cispa_all_3361.pdf (1.04 MB)

JAW: Studying Client-side CSRF with Hybrid Property Graphs and Declarative Traversals

Download (1.04 MB)
conference contribution
posted on 2023-11-29, 18:16 authored by Soheil KhodayariSoheil Khodayari, Giancarlo PellegrinoGiancarlo Pellegrino
Client-side CSRF is a new type of CSRF vulnerability where the adversary can trick the client-side JavaScript program to send a forged HTTP request to a vulnerable target site by modifying the program’s input parameters. We have little to-no knowledge of this new vulnerability, and exploratory security evaluations of JavaScript-based web applications are impeded by the scarcity of reliable and scalable testing techniques. This paper presents JAW, a framework that enables the analysis of modern web applications against client-side CSRF leveraging declarative traversals on hybrid property graphs, a canonical, hybrid model for JavaScript programs. We use JAW to evaluate the prevalence of client-side CSRF vulnerabilities among all (ie, 106) web applications from the Bitnami catalog, covering over 228M lines of JavaScript code. Our approach uncovers 12,701 forgeable client-side requests affecting 87 web applications in total. For 203 forgeable requests, we successfully created client-side CSRF exploits against seven web applications that can execute arbitrary server-side state-changing operations or enable cross-site scripting and SQL injection, that are not reachable via the classical attack vectors. Finally, we analyzed the forgeable requests and identified 25 request templates, highlighting the fields that can be manipulated and the type of manipulation.


Preferred Citation

Soheil Khodayari and Giancarlo Pellegrino. JAW: Studying Client-side CSRF with Hybrid Property Graphs and Declarative Traversals. In: Usenix Security Symposium (USENIX-Security). 2021.

Primary Research Area

  • Empirical and Behavioral Security

Name of Conference

Usenix Security Symposium (USENIX-Security)

Legacy Posted Date


Open Access Type

  • Gold


@inproceedings{cispa_all_3361, title = "JAW: Studying Client-side CSRF with Hybrid Property Graphs and Declarative Traversals", author = "Khodayari, Soheil and Pellegrino, Giancarlo", booktitle="{Usenix Security Symposium (USENIX-Security)}", year="2021", }

Usage metrics


    No categories selected


    Ref. manager