Two vulnerable websites which were found to be vulnerable to CRLF injection, caused Google Chrome to behave differently. This trigged an exciting research journey ending in finding weaknesses in reverse proxies, Chrome and other browsers as well as a new hacking technique named Frontend server hijacking or Frontjacking in short. Frontjacking combines CRLF injection, poorly configured servers and shared hosting, enables attackers to execute any reflected XSS and phishing related payloads while bypassing any defensive mechanisms including CSP (Content Security Policy), HttpOnly cookie attributes, WAFs (Web Application Firewalls), CORS (Cross Origin Resource Sharing) and HTTPS certificate validation.

Designed for private and public sector infosec professionals, the two-day OWASP conference equips developers, defenders, and advocates to build a more secure web. We are offering educational 2-day training courses on February 13-14 followed by the conference and exhibition days February 15-16.

Down the Rabbit Hole: A journey towards a weakness in Chrome & a new hacking technique

Conference: Global AppSec Dublin 2023

Authors: Gil Cohen, Omri Inbar

Abstract

Post a comment

Related work