CISPA
Browse
cispa_all_4056.pdf (901.3 kB)

The Great Request Robbery: An Empirical Study of Client-side Request Hijacking Vulnerabilities on the Web

Download (901.3 kB)
conference contribution
posted on 2024-03-05, 12:22 authored by Soheil KhodayariSoheil Khodayari, Barber, Thomas, Giancarlo PellegrinoGiancarlo Pellegrino
Request forgery attacks are among the oldest threats to Web applications, traditionally caused by server-side confused deputy vulnerabilities. However, recent advancements in client-side technologies have introduced more subtle variants of request forgery, where attackers exploit input validation flaws in client-side programs to hijack outgoing requests. We have little-to-no information about these client-side variants, their prevalence, impact, and countermeasures, and in this paper we undertake one of the first evaluations of the state of client-side request hijacking on the Web platform. Starting with a comprehensive review of browser API capabilities and Web specifications, we systematize request hijacking vulnerabilities and the resulting attacks, identifying 10 distinct vulnerability variants, including seven new ones. Then, we use our systematization to design and implement Sheriff, a static-dynamic tool that detects vulnerable data flows from attacker-controllable inputs to request-sending instructions. We instantiate Sheriff on the top of the Tranco top 10K sites, performing, to our knowledge, the first investigation into the prevalence of request hijacking flaws in the wild. Our study uncovers that request hijacking vulnerabilities are ubiquitous, affecting 9.6% of the top 10K sites. We demonstrate the impact of these vulnerabilities by constructing 67 proof-of-concept exploits across 49 sites, making it possible to mount arbitrary code execution, information leakage, open redirections and CSRF also against popular websites like Microsoft Azure, Starz, Reddit, and Indeed. Finally, we review and evaluate the adoption and efficacy of existing countermeasures against client-side request hijacking attacks, including browser-based solutions like CSP, COOP and COEP, and input validation.

History

Preferred Citation

Soheil Khodayari, Thomas Barber, Giancarlo Pellegrino. The Great Request Robbery: An Empirical Study of Client-side Request Hijacking Vulnerabilities on the Web. In: Proceedings of 45th IEEE Symposium on Security and Privacy. 2023.

Primary Research Area

  • Empirical and Behavioral Security

Name of Conference

IEEE Symposium on Security and Privacy Workshops (SPW)

Legacy Posted Date

2023-12-15

Open Access Type

  • Unknown

BibTeX

@inproceedings{cispa_all_4056, author = {Soheil Khodayari AND Thomas Barber AND Giancarlo Pellegrino}, title = {The Great Request Robbery: An Empirical Study of Client-side Request Hijacking Vulnerabilities on the Web}, booktitle = {Proceedings of 45th IEEE Symposium on Security and Privacy}, year = {2023} }

Usage metrics

    Categories

    No categories selected

    Licence

    Exports

    RefWorks
    BibTeX
    Ref. manager
    Endnote
    DataCite
    NLM
    DC