Full Report
Client-side path traversal (CSPT) is a classic path traversal, but on the client side: it tricks client-side code into sending its API request to the wrong endpoint. This can be used to get XSS with the wrong content type, among several other issues, and it pairs usefully with open redirects. At this private in-person competition, the author noticed an API vulnerable to CSPT. The API was used to sign an S3 bucket path on the backend, where the filename was the controlled parameter that formed part of the URL. By URL-encoding the path, we get `/categories/..%2Fredirect%3Furl%3Dmalicious.com`, which resolves to `/categories/../redirect`. Neat! By itself, this isn't very helpful, though. A friend of the author's noticed that using `?redirect=true` on the API would result in a 301 redirect: it returns the file URL instead of the raw contents of the file. This means we may be able to get XSS from it!

Initially, they ran into some CORS issues. Since CloudFront was used for caching, it was caching the initial download of the file without the CORS header, so when the page later tried to access the file, the request failed with a CORS violation. By using ONLY the redirect route instead of the regular file download, this issue can be avoided. Sometimes, debugging web things is complicated and annoying.

This XSS is a self-XSS, because the store is bound to another account or only reachable during the buying process. The application was vulnerable to a login/logout CSRF as well, giving them another primitive to work with. The final piece of the puzzle concerns cookies. Cookies are scoped to a particular path, and there is a limit on the number of cookies that are allowed to exist. Both of these are important for exploitation.

Here's the full exploit path:
1. Add the malicious cart item with the self-XSS to a dummy account.
2. Convince a user to click on your web page.
3. Using this site, a logout/login CSRF logs them into the attacker's dummy account.
4. The self-XSS is triggered on the dummy account. It cookie-bombs (hits the cookie limit of) the current session, then adds our own cookie at the proper path for the CSPT.
5. The server force-logs out the user because of the cookie bomb.
6. The original XSS opens the login page to prompt the user to log in again. This is the trick: there are now two logged-in users! The actual user, and the dummy user at the particular path.
7. The logged-in user is redirected to the CSPT-vulnerable path for the second XSS payload.
8. The second XSS payload calls any of the state-changing APIs they want with the main user's credentials.

The use of scoped cookies to have two session cookies be valid at once is super clever! It's crazy how much effort was required to exploit this. Client-side security is baffling to me.
Analysis Summary
# Tool/Technique: Client-Side Path Traversal (CSPT)
## Overview
Client-Side Path Traversal (CSPT) is a variant of the classic path traversal vulnerability where the control over requested paths occurs on the client-side, often by manipulating parameters used in client-side API calls. The goal is to trick the client application into requesting resources from an unintended location on the server or a different domain, which can then lead to further exploitation like Cross-Site Scripting (XSS) or arbitrary redirects.
## Technical Details
- Type: Technique
- Platform: Web Applications (Client-Side JavaScript/APIs)
- Capabilities: Allows an attacker to influence the URL path/resource requested by the victim's browser during an API call initiated by client-side code (e.g., JavaScript fetch/XHR).
- First Seen: Not specified, but described as a "classic" vulnerability.
## MITRE ATT&CK Mapping
- T1587 - Develop Capabilities
- T1587.001 - Develop Infrastructure: While not directly an infrastructure development, the technique involves leveraging existing client-side code to access external/unintended resources.
- T1566 - Phishing
- T1566.002 - Spearphishing Link: The successful execution relies on tricking a user into clicking a crafted link.
- T1071 - Application Layer Protocol
- T1071.001 - Web Protocols: Exploitation relies on manipulating HTTP/HTTPS requests generated by the client application.
## Functionality
### Core Capabilities
- **Path Manipulation:** Modifying controlled parameters within a URL destined for a client-side API fetch request (e.g., `/categories/[controlled_param]`).
- **Directory Traversal:** Using sequences like `..%2F` (URL encoded `../`) to move up directory structures within the target API endpoint path (e.g., transforming a call to `/api/v2/categories/[file].json` to target a different file entirely by traversing back).
- **Resource Fetching:** Causing the victim's browser to fetch arbitrary JSON files or other served resources from the application's backend by controlling the requested path.
### Advanced Features
- **Chaining with Redirects:** When paired with an open redirect vulnerability, CSPT can redirect the victim's browser to an entirely external, attacker-controlled endpoint (`malicious.com`), enabling the serving of attacker-controlled content (e.g., a malicious JSON file designed to trigger XSS).
- **Bypassing Security Controls:** Successful use of the redirect route instead of the standard file download route helped bypass Cross-Origin Resource Sharing (CORS) security headers applied by caching layers like CloudFront.
- **Enabling Complex Chains:** Served as the initial primitive to enable a multi-step exploitation chain involving Self-XSS, Login/Logout CSRF, and Cookie Bombing to achieve a full Account Takeover.
## Indicators of Compromise
- File Hashes: N/A
- File Names: N/A. Relies on manipulating existing API endpoints (e.g., `/api/v2/[filename].json`).
- Registry Keys: N/A
- Network Indicators: Crafting URLs containing traversal sequences targeting vulnerable endpoints, potentially redirecting traffic to external domains (e.g., `malicious.com` in the context, though the final redirection target is attacker-controlled).
- Behavioral Indicators: Client-side JavaScript making anomalous HTTP requests to paths outside of expected application structure, especially those utilizing encoded path traversal sequences.
## Associated Threat Actors
This technique was described in the context of a bug bounty exploit chain conducted by independent security researchers.
## Detection Methods
- Log monitoring for unusual sequences in request paths corresponding to client-side API calls.
- Static/Dynamic Application Security Testing (SAST/DAST) to check client-side code for improper reflection of URL parameters into fetch/XHR requests (`innerHTML` usage of fetched content is a major red flag).
- Identifying API endpoints that dynamically construct resource paths based on user-controlled URL inputs.
## Mitigation Strategies
- **Input Validation:** Strictly validate or sanitize all user-controlled parameters used in constructing internal API request paths on the client-side before initiating the request.
- **Use Safe APIs:** Where possible, use APIs that fetch data based on explicit resource identifiers rather than allowing arbitrary paths constructed from URL path segments.
- **Origin Binding:** Ensure that client-side code fetching sensitive resources is strictly bound to expected endpoints and resource types.
- **Strict Content Security Policy (CSP):** Implement robust CSP headers to limit where scripts can be loaded from and executed, mitigating potential XSS results from successful traversals.
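The three pieces above (the `..%2F` path manipulation under Core Capabilities, the log monitoring under Detection Methods, and the input validation under Mitigation Strategies) fit in one short script. The following is an added example, not code from the original write-up or from the application it describes: it shows how a client-side API path built from a decoded URL segment collapses under the browser's URL parser, a hardened builder that validates the raw segment before encoding it, and a detector that flags percent-encoded traversal sequences in access-log lines. The origin `https://app.example`, the `/api/v2/categories/` prefix and the sample log lines are constructed for illustration.

```javascript
// Added example (not from the original write-up). Origin, endpoint and log
// lines below are constructed stand-ins.

const API_ORIGIN = 'https://app.example'; // assumed origin, not from the page

// Vulnerable builder: decodes the route parameter (as many frameworks do) and
// interpolates it straight into the API path. The URL parser then collapses
// "/api/v2/categories/../redirect" into "/api/v2/redirect", so the fetch goes
// to a different endpoint than the code intended.
function buildApiUrlVulnerable(filename) {
  const decoded = decodeURIComponent(filename);
  return new URL(`/api/v2/categories/${decoded}`, API_ORIGIN).href;
}

// Hardened builder: validate the still-encoded segment against an allowlist,
// encode it, and confirm the resolved request stays under the expected prefix.
const SAFE_SEGMENT = /^[A-Za-z0-9_-]{1,64}$/;

function buildApiUrlHardened(filename) {
  if (!SAFE_SEGMENT.test(filename)) {
    throw new Error('rejected filename segment');
  }
  const url = new URL(`/api/v2/categories/${encodeURIComponent(filename)}`, API_ORIGIN);
  // Defence in depth: the parser must not have moved us out of the prefix.
  if (!url.pathname.startsWith('/api/v2/categories/')) {
    throw new Error('resolved path escaped the expected API prefix');
  }
  return url.href;
}

// Detection helper for server logs. Browsers collapse a literal "../" before
// sending, so a traversal that reaches the server is almost always percent-
// encoded (sometimes twice). Peel off up to three layers of encoding and look
// for a ".." path segment.
function hasEncodedTraversal(rawPath) {
  let s = rawPath.split('?')[0];
  for (let i = 0; i < 3; i++) {
    let next;
    try { next = decodeURIComponent(s); } catch { break; }
    if (next === s) break;
    s = next;
  }
  return s.split(/[\/\\]/).includes('..');
}

// Runs the detector over common-log-format lines and returns the flagged paths.
function flagTraversalRequests(logLines) {
  const flagged = [];
  for (const line of logLines) {
    const m = line.match(/"(?:GET|POST|PUT|DELETE|HEAD|OPTIONS) (\S+) HTTP/);
    if (m && hasEncodedTraversal(m[1])) flagged.push(m[1]);
  }
  return flagged;
}

// Constructed sample log lines, not real traffic.
const SAMPLE_LOG = [
  '203.0.113.5 - - [01/Jan/2024:10:00:00 +0000] "GET /categories/shoes HTTP/1.1" 200 512',
  '203.0.113.5 - - [01/Jan/2024:10:00:01 +0000] "GET /categories/..%2Fredirect%3Furl%3Dmalicious.com HTTP/1.1" 200 311',
  '198.51.100.9 - - [01/Jan/2024:10:00:02 +0000] "GET /categories/%252e%252e%2Fredirect HTTP/1.1" 200 311',
  '198.51.100.9 - - [01/Jan/2024:10:00:03 +0000] "GET /api/v2/categories/bags.json HTTP/1.1" 200 2048',
];

console.log(buildApiUrlVulnerable('..%2Fredirect%3Furl%3Dmalicious.com'));
console.log(flagTraversalRequests(SAMPLE_LOG));
```

The ordering in the hardened builder is the point: validation runs on the raw, still-encoded segment, and encoding happens after it, so a decoded `../` never exists at the moment the path is assembled. The detector deliberately decodes more than once because a single `decodeURIComponent` would let `%252e%252e` through.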
## Related Tools/Techniques
- Path Traversal (Directory Traversal - Server-Side)
- Cross-Site Scripting (XSS)
- Open Redirect
- Login/Logout CSRF
- Cookie Bombing
---
# Tool/Technique: Login/Logout CSRF
## Overview
A Cross-Site Request Forgery (CSRF) variant targeting user session state changes via login or logout actions. In this context, it was used specifically to force a logged-in user's browser to log into an attacker-controlled "dummy account."
## Technical Details
- Type: Technique
- Platform: Web Applications (Authentication/Session Management)
- Capabilities: Forced state change of the victim's session (e.g., switching the active authenticated account).
- First Seen: Classic web vulnerability dating back to the early 2000s.
## MITRE ATT&CK Mapping
- T1557 - Multi-Staged Attack
- T1557.001 - Supply Chain Compromise: While not supply chain, it's a multi-staged primitive used in a complex chain. (Closest fit is session manipulation).
- T1558 - Steal or Forge Authentication Credentials
- T1558.003 - Session Hijacking: Manipulating session state to log into an unintended account serves a similar goal of hijacking active session context.
## Functionality
### Core Capabilities
- **Forced Authentication:** Leveraging a vulnerability where a victim's browser can be tricked into sending a request that executes a login or logout action on the server, potentially authenticating the victim to a different (attacker-controlled) account.
- **Session State Switching:** Used here to log the legitimate user out of their session and simultaneously log them into the attacker's owned session/dummy account, often through sequential requests.
### Advanced Features
- **Chaining with Self-XSS:** Used to execute malicious JavaScript (from the Self-XSS primitive) once the victim is logged into the attacker's dummy account, which initiates cookie manipulation.
## Indicators of Compromise
- Behavioral Indicators: A user session unexpectedly terminating or changing associated user IDs in logs without the user initiating a standard logout action.
- Network Indicators: HTTP requests originating from a victim's session directed at standard login/logout endpoints, especially when triggered by an unrelated external page link.
## Associated Threat Actors
Used widely across web application exploitation, common in bug bounty hunting contexts.
## Detection Methods
- Implementation of anti-CSRF tokens on all state-changing endpoints (login/logout).
- Verifying the origin of session-changing requests (e.g., requiring same-origin checks or checking for expected referrer headers).
## Mitigation Strategies
- Implement strong, unique, session-specific Anti-CSRF tokens for all state-changing actions (like login/logout).
- Set the SameSite attribute on session cookies to **Strict** or **Lax** so that the browser does not attach them to requests initiated from an external site.
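A server-side guard for login and logout handlers that implements the two mitigations above, as an added example that is not code from the original write-up or the affected application. It rejects a state change unless the request is a POST, the browser's Fetch Metadata (or, for older clients, the `Origin`/`Referer` header) says it came from the application's own origin, and the body carries the anti-CSRF token bound to the caller's session. The origin `https://shop.example`, the session store and the sample requests are constructed; in a real deployment the token would be generated with a CSPRNG at session creation, and the pre-login session cookie that carries it would be set with `SameSite=Lax` so a cross-site POST never presents it.

```javascript
// Added example (not from the original write-up). Origin, sessions and
// requests are constructed stand-ins for a real HTTP server's objects.

const APP_ORIGIN = 'https://shop.example'; // assumed, not from the page

// Was this request initiated by our own pages? Prefer the Fetch Metadata
// header, which modern browsers send on every request and which a page on
// another site cannot forge; fall back to Origin/Referer for older clients.
function isSameOriginRequest(headers) {
  const site = headers['sec-fetch-site'];
  if (site !== undefined) return site === 'same-origin';
  let origin = headers['origin'];
  if (!origin && headers['referer']) {
    try { origin = new URL(headers['referer']).origin; } catch { origin = undefined; }
  }
  return origin === APP_ORIGIN;
}

// Compare tokens without leaking where they differ.
function constantTimeEqual(a, b) {
  if (typeof a !== 'string' || typeof b !== 'string' || a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Gate for /login and /logout. Login CSRF is only stopped if the token is
// bound to a session that exists *before* authentication, so the login page
// must create a session and issue the token when it is rendered.
function authorizeSessionChange(req, sessions) {
  if (req.method !== 'POST') return { ok: false, reason: 'method' };
  if (!isSameOriginRequest(req.headers)) return { ok: false, reason: 'cross-site' };
  const session = sessions.get(req.cookies.session);
  if (!session) return { ok: false, reason: 'no-session' };
  if (!constantTimeEqual(req.body.csrf_token, session.csrfToken)) {
    return { ok: false, reason: 'token' };
  }
  return { ok: true };
}

// Constructed session store; the token value is a placeholder, not a real one.
const SESSIONS = new Map([['s1', { csrfToken: 'tok-s1-constructed' }]]);

// Constructed requests: a legitimate form post, a cross-site post from a modern
// browser, a cross-site post from a legacy browser, and a same-origin post
// carrying the wrong token.
const LEGIT_REQUEST = {
  method: 'POST',
  headers: { 'sec-fetch-site': 'same-origin' },
  cookies: { session: 's1' },
  body: { csrf_token: 'tok-s1-constructed' },
};
const CROSS_SITE_REQUEST = { ...LEGIT_REQUEST, headers: { 'sec-fetch-site': 'cross-site' } };
const LEGACY_CROSS_SITE_REQUEST = { ...LEGIT_REQUEST, headers: { origin: 'https://other.example' } };
const WRONG_TOKEN_REQUEST = { ...LEGIT_REQUEST, body: { csrf_token: 'tok-s1-wrong-value' } };

console.log(authorizeSessionChange(LEGIT_REQUEST, SESSIONS));
console.log(authorizeSessionChange(CROSS_SITE_REQUEST, SESSIONS));
```

The order of the checks matters for logging: a request rejected as `cross-site` is a strong behavioral indicator of the forced login/logout described above and is worth alerting on, whereas a `token` failure is usually a stale form.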
## Related Tools/Techniques
- Cross-Site Request Forgery (CSRF)
- Session Hijacking
- Account Takeover (ATO)
---
# Tool/Technique: Self-XSS
## Overview
A Cross-Site Scripting vulnerability where the payload can only be injected directly by the user into a location on the page accessible only to that user’s context (e.g., a developer console input or a specific client-side data binding point tied only to that session). For exploitation, it requires chaining with another technique to get the payload executed in a different context.
## Technical Details
- Type: Technique
- Platform: Web Applications (Client-Side Rendering)
- Capabilities: Allows injection of arbitrary JavaScript that executes within the context of the current user session, typically used here to perform cookie manipulation.
- First Seen: Classic XSS variant, often seen in applications where unsanitized data is bound to `innerHTML`.
## MITRE ATT&CK Mapping
- T1059 - Command and Scripting Interpreter
- T1059.003 - Windows Command Shell: In the browser context, this maps to client-side scripting execution.
- T1189 - Drive-by Compromise: While typically drive-by refers to automatic exploitation, here it's triggered by user interaction (clicking the link) leading to execution.
## Functionality
### Core Capabilities
- **Payload Execution:** Running attacker-controlled script within the victim's browser session context when viewing the vulnerable page/item.
- **Session-Bound Execution:** The injection is tied specifically to the account where the malicious item was first added (the "dummy account" in this exploit).
### Advanced Features
- **Cookie Manipulation:** The primary goal of triggering this Self-XSS was to execute script that manipulates cookies: specifically, "cookie bombing" (hitting the allowed cookie limit) and setting a specific, malicious cookie scoped to the CSPT path.
## Indicators of Compromise
- Behavioral Indicators: Unusual client-side API calls or DOM manipulation occurring immediately after a user interacts with a specific feature (like viewing a cart).
- Specific Payloads: Scripts designed not for immediate data theft but for cookie management operations.
## Associated Threat Actors
Common in bug bounty reports; often exploited when developers fail to impose sufficient sanitization, especially in profile/cart rendering.
## Detection Methods
- Strict Content Security Policy (CSP) blocking inline scripts or scripts from untrusted sources.
- SAST/DAST focusing on sinks like `innerHTML` where user-controllable input is reflected.
## Mitigation Strategies
- **Avoid `innerHTML`:** Use safer DOM insertion methods like `textContent` or DOM manipulation APIs that do not parse HTML strings.
- **Proper Input Sanitization:** Ensure all user-supplied data reflected in the client-side view is rigorously sanitized to remove HTML tags and event handlers, even if the vulnerability is classified as Self-XSS initially.
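The two mitigations above in code, as an added example that is not from the original write-up or the affected application: a cart item name rendered through `textContent`, which never parses markup, beside an escaping helper for the cases where a string must become HTML. The item structure, the classic probe string used as the item name, and the minimal `document` stub that lets the snippet run outside a browser are all constructed for illustration.

```javascript
// Added example (not from the original write-up). Item, probe string and the
// document stub are constructed so the snippet runs in Node as well as a browser.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the five characters that can break out of text or attribute context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// String-template path: acceptable only when every interpolated value is escaped.
function cartItemHtml(item) {
  return `<li class="cart-item" data-id="${escapeHtml(item.id)}">${escapeHtml(item.name)}</li>`;
}

// DOM path: assign text, never markup. Pass the real `document` in a browser;
// the stub below stands in for it here.
function renderCartItem(doc, item) {
  const li = doc.createElement('li');
  li.className = 'cart-item';
  li.dataset = { id: String(item.id) };
  li.textContent = item.name; // the browser displays "<img ...>" as literal text
  return li;
}

// Minimal stand-in for document.createElement (constructed, not a DOM library).
const STUB_DOCUMENT = {
  createElement: (tag) => ({ tagName: tag.toUpperCase(), className: '', dataset: {}, textContent: '' }),
};

// Constructed cart item whose name is a well-known XSS probe; harmless here
// because neither render path hands it to an HTML parser.
const PROBE_ITEM = { id: 42, name: '<img src=x onerror=alert(1)>' };

console.log(cartItemHtml(PROBE_ITEM));
console.log(renderCartItem(STUB_DOCUMENT, PROBE_ITEM).textContent);
```

Note that `escapeHtml` is only correct for text nodes and quoted attribute values; a value placed inside a URL, a `style` attribute or an inline script needs its own context-specific encoding, which is one more reason to prefer the `textContent` route.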
## Related Tools/Techniques
- Cross-Site Scripting (XSS)
- Cookie Theft/Manipulation
- Path Traversal (used to exploit subsequently)
---
# Tool/Technique: Cookie Bombing / Scoped Cookie Placement
## Overview
This refers to two related concepts used simultaneously to achieve session control:
1. **Cookie Bombing:** Intentionally exceeding the client's limit for the number of cookies that can be stored for a domain, forcing the browser to delete older or less significant cookies.
2. **Scoped Cookie Placement:** Setting a new cookie scoped to a specific path (the CSPT-vulnerable path) so that it survives the cookie bombing and is sent only on requests to that path, where the CSPT primitive is triggered.
## Technical Details
- Type: Technique
- Platform: Browser/Client-Side interaction, utilizing HTTP cookie specification features.
- Capabilities: A denial-of-service technique against session persistence in order to make space for a more critical session artifact (the attacker's desired cookie).
- First Seen: Classic browser security primitive exploitation.
## MITRE ATT&CK Mapping
- T1554 - Compromise Software Supply Chain (Related to tampering with local system configurations like browser storage)
- T1003 - OS Credential Dumping (By manipulating authentication tokens/cookies)
## Functionality
### Core Capabilities
- **Cookie Limit Trashing:** Triggering the browser to forcefully evict existing session cookies by setting many insignificant cookies (Cookie Bombing).
- **Persistence Setting:** Immediately planting two critical cookies: one that forces a logout (due to session expiration/conflict) and another cookie scoped to a specific path that ensures authentication in the subsequent login step.
### Advanced Features
- **Dual Session Persistence:** The final successful step relies on the highly clever ability of the server to honor *two* valid session cookies concurrently for two different users (the victim and the dummy account), differentiated by the path they are scoped to, allowing the final XSS payload to run under the victim's main user credentials.
## Indicators of Compromise
- Network Indicators: An unusually large number of `Set-Cookie` headers being exchanged during the session.
- Behavioral Indicators: User session abruptly ending or requiring re-authentication immediately following interaction with a specific page.
## Associated Threat Actors
Technique seen as advanced exploitation methodology in high-value bug bounty hunting.
## Detection Methods
- Monitoring client-side storage for unusual accumulation or rapid deletion of cookies.
- Server-side checks that enforce strict controls on session cookie creation and expiration mechanisms.
## Mitigation Strategies
- **Cookie Management Limits:** Applications should not rely solely on browser-enforced cookie limits as a security boundary; session limits should be server-enforced.
- **Secure Session Handling:** Implement mechanisms to invalidate all previous sessions upon critical changes or suspicious activity.
- **Strict Path Scoping:** Ensuring that path attributes on session cookies are correctly defined to limit potential unauthorized persistence across different application segments.
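The "dual session persistence" above comes down to a browser rule: cookies are keyed by name, domain and path, so a `session` cookie scoped to a sub-path coexists with the site-wide one, and on a request under that sub-path the browser sends both. The following added example, not code from the original write-up or the affected application, simulates that cookie jar, parses the resulting `Cookie` header the way a server should (keeping duplicates visible rather than silently taking the first), and shows the two fixes that close the gap: refusing an ambiguous session cookie, and naming the session cookie with the `__Host-` prefix, which the browser only accepts with `Path=/`. The paths, cookie names and session ids are constructed.

```javascript
// Added example (not from the original write-up). Jar contents, paths and
// session ids are constructed stand-ins.

// RFC 6265 section 5.1.4 path-match: the cookie path must equal the request
// path or be a prefix of it ending at a "/" boundary.
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith('/') || requestPath[cookiePath.length] === '/';
}

// The Cookie header a browser would send for a request path: every matching
// cookie, longer (more specific) paths first, as section 5.4 requires. This is
// why a path-scoped duplicate lands *ahead* of the site-wide session cookie.
function cookieHeaderFor(jar, requestPath) {
  return jar
    .filter((c) => pathMatches(requestPath, c.path))
    .sort((a, b) => b.path.length - a.path.length)
    .map((c) => `${c.name}=${c.value}`)
    .join('; ');
}

// Server side: name -> [values]. Most cookie parsers collapse duplicates to the
// first value, which here would be the path-scoped one.
function parseCookieHeader(header) {
  const out = new Map();
  for (const part of header.split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    if (!out.has(name)) out.set(name, []);
    out.get(name).push(part.slice(idx + 1).trim());
  }
  return out;
}

// Mitigation 1: a session cookie that arrives more than once is ambiguous.
// Refuse the request instead of guessing which one the user "is".
function resolveSession(cookieHeader, sessionCookieName = 'session') {
  const values = parseCookieHeader(cookieHeader).get(sessionCookieName) || [];
  if (values.length === 0) return { ok: false, reason: 'no session cookie' };
  if (values.length > 1) return { ok: false, reason: 'ambiguous session cookie' };
  return { ok: true, sessionId: values[0] };
}

// Mitigation 2: the browser-side rule for the "__Host-" prefix (RFC 6265bis):
// such a cookie must be Secure, carry no Domain attribute and have Path=/.
// Naming the session cookie "__Host-session" makes a path-scoped duplicate
// impossible to set, from script or from a Set-Cookie header.
function browserAcceptsCookie(cookie) {
  if (!cookie.name.startsWith('__Host-')) return true;
  return cookie.secure === true && cookie.domain === undefined && cookie.path === '/';
}

// Constructed jar: the user's site-wide session plus a second "session" cookie
// scoped to an API sub-path.
const CONSTRUCTED_JAR = [
  { name: 'session', value: 'site-wide-session-id', path: '/' },
  { name: 'session', value: 'path-scoped-session-id', path: '/api/v2/categories' },
];

console.log(cookieHeaderFor(CONSTRUCTED_JAR, '/api/v2/categories/shoes'));
console.log(resolveSession(cookieHeaderFor(CONSTRUCTED_JAR, '/api/v2/categories/shoes')));
console.log(resolveSession(cookieHeaderFor(CONSTRUCTED_JAR, '/account')));
```

The server-side check is the one you can deploy today without touching clients; the `__Host-` rename is the structural fix, because it removes the browser's ability to hold two session cookies for the site at all, which is exactly the property the chain above depended on.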
## Related Tools/Techniques
- Session Fixation
- Cookie Theft
- Denial of Service (DoS)