Cross-Protocol Request Forgery

Server-Side Request Forgery (SSRF) and Cross-Site Request Forgery (CSRF) are two attack
methods that enable attackers to cross network boundaries in order to attack applications,
but can only target applications that speak HTTP. Custom TCP protocols are everywhere:
IoT devices, smartphones, databases, development software, internal web applications, and
more. Often, these applications assume that no security is necessary because they are only
accessible over the local network. This paper aims to be a definitive overview of attacks
that allow cross-protocol exploitation of non-HTTP listeners using CSRF and SSRF, and also
expands on the state of the art in these types of attacks to target length-specified protocols
that were not previously thought to be exploitable.


Published date: 10 April 2018

