Exploiting Client-Side Path Traversal. CSRF is Dead, Long Live CSRF

11/10/2024 : 14h30 - 15h15 | Showroom | Maxence Schmitt

To provide users with a safer browsing experience, the IETF proposal named “Incrementally Better Cookies” set in motion a few important changes to address Cross-Site Request Forgery (CSRF) and other client side issues. Soon after, Chrome and other major browsers implemented the recommended changes and introduced the SameSite attribute. SameSite helps mitigate CSRF, but does that mean CSRF is Dead?

While auditing major web applications, we realized that Client Side Path-Traversal (CSPT) can be actually leveraged to resuscitate CSRF for the joy of all pentesters. Listed in the Top 10 Web Hacking Techniques of 2022, Client Side Path-Traversal has been overlooked for years. While considered by many as a low-impact vulnerability, it can be actually used to force an end user to execute unwanted actions on a web application.

Once we have introduced the basics of Client Side Path Traversal, we will present sources and sinks for Cross Site Request Forgery. Software engineers will learn how to defend their applications against this new class of vulnerabilities, while security auditors will come back home with a set of tips and tricks to bring CSRF back in their reports. To demonstrate the impact and novelty of our discovery, we will showcase vulnerabilities in major web messaging applications, including Mattermost and Rocket.Chat among others. Finally, we will also release a Burp extension to help the discovery of Client-Side Path-Traversal sources and sinks.

Archi, Perf et Sécu