Detect Client-Side Path Traversal
A Client-Side Path Traversal (CSPT) attack, also known as "On-Site Request Forgery", is a vulnerability that can serve as a building block for CSRF or XSS attacks.
CSPT exploits the client-side code's ability to make requests (e.g. with fetch) by injecting ../ sequences into a URL that the code later uses to build a request. When the browser normalizes the resulting path, the request is sent to an unintended endpoint or directory. Because the request is issued by the victim's browser, it carries the victim's cookies or login data, so it can expose sensitive data or perform actions on the victim's behalf.
Our example scenario looks for potentially malicious URLs inside Office, ODF, HTML, PDF and Text objects.
Click on the download button below to get the scenario and then upload it using the Contextal Console or the ctx command-line tool (when using the latter, don't forget to reload the remote scenarios after adding a new one!).
{
  "name": "Client-Side Path Traversal",
  "min_ver": 1,
  "max_ver": null,
  "creator": "Contextal",
  "description": "Alert on possible Client-Side Path Traversal attack.",
  "local_query": "(\n (object_type == \"Office\" || object_type == \"ODF\") && \n @match_object_meta($hyperlinks iregex(\"\\\\?.*[=/](\\\\.|%2e){2}/\"))\n) || (\n object_type == \"HTML\" &&\n @match_object_meta($href iregex(\"\\\\?.*[=/](\\\\.|%2e){2}/\"))\n) || (\n (object_type == \"PDF\" || object_type == \"Text\") \n && \n @match_object_meta($uris iregex(\"\\\\?.*[=/](\\\\.|%2e){2}/\"))\n)",
  "context": null,
  "action": "ALERT"
}
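The regex in the scenario's local_query above looks, after the "?", for a ../ (or percent-encoded %2e%2e/) sequence preceded by = or /. It inspects only the query string because a ../ in the path component is collapsed by the browser before the request is sent and never reaches the page's JavaScript; only a traversal that survives inside a query parameter can later be concatenated into a second request. As an added illustration that is not code from the Contextal page or product, the JavaScript below models both sides: a front end that reads a query parameter and concatenates it into a fetch() path, and a port of the scenario's regex run over a few constructed URLs. The host shop.example, the id parameter and the /api/items/ prefix are assumptions made for the example.

```javascript
// Added example (not part of the Contextal scenario or documentation):
// a model of a Client-Side Path Traversal plus a JavaScript port of the
// scenario's detection regex. shop.example, the "id" parameter and the
// "/api/items/" prefix are constructed for illustration.

// Port of the scenario's iregex: after the "?", a "../" (or "%2e%2e/")
// that is preceded by "=" or "/". Case-insensitive, as iregex is.
const CSPT_RE = /\?.*[=/](\.|%2e){2}\//i;

function looksLikeCspt(url) {
  return CSPT_RE.test(url);
}

function flagUrls(urls) {
  return urls.filter(looksLikeCspt);
}

// Model of a vulnerable front end: it reads "id" from the page's query
// string and concatenates it into an API path it would hand to fetch().
// Instead of calling fetch() we compute the URL the browser would actually
// request; that is where the "../" takes effect, because URL normalization
// collapses the dot segments.
function resolveApiRequest(pageUrl) {
  const page = new URL(pageUrl);
  // searchParams.get() percent-decodes, so "%2e%2e%2f" arrives as "../".
  const id = page.searchParams.get("id") || "";
  const intendedPrefix = "/api/items/";
  const target = new URL(intendedPrefix + id + "/details", page.origin);
  return {
    requested: target.pathname + target.search,
    // true when the traversal escaped the endpoint the developer intended
    escapedApi: !target.pathname.startsWith(intendedPrefix),
  };
}

// Constructed sample URLs, as they might be extracted from a document.
const SAMPLE_URLS = [
  "https://shop.example/view?id=42",                                    // benign
  "https://shop.example/view?id=../../admin/users/1/delete?x=",          // plain traversal
  "https://shop.example/view?id=%2e%2e/%2e%2e/admin/users/1/delete",     // dots encoded
  "https://shop.example/static/../img/logo.png",                         // "../" in path, not query
  "https://shop.example/view?id=%2e%2e%2F%2e%2e%2Fadmin/users/1/delete", // slashes encoded too
];

// Walk the samples: show what the scenario would flag and where the
// modelled front end would really send its request.
for (const u of SAMPLE_URLS) {
  const r = resolveApiRequest(u);
  console.log(
    looksLikeCspt(u) ? "FLAGGED" : "clean  ",
    u,
    "->",
    r.requested,
    r.escapedApi ? "(escaped /api/items/)" : ""
  );
}
```

The second and third samples are flagged and, in the modelled front end, both end up requesting /admin/users/1/delete instead of anything under /api/items/. The fourth sample carries its ../ in the path, where the browser normalizes it before the page's code ever sees it, so it is correctly left alone. The last sample is the caveat: the scenario's regex requires a literal / after the two dots, so a link with the slashes percent-encoded as %2F is not flagged even though searchParams decodes it and the traversal still works in the front end; if that matters for your traffic, allow (/|%2f) in place of the final / in the regex.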