CSRF is dead, long live CSRF
To provide users with a safer browsing experience, the IETF proposal named “Incrementally Better Cookies” set in motion a few important changes to address Cross-Site Request Forgery (CSRF) and other client-side issues. Soon after, Chrome and other major browsers implemented the recommended changes and introduced the SameSite attribute. Security researchers may consider the applications implementing CSRF tokens and these protections to be safe from CSRF.
In this paper, I will cover how Client-Side Path Traversal (CSPT) can be exploited to perform CSRF (CSPT2CSRF) even when all industry best practices for CSRF protections are implemented. This work is the result of extensive research on CSPT and CSRF; theoretical as well as practical aspects will be discussed, together with a few vulnerabilities affecting major web products.
This technical whitepaper is being released together with a Burp Suite extension to help you find and exploit CSPT2CSRF.
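To make the CSPT primitive behind CSPT2CSRF concrete, here is an added example (not code from the whitepaper or its Burp extension) showing how a front end that interpolates a URL-supplied value into a request path lets `../` segments re-route the request, and how to harden the builder; it assumes a hypothetical app that fetches `/api/items/<id>` and uses a constructed placeholder origin.

```javascript
// Added example, not from the whitepaper. Assumed: the front end reads `id`
// from the page URL and fetches /api/items/<id> from its own origin.
const ORIGIN = "https://app.example"; // constructed placeholder origin

// Vulnerable builder: raw interpolation means a value containing "../"
// segments resolves to a path outside /api/items/, so the browser sends the
// (same-site, cookie-bearing) request to an endpoint the developer never chose.
function buildItemUrlVulnerable(id) {
  return new URL(`/api/items/${id}`, ORIGIN).href;
}

// Hardened builder: allow-list the segment, encode it, and verify after URL
// normalisation that the resolved path still sits under the intended prefix.
function buildItemUrlHardened(id) {
  if (!/^[A-Za-z0-9_-]+$/.test(id)) {
    throw new Error("invalid item id");
  }
  const url = new URL(`/api/items/${encodeURIComponent(id)}`, ORIGIN);
  if (!url.pathname.startsWith("/api/items/")) {
    throw new Error("path escaped the expected prefix");
  }
  return url.href;
}

// Review helper: does interpolating `value` move the resolved path out of
// `prefix`? Handy when auditing fetch()/XHR call sites for CSPT sinks.
function escapesPrefix(value, prefix = "/api/items/") {
  const resolved = new URL(`${prefix}${value}`, ORIGIN);
  return !resolved.pathname.startsWith(prefix);
}
```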