The Great Request Robbery: An Empirical Study of Client-side Request Hijacking Vulnerabilities on the Web
Soheil Khodayari, Thomas Barber, Giancarlo Pellegrino
IEEE Symposium on Security and Privacy 2024 · Day 1 · Continental Ballroom 4
This talk, "The Great Request Robbery: An Empirical Study of Client-side Request Hijacking Vulnerabilities on the Web," presented by Soheil Khodayari, Thomas Barber, and Giancarlo Pellegrino, delves into a critical evolution of web security threats. While **Cross-Site Request Forgery (CSRF)** has historically been a well-understood and largely mitigated server-side vulnerability, recent advancements in client-side technologies have paved the way for new attack vectors. The speakers highlight that attackers are no longer solely reliant on the "confused deputy" flaw of traditional CSRF but are now exploiting insufficient input validation in client-side JavaScript to hijack requests originating from the victim's browser. This paradigm shift broadens the scope of potential attacks beyond mere state changes to include information leakage, arbitrary code execution, and open redirections.
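To make the shift described above concrete, the following added example (not code from the talk or the authors) shows the input-validation gap that enables client-side request hijacking next to a hardened form. A page reads a `next` query parameter and uses it as the target of a request it sends from the victim's browser; the vulnerable builder resolves the parameter as-is, so an absolute or protocol-relative value silently redirects the request to another origin, while the hardened builder resolves against the page's own origin and then rejects anything that leaves that origin or falls outside a fixed path allowlist. The origin `https://app.example`, the allowlist and the function names are assumptions for the example; `buildRequestUrl*` returns the URL that would be handed to `fetch()` so the logic can run offline.

```javascript
// Added example (not from the paper or the talk): a client-side request
// hijacking pattern and its hardened form. All names and values are
// constructed for illustration.

const PAGE_ORIGIN = "https://app.example"; // constructed sample origin
const ALLOWED_PATHS = new Set(["/api/profile", "/api/settings"]); // constructed allowlist

// Vulnerable: the "next" query parameter flows straight into the request
// target. new URL(next, base) keeps an absolute or protocol-relative value
// as a foreign origin, so the request leaves the site.
function buildRequestUrlVulnerable(locationHref) {
  const params = new URL(locationHref).searchParams;
  const next = params.get("next") || "/api/profile";
  return new URL(next, PAGE_ORIGIN).href;
}

// Hardened: resolve relative to the page origin, then reject anything that
// is unparsable, leaves the origin (including scheme changes such as
// javascript:), or uses a path outside the allowlist.
function buildRequestUrlHardened(locationHref) {
  const params = new URL(locationHref).searchParams;
  const next = params.get("next") || "/api/profile";
  let target;
  try {
    target = new URL(next, PAGE_ORIGIN);
  } catch {
    return null; // malformed input: do not issue a request
  }
  if (target.origin !== PAGE_ORIGIN) return null;
  if (!ALLOWED_PATHS.has(target.pathname)) return null;
  return target.href;
}

// Stand-alone demonstration on constructed inputs.
const SAMPLES = [
  "https://app.example/page",
  "https://app.example/page?next=/api/settings",
  "https://app.example/page?next=https://attacker.example/collect",
  "https://app.example/page?next=//attacker.example/collect",
  "https://app.example/page?next=/admin",
];
for (const href of SAMPLES) {
  console.log(href);
  console.log("  vulnerable ->", buildRequestUrlVulnerable(href));
  console.log("  hardened   ->", buildRequestUrlHardened(href));
}
```

The check that matters is the comparison against `target.origin` after parsing, not a string prefix test on the raw parameter: the URL parser is what turns `//attacker.example/collect` into a cross-origin target, so validation has to run on its output.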
AI review
This exceptional research fundamentally redefines client-side web security, identifying a vast, previously unaddressed attack surface across 10 distinct browser APIs. Utilizing a novel hybrid static-dynamic analysis framework, the team uncovered widespread request hijacking vulnerabilities on nearly 10% of popular websites, demonstrating their severe impact and the critical failure of current defenses and developer input validation practices.