On Location With Sean Martin And Marco Ciappelli

In the Same Site We Trust: Navigating the Landscape of Client-side Request Hijacking on the Web | An OWASP AppSec Global Lisbon 2024 Conversation with Soheil Khodayari | On Location Coverage with Sean Martin and Marco Ciappelli

Episode Summary

Join Sean Martin as he dives into the evolving landscape of web security with Soheil Khodayari, a leading security researcher, as they discuss the intricacies of request forgery attacks and the innovative defenses against them. Discover key insights and practical advice ahead of Soheil's session at OWASP Global AppSec in Lisbon, and learn how to safeguard your applications from sophisticated client-side vulnerabilities.

Episode Notes

Guest: Soheil Khodayari, Security Researcher, CISPA - Helmholtz Center for Information Security [@CISPA]

On LinkedIn | https://www.linkedin.com/in/soheilkhodayari/

On Twitter | https://x.com/Soheil__K

____________________________

Hosts: 

Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber]

On ITSPmagazine | https://www.itspmagazine.com/sean-martin

Marco Ciappelli, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining Society Podcast

On ITSPmagazine | https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/marco-ciappelli

____________________________

Episode Notes

In this episode of On Location with Sean and Marco, co-host Sean Martin embarks on a solo journey to cover the OWASP AppSec Global event in Lisbon. Sean welcomes Soheil Khodayari, a security researcher at the CISPA Helmholtz Center for Information Security in Saarland, Germany, to discuss the intricacies of web security, particularly focusing on request forgery attacks.

They dive into Soheil’s background, noting his extensive research in web security and privacy, with interests spanning vulnerability detection, internet measurements, browser security, and new testing techniques. Soheil aims to share valuable insights on request forgery attacks, a prevalent issue in web security that continues to challenge developers and security professionals alike.

The conversation transitions to an in-depth exploration of client-side request forgery and how these attacks differ from traditional cross-site request forgery (CSRF). Soheil elaborates on the evolution of web applications and how shifting functionalities to client-side code has introduced new, complex vulnerabilities. He identifies the critical role of input validation and the resurgence of issues related to improper handling of user inputs, which attackers can exploit to cause unintended actions on authenticated sessions.

As they prepare for the upcoming OWASP Global AppSec event, Soheil highlights his session, titled "In the Same Site We Trust: Navigating the Landscape of Client-Side Request Hijacking on the Web," scheduled for Thursday, June 27th. He emphasizes the relevance of the session for developers and security professionals who are eager to learn about modern request hijacking techniques, defense mechanisms, and how to detect these vulnerabilities using automated tools.

The discussion touches on the landscape of modern browsers, the effectiveness of same-site cookies as a defense-in-depth strategy, and the limitations of these measures in preventing client-side CSRF attacks. Soheil mentions the development of a vulnerability detection tool designed to mitigate these sophisticated threats and invites attendees to integrate such tools into their CI/CD pipelines for enhanced security.

Sean and Soheil ultimately reflect on the importance of understanding the nuances of web application security. They encourage listeners to attend the session, engage with the community, and explore advanced security practices to safeguard their applications against evolving threats. This engaging episode sets the stage for a deep dive into the technical aspects of web security at the OWASP Global AppSec event.

Top Questions Addressed

Be sure to follow our Coverage Journey and subscribe to our podcasts!

____________________________

Follow our OWASP AppSec Global Lisbon 2024 coverage: https://www.itspmagazine.com/owasp-global-2024-lisbon-application-security-event-coverage-in-portugal

On YouTube: 📺 https://www.youtube.com/playlist?list=PLnYu0psdcllTzdBL4GGWZ_x-B1ifPIIBV

Be sure to share and subscribe!

____________________________

Resources

In the Same Site We Trust: Navigating the Landscape of Client-side Request Hijacking on the Web (Session): https://owaspglobalappseclisbon2024.sched.com/event/1VdAy/in-the-same-site-we-trust-navigating-the-landscape-of-client-side-request-hijacking-on-the-web

Learn more about OWASP AppSec Global Lisbon 2024: https://lisbon.globalappsec.org/

____________________________

Catch all of our event coverage: https://www.itspmagazine.com/technology-cybersecurity-society-humanity-conference-and-event-coverage

To see and hear more Redefining CyberSecurity content on ITSPmagazine, visit: https://www.itspmagazine.com/redefining-cybersecurity-podcast

To see and hear more Redefining Society stories on ITSPmagazine, visit:
https://www.itspmagazine.com/redefining-society-podcast

Are you interested in sponsoring our event coverage with an ad placement in the podcast?

