
Insecure WebSocket Communication leaks PII and why you should never ignore Burp’s WebSocket history tab

2 min read · Jun 28, 2025


In modern web applications, real‑time communication channels such as WebSockets power dynamic user experiences — from live chat to event feeds. However, misconfigurations or inadequate access controls on these channels can lead to severe privacy breaches. In this write‑up, we analyze a vulnerability discovered within a financial portal’s WebSocket endpoint, which allowed unauthenticated clients to harvest arbitrary users’ personally identifiable information (PII), including email addresses and phone numbers.

Story of the hunt

One fine day, I was invited to a private program. I began with classic subdomain enumeration, since almost all subdomains were in scope. While reviewing the enumerated assets, one particular domain caught my attention. I decided to start testing on it, signing up and logging in to establish a valid session. Initially, I proceeded with standard tests, but then I had the idea of reviewing the WebSocket traffic in Burp’s history tab. That decision turned out to be crucial — the rest, as they say, is history.

NOTE: This vulnerability was caught just by mere observation of Burp’s WebSocket history tab (https://portswigger.net/burp/documentation/desktop/tools/proxy/websockets-history), but for clear understanding I will write a sample POC here so you all can learn. So now let’s dive in!

POC

  1. Connect through a proxy tool, i.e. Burp.
  2. After successfully logging in to the site, navigate to any page within the portal.
  3. Open the WebSockets History tab in Burp.
  4. Observe real‑time broadcasts.
  5. Allow the connection to remain open for a short period to let background events accumulate. (This is crucial; have some patience.)
  6. Inspect the captured WebSocket messages, which include entries. (They might contain PII in clear text if there is a misconfiguration.)
  7. In my case it was like this:

     ["list_update", {
       "doctype": "Activity Log",
       "name": "[REDACTED_PHONE]",
       "user": "[REDACTED_EMAIL]"
     }]
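The two halves of this finding are worth seeing in code: spotting clear-text PII in captured WebSocket frames, and the server-side check whose absence made every connected socket a subscriber to everyone else’s activity log. The block below is an added example and is not code from the post or from the affected portal; the frames, accounts and the `route_broadcast` hub are constructed to mirror the `list_update` message shape shown above, and the admin user and session table are assumptions.

```python
import json
import re

# Constructed sample frames in the shape of the write-up's list_update
# message (the real capture had a redacted phone number and e-mail address).
CAPTURED_FRAMES = [
    '["list_update", {"doctype": "Activity Log", '
    '"name": "+1 555 010 0199", "user": "alice@example.com"}]',
    '["list_update", {"doctype": "Activity Log", '
    '"name": "ACT-0002", "user": "bob@example.com"}]',
    '["heartbeat", {"ts": 1719532800}]',
]

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Loose phone pattern: optional +, a digit, 8+ digits/separators, final digit.
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{8,}\d")


def walk_strings(node):
    """Yield every string value nested anywhere inside a decoded JSON frame."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, dict):
        for value in node.values():
            yield from walk_strings(value)
    elif isinstance(node, list):
        for value in node:
            yield from walk_strings(value)


def find_pii(frame_text):
    """Return (kind, value) pairs for e-mail addresses and phone numbers
    found in clear text anywhere in one captured WebSocket frame."""
    try:
        payload = json.loads(frame_text)
    except json.JSONDecodeError:
        return []  # binary or non-JSON frames are out of scope here
    findings = []
    for text in walk_strings(payload):
        findings += [("phone", m.group(0).strip()) for m in PHONE_RE.finditer(text)]
        findings += [("email", m.group(0)) for m in EMAIL_RE.finditer(text)]
    return findings


def scan_frames(frames):
    """Return (frame index, findings) for every frame that carries PII."""
    report = []
    for index, frame in enumerate(frames):
        hits = find_pii(frame)
        if hits:
            report.append((index, hits))
    return report


# --- server side: who should a list_update event actually reach? ---
ADMIN_USERS = {"ops@example.com"}  # constructed privileged account


def route_broadcast(event, sessions, scoped):
    """Return the session ids that would receive `event`.

    `sessions` maps socket id -> authenticated user, or None for an
    unauthenticated socket. scoped=False reproduces the vulnerable hub
    (every connected socket gets every event); scoped=True delivers only
    to the record owner or an admin, and never to an unauthenticated socket.
    """
    _name, payload = event
    owner = payload.get("user")
    recipients = []
    for sid, user in sessions.items():
        if not scoped:
            recipients.append(sid)
        elif user is not None and (user == owner or user in ADMIN_USERS):
            recipients.append(sid)
    return recipients


if __name__ == "__main__":
    for index, hits in scan_frames(CAPTURED_FRAMES):
        print(f"frame {index}: {hits}")
    sessions = {"s-anon": None, "s-alice": "alice@example.com",
                "s-bob": "bob@example.com", "s-admin": "ops@example.com"}
    event = json.loads(CAPTURED_FRAMES[0])
    print("unscoped:", route_broadcast(event, sessions, scoped=False))
    print("scoped:  ", route_broadcast(event, sessions, scoped=True))
```

Run it as-is to see the two `list_update` frames flagged while the heartbeat passes clean, and the same event reaching all four sockets on the unscoped hub but only the owner and the admin once delivery is filtered by the authenticated session. Feeding the scanner a Burp export of real frames is the same call with a different list; the fix on the server is the `scoped=True` branch: the hub must resolve the socket’s session to a user before deciding whether a record belongs to it.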

BOUNTY: 1,160 USD

I hope you all learned something new. Thanks for reading.

Follow me on X : https://x.com/bunny_0417
Follow me on LinkedIn: https://www.linkedin.com/in/bunny0417/


