Definition
Client-side request hijacking (CSRH) vulnerabilities arise when attackers can trick the client-side JavaScript program into calling request-sending APIs with attacker-controlled inputs.
It is a generalization of CSRF (cross-site request forgery) that also takes input validation problems into account.
When CSRH involves URL manipulation, it is essentially a reflected XSS (cross-site scripting): the payload arrives through the URL. For example:

```javascript
var params = (new URL(window.location)).searchParams;
var t = params.get("request"); // attacker-controlled: taken straight from the URL
if (t != null && t.length) {
  // post message to opener; t is also used, unvalidated, as the target origin
  opener && opener.postMessage("reauthPopupOpened", t);
  // listen for signal
  window.onmessage = function (event) {
    if (event.origin !== opener.origin) return;
    if (event.data === "sendRequest") {
      // top-level navigation request to the attacker-supplied URL
      document.location.assign(t);
    }
  };
}
```

Here an attacker can craft a malicious URL that makes the victim perform an unintended POST request. The victim has to click on the link, for example as part of a phishing attack.
Risks
- CSRF
- information leakage: the attacker gains control over the endpoint of a request whose body contains sensitive information, so that data is sent to an attacker-chosen destination
- XSS (cross site scripting)
- redirect attack
Mitigation
- These types of request hijacking attacks can be mitigated by constraining request APIs with security policies, for example with the CSP (Content Security Policy) `connect-src` directive.
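Beyond CSP, the handler itself can refuse attacker-chosen targets. The following is an added example, not code from the original page or from any project it describes: it is the hardened form of the popup handler above, under the assumed policy that only same-origin http(s) URLs whose path is on a hypothetical allow-list (`ALLOWED_PATHS`) may be navigated to, and that the opener is the page's own origin.

```javascript
// Hypothetical allow-list of endpoints this popup is permitted to navigate to.
const ALLOWED_PATHS = new Set(["/reauth/complete", "/reauth/cancel"]);

// Return a validated absolute URL string, or null if `raw` must be rejected.
// `pageOrigin` is the origin of the page running this code (window.location.origin).
function sanitizeRequestTarget(raw, pageOrigin, allowedPaths = ALLOWED_PATHS) {
  if (typeof raw !== "string" || raw.length === 0) return null;
  let url;
  try {
    // Relative inputs resolve against the page origin; absolute ones keep their own.
    url = new URL(raw, pageOrigin);
  } catch (_) {
    return null; // unparsable input
  }
  // Reject javascript:, data:, blob: and similar schemes that navigation APIs honour.
  if (url.protocol !== "https:" && url.protocol !== "http:") return null;
  // Reject cross-origin targets (covers "//evil" and "user@host" tricks as well):
  // this blocks the CSRF, redirect and information-leakage variants.
  if (url.origin !== pageOrigin) return null;
  // Restrict to known endpoints; the query string of an allowed path is kept.
  if (!allowedPaths.has(url.pathname)) return null;
  return url.href;
}

// Browser wiring (skipped outside a browser so the function can be unit-tested).
if (typeof window !== "undefined") {
  const params = new URL(window.location.href).searchParams;
  const target = sanitizeRequestTarget(params.get("request"), window.location.origin);
  if (target !== null && window.opener) {
    // Target origin is our own origin, never the attacker-controlled value.
    window.opener.postMessage("reauthPopupOpened", window.location.origin);
    window.onmessage = function (event) {
      if (event.origin !== window.location.origin) return;
      if (event.data === "sendRequest") document.location.assign(target);
    };
  }
}
```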