Cross-Site Request Amplification Attack
There is a specific, unacknowledged scenario that most companies reject when an attacker-controlled request forgery is reported. Here I share a novel approach on
Introduction
Cross-Site Request Amplification (CSRA/XSRA) is a web vulnerability where an attacker is able to exploit HTTP request controls to magnify the amount of bandwidth a target receives during a Denial of Service. As an example, if an attacker sends 100Mbps of traffic directly to a target, an amplification attack lets the attacker make the target server receive X times 100Mbps. This is possible because the attacker does not send the traffic directly to the target; instead the attacker sends the traffic to an “amplificator” client, which then sends the amplified traffic to the target.
Cross-Site Request Amplification Definition
Cross-Site Request Amplification (CSRA/XSRA) is a type of Denial of Service technique where an attacker can exploit a controlled response received by a vulnerable HTTP client to send a significant number of unauthorized requests to an attacker-defined target.
There are two identified groups of subtechniques that can be used to exploit Cross-Site Request Amplification:
Technique: Server-Side Request Amplification
- Possible Trigger: SSRF, XXE, HRS, etc.
- Vulnerable Assets: Headless Browsers, Request Libraries, URL Clients, among others.
Technique: Client-Side Request Amplification
- Possible Triggers: CSRF, ClickJacking, XS-Leaks, etc.
- Vulnerable Assets: Web Browsers, HTTP Clients, Email Clients, WebViews, among others.
An XSRA is a vulnerability that will be found based on this definition:
- Requires the HTTP CLIENT to process an attacker-controlled URL
- Requires the HTTP CLIENT to process an attacker-controlled response
- Is able to amplify requests based on response
- Can be exploited Client-Side or Server-Side
The key exploitation part of an XSRA is the controlled response, where the attacker injects a header that makes the HTTP client perform unauthorized actions.
A high-confidence XSRA-vulnerable HTTP client should fulfil the following characteristics:
- The attacker must control at least one (1) URL requested by the tested HTTP Client.
- The tested HTTP Client must send a request to the attacker-controlled URL.
- The request from the tested HTTP Client should resolve DNS.
- The attacker must amplify the number of requests made by the HTTP Client with a single HTTP Response.
With all of this combined, it should be possible to use legitimate infrastructure to amplify HTTP requests and use them to run high-power reflected Denial of Service (DoS) attacks.
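The four characteristics above are also the checklist a defender can turn into a test: if a single response can steer a client into more than a bounded number of follow-up requests, or to a host the client was never asked to contact, the client is an amplifier. The following is an added example, not code from the original post or from any named client library. It wraps an injectable transport (`send`, a hypothetical callable standing in for the real client) with a request budget and a host allow-list, records every URL actually requested, and reports the amplification factor of one fetch. The `Response` class, `fetch_with_budget`, and `make_counting_transport` are all assumptions introduced here, and the transports in the test section are constructed, not real servers.

```python
# Added example (not from the original post): a request-budget wrapper that
# keeps an HTTP client from being turned into an amplifier by one controlled
# response. The transport is injected so the whole thing runs offline.
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional, Tuple
from urllib.parse import urljoin, urlsplit

REDIRECT_STATUSES = {301, 302, 303, 307, 308}


@dataclass
class Response:
    """Minimal response shape (hypothetical; stands in for a real client's object)."""
    status: int
    headers: Dict[str, str]
    body: bytes = b""

    def header(self, name: str) -> Optional[str]:
        # Header names are case-insensitive, so compare case-folded.
        wanted = name.lower()
        for key, value in self.headers.items():
            if key.lower() == wanted:
                return value
        return None


class RequestBudgetExceeded(Exception):
    """One caller-initiated fetch would cost more requests than allowed."""


class HostNotAllowed(Exception):
    """A response tried to steer the client to a host off the allow-list."""


def fetch_with_budget(
    url: str,
    send: Callable[[str], Response],
    *,
    max_requests: int = 5,
    allowed_hosts: Optional[Iterable[str]] = None,
) -> Tuple[Response, List[str]]:
    """Fetch `url`, following redirects only while two limits hold:
    1. the total number of requests issued for this fetch stays <= max_requests;
    2. every host contacted is on `allowed_hosts` (None means any host).
    Returns the final response and the list of URLs actually requested, so a
    test can measure how much one controlled response amplified the fetch.
    """
    allowed = None if allowed_hosts is None else {h.lower() for h in allowed_hosts}
    trail: List[str] = []
    current = url
    while True:
        host = (urlsplit(current).hostname or "").lower()
        if allowed is not None and host not in allowed:
            raise HostNotAllowed(f"refusing to contact {host!r} after {len(trail)} request(s)")
        if len(trail) >= max_requests:
            raise RequestBudgetExceeded(f"budget of {max_requests} spent; last URL {trail[-1]!r}")
        resp = send(current)
        trail.append(current)
        location = resp.header("Location")
        if resp.status in REDIRECT_STATUSES and location:
            # The server, not the caller, chose this next URL: treat it as untrusted.
            current = urljoin(current, location)
            continue
        return resp, trail


def amplification_factor(trail: List[str]) -> int:
    """Number of requests one caller-initiated fetch produced (1 means no amplification)."""
    return len(trail)


def make_counting_transport(responder: Callable[[str], Response]):
    """Wrap a fake transport so a test can count how many requests left the client."""
    calls: List[str] = []

    def send(url: str) -> Response:
        calls.append(url)
        return responder(url)

    return send, calls


if __name__ == "__main__":
    # Constructed scenario: every response points the client at yet another URL.
    send, calls = make_counting_transport(lambda u: Response(302, {"location": "/next"}))
    try:
        fetch_with_budget("http://app.example/", send, max_requests=3, allowed_hosts={"app.example"})
    except RequestBudgetExceeded as exc:
        print("stopped:", exc, "| requests issued:", len(calls))
```

The two checks map directly onto the characteristics listed above: the allow-list enforces that a controlled response cannot make the client resolve and contact an attacker-defined host, and the budget bounds how many requests a single response can cost. When reviewing a real client, run its actual transport through the same harness and compare `amplification_factor` against the limit you are willing to tolerate.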