Skip to content

Client Side Path Traversal

Client-Side Path Traversal (CSPT), sometimes also referred to as "On-site Request Forgery," is a vulnerability that can be exploited as a tool for CSRF or XSS attacks.
It takes advantage of the client side's ability to make requests using fetch to a URL, where multiple "../" characters can be injected. After normalization, these characters redirect the request to a different URL, potentially leading to security breaches.
Since every request is initiated from within the frontend of the application, the browser automatically includes cookies and other authentication mechanisms, making them available for exploitation in these attacks.

Tools

CSPT to XSS

A post-serving page calls the fetch function, sending a request to a URL with attacker-controlled input which is not properly encoded in its path, allowing the attacker to inject ../ sequences to the path and make the request get sent to an arbitrary endpoint. This behavior is refered to as a CSPT vulnerability.

Example:

  • The page https://example.com/static/cms/news.html takes a newsitemid as parameter
  • Then fetch the content of https://example.com/newitems/<newsitemid>
  • A text injection was also discovered in https://example.com/pricing/default.js via the cb parameter
  • Final payload is https://example.com/static/cms/news.html?newsitemid=../pricing/default.js?cb=alert(document.domain)//

CSPT to CSRF

A CSPT is redirecting legitimate HTTP requests, allowing the front end to add necessary tokens for API calls, such as authentication or CSRF tokens. This capability can potentially be exploited to circumvent existing CSRF protection measures.

CSRF CSPT2CSRF
POST CSRF ? ✅ ✅
Can control the body ? ✅ ❌
Can work with anti-CSRF token ? ❌ ✅
Can work with Samesite=Lax ? ❌ ✅
GET / PATCH / PUT / DELETE CSRF ? ❌ ✅
1-click CSRF ? ❌ ✅
Does impact depend on source and on sinks ? ❌ ✅

Real-World Scenarios:

  • 1-click CSPT2CSRF in Rocket.Chat
  • CVE-2023-45316: CSPT2CSRF with a POST sink in Mattermost : /<team>/channels/channelname?telem_action=under_control&forceRHSOpen&telem_run_id=../../../../../../api/v4/caches/invalidate
  • CVE-2023-6458: CSPT2CSRF with a GET sink in Mattermost
  • Client Side Path Manipulation - erasec.be: CSPT2CSRF https://example.com/signup/invite?email=foo%40bar.com&inviteCode=123456789/../../../cards/123e4567-e89b-42d3-a456-556642440000/cancel?a=

References