Learn More 👉 https://itspm.ag/podadplc

Want to tell your Brand Story as part of our event coverage?

Learn More 👉 https://itspm.ag/evtcovbrf

Episode Transcription

In the Same Site We Trust: Navigating the Landscape of Client-side Request Hijacking on the Web | An OWASP AppSec Global Lisbon 2024 Conversation with Soheil Khodayari | On Location Coverage with Sean Martin and Marco Ciappelli

Please note that this transcript was created using AI technology and may contain inaccuracies or deviations from the original audio file. The transcript is provided for informational purposes only and should not be relied upon as a substitute for the original recording, as errors may exist. At this time, we provide it “as it is,” and we hope it can be helpful for our audience.

_________________________________________

Sean Martin: [00:00:00] And hello everybody. You're very welcome to a new episode of On Location here with Sean and Marco. And you might be wondering where Marco is. He's not here, uh, for a couple of reasons. One, I love AppSec. Marco, not so much. And, uh, two, this is a technical conversation and he tends to, uh, leave me to do those as well. 
 

So, uh, here I am flying solo. We're covering the OOS AppSec global event in Lisbon, which is in a couple of weeks. And I Picked a few topics that, uh, that caught my attention and, uh, some speakers that caught my attention. And so hail is one of those. So hail, thanks for joining me.  
 

Soheil Khodayari: Um, so Hey everyone. Thank you so much for having me and thank you, uh, seen for, uh, having this chat with me. 
 

So it's great to be here with you. So yeah. Yeah, maybe, um, let me introduce myself, the background about me. So I'm Sohail, I'm, uh, a security researcher at [00:01:00] CISPA, um, Center for Information Security here in Saarland, Germany, where I've been working for the past couple of years, uh, doing my PhD here. Um, so my research interests lie in the intersection of web security and privacy, particularly vulnerability detection, larger scale internet measurements, browser security, um, creating new testing techniques and tools. 
 

And I love exploring new attack ideas and inside channels, let's say, um, on the web platform. So I'm delighted to be here on the ITSB Magazine podcast for OWASP and hopefully share some useful insights and takeaways, uh, about request forgery attacks, uh, with, uh, everybody.  
 

Sean Martin: Yes. Uh, thrilled, thrilled to have you on Soheil. 
 

And, uh, yeah, it's, it's, uh, It's stunning that, uh, Request Forgery attacks still exist. Yes. Still, uh, I guess, uh, I guess I shouldn't be surprised. I mean, new, new [00:02:00] people join and new code is written and new, uh, vulnerabilities. Yes. Surface, even if they're, uh, The same method or model, uh, vulnerability from the past. 
 

Um, maybe, maybe let's start there actually. Well, so this is, let me say this first. So Thursday, the 27th of June, 3. 30, you have a session that's called in the same site we trust navigating the landscape of client side request hijacking on the web. And that's the session I wanted to, uh, dig into. And then the topic I wanted to explore with you. 
 

So I think maybe a good place to start is kind of the history of, I always, I tend to, I want to put the C in front of it because it doesn't have to have a C, CS, the cross site, but request forgery attacks. Can you give us a kind of a history of, of those and how they've evolved?  
 

Soheil Khodayari: Absolutely. Yeah. So, um, if you think about a web application, like the accept and process, like Plutoroff user inputs, right? 
 

And these inputs. Uh, come from like [00:03:00] different parties, right? You go to a website, you fill a form, um, submit the form, and there is a request from the same site to the back end of that site, but applications also accept requests by a third party. Uh, uh, endpoints, low, for example, uh, payment, uh, gateways, uh, uh, social media integrations, all those other external services that are custom to each, uh, uh, application and their business logic, right? 
 

So we have like first party inputs and third party inputs that are going to applications. And how do applications know which parties to trust, which requests are, let's say, trusted, which ones are not? Well, back in the days, we decided that, okay, let's use authentication and authorization to, to solve this problem. 
 

So we authenticate users browsers via account credentials, username and passwords, uh, to say that, okay, this [00:04:00] request is coming from this user. Trust that party from this specific user, or we created like, uh, API keys, uh, authorization tokens for like, uh, service to service, like, uh, integrations. And it seems back then that if we can just reject untrusted requests, uh, problem is solved. 
 

Well, it turned out 20 years ago, not because attackers can, um, abuse trusted requests to cause unintended, let's say changes. So imagine that you go to your banking, uh, site, you log in with your account. And then in another tab of your browser, you open a page that you don't know at the time is an attack page. 
 

