept the connection and begin streaming sensitive location data to the attacker.
To address this vulnerability, Traccar should implement strict origin validation during the WebSocket handshake. This involves inspecting the 'Origin' header, comparing it against an allowlist of trusted origins (scheme, host and port), and rejecting connections from untrusted or missing origins before the session cookie is honoured.
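One way to implement the origin check described above, as an added example that is not Traccar's own code: the allowlist entries, the sample Origin values and the function names are constructed for illustration. It compares the full origin (scheme, host, port) exactly rather than by substring, and treats an absent or 'null' Origin as untrusted.

```python
# Added example (not Traccar's own code): strict Origin validation for a
# WebSocket handshake. The allowlist and sample headers below are constructed.
from urllib.parse import urlsplit

# Hypothetical allowlist: full origins (scheme://host[:port]) that may open
# the WebSocket. Host names are compared case-insensitively.
TRUSTED_ORIGINS = {"https://tracking.example.com", "http://localhost:8082"}

DEFAULT_PORTS = {"http": 80, "https": 443}


def normalize_origin(origin):
    """Return (scheme, host, port) for an Origin header value, or None if the
    value is absent, 'null', or not a well-formed scheme://host[:port]."""
    if not origin or origin.strip().lower() == "null":
        return None
    parts = urlsplit(origin.strip())
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    # An Origin is exactly scheme://host[:port]; reject paths, userinfo, etc.
    if parts.path or parts.query or parts.fragment or parts.username:
        return None
    try:
        port = parts.port or DEFAULT_PORTS[parts.scheme]
    except ValueError:  # non-numeric or out-of-range port
        return None
    return (parts.scheme, parts.hostname.lower(), port)


_ALLOWED = {normalize_origin(o) for o in TRUSTED_ORIGINS}


def is_origin_allowed(origin_header, allowed=None):
    """Exact-match check to run during the WebSocket upgrade; a handshake whose
    Origin does not resolve to an allowlisted origin must be refused (HTTP 403)
    before any session (JSESSIONID) is associated with the socket."""
    allowed = _ALLOWED if allowed is None else {normalize_origin(o) for o in allowed}
    norm = normalize_origin(origin_header)
    return norm is not None and norm in allowed


def naive_origin_check(origin_header, allowed_host="tracking.example.com"):
    """The weak pattern to avoid: substring matching accepts any origin that
    merely contains the trusted host name, e.g. tracking.example.com.evil.net."""
    return origin_header is not None and allowed_host in origin_header
```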