JSONP Broadcast Auth Exploit

Proof-of-concept: Stealing private channel auth tokens via JSONP on /broadcasting/auth

Educational purposes only. This demonstrates CVE-like behavior in Laravel's PusherBroadcaster. The /broadcasting/auth endpoint accepts GET requests with a callback parameter and answers with JSONP, which a page on another origin can load through a <script> tag. With the default SameSite=Lax, modern browsers withhold the session cookie on that cross-site script load, so the attack is blocked. It succeeds when the attacking page is on a same-site subdomain, when the session cookie is set with SameSite=None, or in older browsers that do not apply a Lax default.
Attack Stages

1. Connect to Reverb WebSocket
   Open a WebSocket connection to the target's Reverb server and obtain a socket_id.

2. Steal Auth Token via JSONP
   Inject a <script> tag targeting /broadcasting/auth?callback=...&socket_id=.... If the victim's session cookie is sent, the server returns a JSONP response with the HMAC auth signature.

3. Subscribe to Private Channel
   Send a pusher:subscribe message over the WebSocket using the stolen auth token to join the private channel without authorization.
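From the detection side, an added example (not part of this PoC and not Laravel's code): a Python scanner over combined-format web server access logs that flags the request shape stage 2 depends on, a GET to /broadcasting/auth carrying a callback parameter, and rates each hit by whether a JSONP body was actually served to a page on another origin. The log lines, hostnames and the app_host value are constructed assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in Apache/nginx "combined" format; not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2024:10:01:02 +0000] "POST /broadcasting/auth HTTP/1.1" 200 112 "https://app.example.test/dashboard" "Mozilla/5.0"
10.0.0.5 - - [12/Mar/2024:10:01:09 +0000] "GET /broadcasting/auth?callback=cb1&socket_id=123.456&channel_name=private-orders HTTP/1.1" 200 140 "https://poc.example.net/" "Mozilla/5.0"
10.0.0.7 - - [12/Mar/2024:10:02:15 +0000] "GET /broadcasting/auth?socket_id=789.1&channel_name=private-orders HTTP/1.1" 200 98 "https://app.example.test/dashboard" "Mozilla/5.0"
10.0.0.9 - - [12/Mar/2024:10:03:44 +0000] "GET /broadcasting/auth?callback=cb2&socket_id=55.2&channel_name=private-orders HTTP/1.1" 403 30 "https://static.example.test/" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "[^"]*"$'
)

def classify(line, app_host):
    """Return a finding for a JSONP-style /broadcasting/auth request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m['target'])
    if url.path != '/broadcasting/auth' or 'callback' not in parse_qs(url.query):
        return None                      # ordinary auth calls are not flagged
    reasons = ['jsonp-callback']         # the condition the PoC depends on
    if m['method'] == 'GET':
        reasons.append('get-method')     # a <script src> load can only be a GET
    referer = m['referer']
    ref_host = urlsplit(referer).hostname if referer not in ('', '-') else None
    # Compare origin, not site: a sibling subdomain is same-site under SameSite=Lax,
    # which is exactly the case in which the session cookie still travels.
    if ref_host and ref_host != app_host:
        reasons.append('off-origin-referer:' + ref_host)
    # A 2xx JSONP body served to an off-origin page means a signature left the app.
    # Referrer-Policy may trim or drop the Referer, so its absence does not clear a hit.
    served = m['status'].startswith('2')
    off_origin = ref_host is not None and ref_host != app_host
    severity = 'high' if served and off_origin else 'medium' if served else 'low'
    return {'ip': m['ip'], 'ts': m['ts'], 'status': int(m['status']),
            'severity': severity, 'reasons': reasons}

def scan(log_text, app_host):
    """Run classify over every line and keep only the findings."""
    return [f for f in (classify(ln, app_host) for ln in log_text.splitlines()) if f]

if __name__ == '__main__':
    for finding in scan(SAMPLE_LOG, 'app.example.test'):
        print(finding)
```

On the sample data the second line is rated high (JSONP served to another origin) and the fourth low (callback requested from a sibling subdomain, but the server answered 403).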

Intercepted Private Channel Messages

No messages intercepted yet. Send a message from the dashboard after the attack succeeds.

Attack Log