{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/praisonai-browser-server/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["PraisonAI Browser Server"],"_cs_severities":["critical"],"_cs_tags":["praisonai","websocket","session-hijacking","vulnerability"],"_cs_type":"advisory","_cs_vendors":["PraisonAI"],"content_html":"\u003cp\u003ePraisonAI Browser Server versions 4.5.138 and below expose a critical vulnerability that allows unauthenticated WebSocket clients to hijack connected extension sessions. The \u003ccode\u003epraisonai browser start\u003c/code\u003e command, by default, binds the browser bridge to \u003ccode\u003e0.0.0.0\u003c/code\u003e, making it accessible to any network client. Critically, the \u003ccode\u003e/ws\u003c/code\u003e endpoint accepts WebSocket connections even when the \u003ccode\u003eOrigin\u003c/code\u003e header is omitted. This allows a malicious actor to connect to the bridge and send a \u003ccode\u003estart_session\u003c/code\u003e command. The server then forwards a \u003ccode\u003estart_automation\u003c/code\u003e message to another connected browser extension WebSocket, effectively hijacking the session. The attacker receives the resulting action/status stream, enabling unauthorized remote control of the browser automation session. This vulnerability was verified on praisonai version 4.5.134 at commit 365f75040f4e279736160f4b6bdb2bdb7a3968d4.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker connects to the PraisonAI Browser Server's \u003ccode\u003e/ws\u003c/code\u003e endpoint without providing an \u003ccode\u003eOrigin\u003c/code\u003e header in the WebSocket handshake. The server incorrectly accepts the connection due to insufficient origin validation.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a \u003ccode\u003estart_session\u003c/code\u003e message to the server via the WebSocket connection, specifying parameters for a new automation session (e.g., goal, model, max_steps).\u003c/li\u003e\n\u003cli\u003eThe server searches for an idle WebSocket connection associated with a browser extension that is not currently in a session.\u003c/li\u003e\n\u003cli\u003eThe server forwards a \u003ccode\u003estart_automation\u003c/code\u003e message, containing the session ID and automation parameters, to the identified browser extension.\u003c/li\u003e\n\u003cli\u003eThe browser extension processes the \u003ccode\u003estart_automation\u003c/code\u003e message and begins executing the requested automation tasks.\u003c/li\u003e\n\u003cli\u003eThe browser extension sends an \u003ccode\u003eobservation\u003c/code\u003e message back to the server, containing details about the current state of the browser (e.g., URL, elements).\u003c/li\u003e\n\u003cli\u003eThe server broadcasts an \u003ccode\u003eaction\u003c/code\u003e message, containing the action to be performed by the browser extension, to all connected WebSockets associated with the same session ID, including the attacker's WebSocket.\u003c/li\u003e\n\u003cli\u003eThe attacker receives the \u003ccode\u003eaction\u003c/code\u003e message, effectively gaining control over the browser automation session and access to sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an unauthenticated attacker to remotely control browser automation sessions managed by PraisonAI. This can lead to unauthorized browser actions, misuse of model-backed automation, and leakage of sensitive page context or automation results. The vulnerability impacts operators running \u003ccode\u003epraisonai browser start\u003c/code\u003e with the default host binding, users with active connected browser extension sessions, and environments where the bridge is reachable from other hosts on the network. This vulnerability affects PraisonAI versions up to and including 4.5.138.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the suggested remediations from the advisory including requiring explicit authentication for WebSocket clients, rejecting connections that omit the \u003ccode\u003eOrigin\u003c/code\u003e header, binding the bridge to \u003ccode\u003e127.0.0.1\u003c/code\u003e by default, and pairing controller and extension clients explicitly.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;PraisonAI Browser Server Unauthenticated WebSocket Connection\u0026quot; to detect connections to the PraisonAI Browser Server that lack an Origin header in the WebSocket handshake. This rule will help identify potential exploitation attempts (see rule below).\u003c/li\u003e\n\u003cli\u003eUpgrade to a patched version of PraisonAI that addresses this vulnerability. Verify that the updated version includes proper authentication and origin validation mechanisms to prevent unauthorized access.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic to the PraisonAI Browser Server for suspicious activity, such as connections from unexpected sources or attempts to initiate automation sessions without proper authentication.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T12:00:00Z","date_published":"2024-01-09T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-09-praisonai-hijack/","summary":"PraisonAI Browser Server is vulnerable to unauthenticated WebSocket client hijacking due to exposing the browser bridge on 0.0.0.0 by default and accepting WebSocket clients that omit the Origin header, allowing unauthorized remote use of a connected browser automation session.","title":"PraisonAI Browser Server Unauthenticated Session Hijacking Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-09-praisonai-hijack/"}],"language":"en","title":"CraftedSignal Threat Feed - PraisonAI Browser Server","version":"https://jsonfeed.org/version/1.1"}