ClawJacked: Exploiting WebSockets to Hijack Local OpenClaw AI Agents

The rapid adoption of local Large Language Models (LLMs) and AI agents has introduced a new attack surface that many organizations are ill-prepared to defend. While we often focus on cloud-based model poisoning or prompt injection, a recently disclosed vulnerability dubbed "ClawJacked" reminds us that the infrastructure running these models is just as critical.

OpenClaw, a popular platform for running local AI agents, recently patched a high-severity flaw that allowed malicious websites to bridge the gap between the public internet and your local machine. By leveraging the OpenClaw gateway’s WebSocket interface, an attacker could remotely hijack a local agent, executing commands and exfiltrating data directly from a victim's browser.

The Vulnerability: A Core System Failure

What makes the ClawJacked flaw particularly concerning is its origin. Unlike many vulnerabilities that stem from third-party plugins or community extensions, this issue resides in the core OpenClaw gateway system. As the researcher "Oasis" noted, the vulnerability exists in the bare-bones installation—exactly as documented and running out-of-the-box.

The Attack Vector: DNS Rebinding & WebSocket Hijacking

The technical mechanics of ClawJacked rely on the browser's Same-Origin Policy being circumvented, likely via a DNS rebinding attack.

1. The Hook: A user visits a seemingly benign malicious website.
2. The Rebind: The site controls a DNS domain that rapidly switches its IP address. Initially, it resolves to the attacker's server (serving the malicious JS). Then, it switches to a loopback address (e.g., 127.0.0.1).
3. The WebSocket Connection: The malicious JavaScript, running in the victim's browser context, initiates a WebSocket connection to the domain. Because the browser now believes the domain resolves to 127.0.0.1, it permits the connection to the local OpenClaw gateway.
4. The Hijack: Once the WebSocket is established, the attacker can send JSON-RPC or control messages directly to the AI agent. Since the agent trusts the local connection, it executes the commands, potentially allowing the attacker to read sensitive local files, execute system commands, or scrape the agent's memory.

This effectively turns the user's browser into a proxy server, bypassing firewalls and NAT configurations to reach the internal AI service.

Detection and Threat Hunting

Defending against this type of local proxy attack requires monitoring for suspicious outbound connections from browsers to local interfaces, as well as unexpected WebSocket traffic.

KQL Query for Microsoft Sentinel/Defender

Use this query to hunt for browsers initiating WebSocket connections to local loopback addresses. Note that 127.0.0.1 is the primary target, but link-local addresses like 127.0.0.1 or [::1] are also relevant.

DeviceNetworkEvents
| where Timestamp > ago(7d)
// Filter for known browser processes
| where InitiatingProcessName in ~("chrome.exe", "msedge.exe", "firefox.exe", "brave.exe")
// Filter for connections to loopback interfaces
| where RemoteIP has_prefix("127.") or RemoteIP has_prefix("::1")
// WebSocket upgrades or unusual high ports often used by local gateways
| where RemotePort in (8080, 8000, 5000, 3000, 1337) or NetworkProtocol == "WebSocket"
| project Timestamp, DeviceName, InitiatingProcessName, RemoteIP, RemotePort, Direction
| summarize count() by DeviceName, RemoteIP, RemotePort, InitiatingProcessName
| order by count_ desc

Bash Script for Linux Local Auditing

For security teams managing Linux workstations running OpenClaw, this script scans for open WebSocket ports on the loopback interface and identifies the associated process.

#!/bin/bash

echo "Scanning for listening WebSocket/HTTP services on loopback..."

# Common OpenClaw and AI agent ports
PORTS=(8080 8000 5000 3000 1337 11434)

for port in "${PORTS[@]}"; do
  # Check if port is listening
  if ss -ltn | grep -q ":$port "; then
    echo "[!] Potential service found on port $port"
    # Get PID
    PID=$(ss -ltnp | grep ":$port " | awk '{print $7}' | cut -d',' -f2 | cut -d'=' -f2)
    if [ ! -z "$PID" ]; then
      echo "    Process details:"
      ps -p "$PID" -o pid,ppid,cmd
    fi
  fi
done

Python Validation Script

This Python script can be used by analysts to test if a local OpenClaw instance accepts WebSocket connections without strict Origin header validation (a simulation of the vulnerability check).

import asyncio
import websockets
import sys

async def check_origin_vulnerability(uri):
    print(f"[*] Testing connection to {uri}...")
    try:
        # Attempt connection with a malicious Origin header
        extra_headers = {"Origin": "http://malicious-site.com"}
        async with websockets.connect(uri, extra_headers=extra_headers) as websocket:
            print("[!] Connection accepted! The server may be vulnerable to ClawJacked.")
            response = await websocket.recv()
            print(f"[+] Server Response: {response}")
    except websockets.exceptions.InvalidStatusCode as e:
        if e.status_code == 403:
            print("[+] Connection refused (403). Origin validation appears active.")
        else:
            print(f"[?] Unexpected status code: {e}")
    except Exception as e:
        print(f"[-] Connection failed or timed out: {e}")

if __name__ == "__main__":
    # Default OpenClaw port might vary, adjust as necessary
    target_uri = "ws://127.0.0.1:8080"
    asyncio.run(check_origin_vulnerability(target_uri))

Mitigation Strategies

To protect your organization from ClawJacked and similar local proxy attacks, implement the following measures immediately:

1. Patch Immediately: Ensure the latest version of OpenClaw is deployed across all endpoints. The vendor has released a fix addressing the insufficient Origin validation.

2. Network Segmentation: Where possible, configure local AI agents to bind to specific internal interfaces rather than all interfaces (0.0.0.0), though this is difficult for localhost-dependent agents.

3. Browser Hardening: Deploy DNS rebinding protection via enterprise browser policies or network-level DNS resolvers (like dnsmasq with specific rebind-protect options).

4. Disallow Local Origins: Configure the OpenClaw gateway to explicitly reject connections where the Origin header is not null, localhost, or an approved internal domain.

The ClawJacked flaw serves as a stark reminder: as we move intelligence to the edge, our security perimeter must move with it. The browser is no longer just a window to the web; it is a potential bridge to your local infrastructure.

Related Resources

Security Arsenal Managed SOC Services AlertMonitor Platform Book a SOC Assessment soc-mdr Intel Hub