And that page can send a request to your banking, uh, site. And if your banking site is vulnerable, this can easily lead to an illicit money transfer or any other, let's say, damage, uh, to you. [00:05:00] And here, the application is, uh, uh, abusing, um, uh, the fact that your browser is, uh, trusted, is authenticated within the banking application, and it can send cross site requests, requests from the attacker's domain to the banking domain. 
 

So they are across two sites. And that's why back in the days, this class of attacks were called cross site request forgery or shortly CSIRF. And, um, hopefully nowadays we know how to defend against these attacks. There are a plethora of robust defenses, uh, to mitigate these attacks. Uh, so for example, anti forgery tokens, you can just add One nuns or, uh, non guessable token to the request and the attacker cannot reliably reconstruct the request because they cannot guess the token. 
 

So the defense is actually very, uh, simple. But what happened was that, um, as applications evolved, [00:06:00] they uh, shifted. Many of the functionalities to the client side code. So, uh, we have like applications like out of Photoshop completely running in your, uh, browser. Uh, many of these applications like Google docs, uh, lots of like client side code. 
 

So, uh, Um, this recent approach to client side task offloading actually introduced, um, like many more, uh, complex, let's say, vulnerabilities.  
 

Sean Martin: Um, Can you describe, describe one or, or two or whatever, not, don't get anything away from this session, but, uh, absolutely. Yeah, something that's kind of paint a picture for us. 
 

Soheil Khodayari: Yeah, absolutely. So crystat is scripting, uh, vulnerabilities. So now we are, um, we have the problem of input validation again. So before, um, the problem I described, the root cause. was somehow called confused deputy because, um, the browser is tricked into sending an authenticator request, uh, but it's not the user intention. 
 

So it was an unintended request and that's called [00:07:00] confused deputy flow. But now, uh, when we shift the client side, when we shift the functionality to client side, we, uh, are, um, run into essentially input validation flaws. So you take some input from the user, um, and the clients and you don't validate it, but you. 
 

somehow executed, interpreted as code. And this leads to arbitrary code execution, essentially, which is worse than like, um, somehow only cross site request forgery before, because now attacker can execute any code. It can send requests. Um, um, so now we have these requests, uh, that are created essentially in, in the client side, um, um, and sent, uh, via the client side JavaScript code. 
 

And in the same side, we trust that the talk that we're having is essentially how you can, uh, abuse or leverage these, uh, same side requests to cause, uh, [00:08:00] CSRF attacks that normally you should not be able to do because of like robust countermeasures that we have. But what if we abuse the same site requests that are generated by the client side code? 
 

So that's more or less, uh, let's say, uh, how the attack works and, um, uh, how it correlates to, to the early days. Uh, of the CSRF.  
 

Sean Martin: Nice. The, um, I, I can't help, but, uh, you have a picture behind you on your whiteboard. Is that JavaScript jumping the shark or did I miss?  
 

Soheil Khodayari: Yes, yes, exactly. So this is actually, um, uh, logo of the first version of the tool that we created to detect these attacks called client side CSRF. 
 

So now we have CSRF and like back in the days, maybe five years ago, we came up with the term like client side C SERV, particularly because of the vulnerability that affected Facebook, let's say in [00:09:00] 2018, they called it client side C SERV. So we just adopted the term like, um, uh, from the, uh, post. And, um, yeah, back then we focused only on like client side C SERV, which is one variant. 
 

But recently we focused on like other types of requests that the browser can, can send. So browsers can send WebSocket connections. So you have this full duplex, like bi directional channels. You have service and events, uh, synchronous requests. So there are a plethora of requests. types of requests that the browser can can send, um, not just like asynchronous ones like the one of client side C SERV. 
 

Um, and then we came up with the term request hijacking, meaning if you can control the requests the application is is doing normally and somehow hijack it to your advantage, uh, to cause like damage.  
 

Sean Martin: Yeah, and of course, uh, Yeah, I was talking to Jim Manico the other day and one of the things we [00:10:00] touched on was it, it's not just manipulating code necessarily to do something, you can, you can mess with the logic of the application, so. 
 

And then the data, right? So the data no longer has integrity in and out and, uh, exactly. Tons, tons of fun stuff to consider there. I, I want to, um, where was I gonna go? The, I guess the, the question I had, I know there's been a lot of investment in the development in the, the browser technologies. Right. And a lot of the. 
 

A lot of browsers using a lot of the same shared services, but what's the state of the browsers? Are they all kind of equally vulnerable to these types of attacks or what's going on there? Absolutely.  
 

