Send email Copy Email Address

Annabelle Theobald

It's all about who's asking

At the renowned USENIX Security Symposium, CISPA researcher Soheil Khodayari presented the JAW analysis tool, which he is using to learn more about a new type of attack on the Web.

If a post suddenly appears in your Facebook account that you did not write yourself, or if your firewall or router settings have been changed without your own intervention, then you have probably fallen victim to a so-called cross-site request forgery attack (CSRF attack for short, pronounced seasurf attack). Such attacks have been known for decades and can now be well defended against in their traditional form by various security measures. In 2018, however, a new variant of the attack method has emerged, about which little is known so far. To change that, CISPA researcher Soheil Khodayari has developed JAW, a new analysis tool that can be used to examine websites for their susceptibility to the new type of attack. In addition, Khodayari, who conducts research at CISPA in Giancarlo Pellegrino's group, was able to show in his paper "JAW: Studying Client-side CSRF with Hybrid Property Graphs and Declarative Traversals" that more than three-quarters of the websites he studied had vulnerabilities that enabled the attacks. He presented his work at the prestigious USENIX Security Symposium.

CSRF is a method of attacking websites in which attackers masquerade as trusted users and perform unwanted actions in the web applications of real users. To understand how these attacks work - of which there are several types - it helps to first take a closer look at how "surfing" on the Internet actually works.

The fact that we can move around the digital world so easily today has a lot to do with the development of the World Wide Web, probably the best-known Internet service, in the 1990s. In principle, the WWW includes everything that can be called up using web browsers such as Google Chrome or Mozilla Firefox and makes up only a part of the Internet - but it is often mistakenly equated with it. The Web allows us to exchange digital data worldwide and display text, sound, image and video files of all kinds.

Internet services such as the WWW are based on the so-called client-server model. Whenever data is transferred between two computers on the network, one must provide the services and respond to requests (server), while the other sends the requests and processes the server's responses (client). For example, the client may request the server to send web pages or e-mails. The client and server communicate using the HTTP protocol, which specifies exactly how the client must formulate its request and how the server must respond. Requests from the client to the server are therefore also called HTTP requests.

In traditional CSRF attacks, attackers try to get users' web browsers to execute HTTP requests that they have manipulated and thus perform malicious actions on a website, Khodayari explains. To do this, users must be logged into the attack's target site. A function used by many services for the convenience of users, is in turn also very helpful to the attackers.

If users have logged into a platform such as an online store, they remain logged in for the duration of a session. How long these sessions are depends on the service in question. While banks usually limit their sessions to a few minutes for security reasons, social networks and online stores often allow their visitors to log in for days without having to enter their passwords again. If attackers manage to lure users to a website they control during this time and have them click on a button, for example, this can trigger the sending of a manipulated HTTP request to the web server of the online store and - often unnoticed by the user for a long time - execute unwanted actions. The attackers only need to know how the HTTP request expected by the server should be formulated - which is not too difficult to read. The server does not control where exactly the request comes from.

The so-called client-side CSRF, which Khodayari is dealing with, is a new variant of this vulnerability. Attackers trick the JavaScript program on the client's side – which is running in the user`s browser - rather than the web server, and can use it to send bogus HTTP requests to a vulnerable target site. "Our goal was to find out how common the vulnerabilities are that enable such attacks and to understand the different attack models," said Khodayari, who is a native of Iran. He also says it has not been clear to what extent the attackers can control HTTP requests.  "To be able to figure that out, we need to analyze JavaScript programs. However, that's not easy to do with current analysis methods." Static code analysis, in which researchers only look at the source code, is challenging with JavaScript programs because of their dynamic nature. Therefore, the researchers needed a hybrid analysis model with dynamic portions that would also allow them to examine the program's behavior during its runtime.

To that end, Khodayari developed the JAW analysis tool. He then used it to examine 106 Web applications and a total of about 228 million lines of JavaScript code to assess the prevalence of client-side CSRF vulnerabilities. In 87 of the 106 web applications, he found 12,701 forgeable HTTP requests using the tool. For 203 of these, they were also able to demonstrate how these vulnerabilities could be exploited. This has shown that client-side CSRF opens up additional attack vectors beyond traditional methods. To support further research for studying vulnerabilities of JavaScript programs, Khodayari has published the source code of JAW.

Translated by Tobias Ebelshäuser