Soheil Khodayari: So browsers, um, actually this is, uh, so in this particular attack, like in the client side variant, browsers, So it's mostly the flow of the application that is not validating input.[00:11:00]  
 

In the traditional CISR 1, actually, browser was the party that was tricked into, like, making the request and browsers since then, like, uh, created, like, defense in depth solutions for applications, um, called same site cookies. So which, uh, essentially restricts the cookies or these, uh, authentication, uh, tokens of, uh, let's say the, um, uh, website to the same request context. 
 

So they do not submit the cookies, um, in cross site request context by default, by a strict dose. And this will fix, um, most classes of, let's say, uh, CSERF attacks, um, including definitely the traditional ones. Um, but this won't mitigate, uh, client side, uh, CSERF because it's essentially abusing same side requests, not cross side requests. 
 

So those are legitimate requests that contain anti CSERV tokens, random tokens that the applications [00:12:00] have. Um, they are same set requests, so same set cookies will not essentially impact them. And these are because of the application flaws. So application takes some input from, I don't know, URL and they just, uh, use it, um, for instance, as the endpoint to which the asynchronous request is submitted. 
 

Um, and this request can have, for instance, sensitive information, right? So if an attacker sends this request now to his own domain, they can hijack sensitive information included in the request. So the consequence is not any more, um, on the application, but this can also be on the user because the private data belongs to the user. 
 

So it's much more, um, the impact is much more, let's say, diverse, uh, and consequential, let's say, so to say. And actually the figure that you see behind me, I forgot to say it. So this is the logo of a vulnerability detection tool we created called JA, JavaScript [00:13:00] Analysis Framework. And this is what I'm going to talk about also at the end. 
 

Not this version, but follow up versions that is able to detect request hijacking vulnerabilities.  
 

Sean Martin: Nice one. So let's, let's, uh, let's wrap Swahil with, um, kind of an overview of the, of the session. Um, because my, my guess is, is that, Engineers might make some assumptions around cross site scripting and, and, and client side and not really understand the nuances of the same site stuff that you're going to be presenting. 
 

So talk to me about how the session is going to go, who should be there. I presume any developers at the conference would be interested in this, but, um, how detailed and, and, uh, down and dirty are you to get in the session?  
 

Soheil Khodayari: So I think the talk will be, um, appropriate for all audience levels, because I always start from like very basic, like concepts [00:14:00] that is. 
 

Easy, understandable for everybody. But of course it will be most beneficial to developers and, uh, uh, security professionals who want to learn more about request hijacking, how to defend their applications against these class of attacks, uh, checking if they are vulnerable, learning how to use our, uh, automated vulnerability detection tool. 
 

Hopefully integrated in their CI CD pipelines and so on. Um, but, uh, on the other hand, it will also be, um, I think good for, like, people that are, like, totally beginners to, to learn about these, like, new class of attacks and get yourself, like, familiar with, uh, um, with the evolving landscape of, let's say, request forgery attacks. 
 

Sean Martin: Evolving landscape. You sound like AI either. Every prompt responds to the evolving landscape.  
 

Soheil Khodayari: I mean, this is, yes. I think that the, the, um, request forgery, uh, I [00:15:00] think landscapes, absolutely evolving, right? Because the complexity of applications are rising, particularly the client side code. So, uh, we have all these types of like requests and, um, yeah, the client side complex, uh, complexity is only evolving. 
 

So thereby the request forgery, uh, vulnerabilities in the client side. 
 

Sean Martin: Tons of stuff to consider. Uh, you can start by attending the session in the same site. We trust navigating the landscape of client side request hijacking on the web. That's Thursday, the 27th OWASP Global AppSec in Lisbon. So he'll thanks for, uh, for taking the time to share with me today. Congratulations on getting that spot to speak at OWASP in Lisbon. 
 

I look forward to meeting you in person.  
 

Soheil Khodayari: Sure. Yeah, of course. Uh, thank you so much for having me and thanks for this great and interesting chat. So, um, see you in Lisbon and, um, yeah, hope to talk to lots of you, um, in [00:16:00] person in, uh, Lisbon.  
 

Sean Martin: Exactly, exactly. So anybody who's, uh. Building web apps, uh, go, go connect with Soheil, attend a session and, uh, start a conversation and hopefully I'll see you all there as well. 
 

And, uh, thanks everybody for listening and watching, if you're watching this. And, uh, please stay tuned. There's more coming to you on location, even if there's chats on the road like this one, uh, ahead of time, uh, from OWASP, AppSec Global in Lisbon. Thanks everybody. Thank you.