Cross-site leaks
Cross-site leaks, also known as XS-Leaks, are a class of web security vulnerabilities.[1] These classes of vulnerabilities allow an attacker to gain access to sensitive information about a user's browsing session while using other websites.[2] This is done by leveraging side channels inherent to the design of the web platform, such as the use of the :visited CSS attribute or by the use of cache timing to reveal information about a user's previous browsing habits.[3][4][5]
Background
For a web application, or web app, there are two major components: a web browser and multiple web servers. The web browser interacts with the web servers via the HTTP protocol and/or socket connections to render a web application. Certain parts of the web application need to react to user input and/or other client-side logic; this is done by executing HTML, CSS or JavaScript as part of the rendering process. These can be run inside the browser tab or in special embedded frames inside other web applications.[6]
The execution context of these frames is defined using the same-origin policy via the concepts of web origins. A specific web application cannot reach into a different web app's execution context and arbitrarily gain information about the execution state of the other web application. However, a web application can embed content from other web apps using frames or requests to third-party sites via cross-origin requests.[7]
Often, while interacting with a web app in a specific context, a user will be in a set of well-defined states. For example, while browsing a specific website, a user might choose to log in, leading to them being in a 'logged in' state. These states are often synced between the web server and the web browser via the HTTP or socket protocol.[3]
Mechanism
Cross-site leaks allow attackers to break the cross-origin barrier inherent in web application contexts. By leveraging side channels, an attacker origin can execute code to gain information about the state in a different execution context via cross-origin requests or by embedding the victim origin in the attacking web application.[3]
To perform this attack, the attacker must identify a state-dependent URL in the victim application, i.e. a URL that provides different responses depending on the victim application's state. In addition, the attacker must identify a side channel, i.e. a pair consisting of an inclusion method and an observable characteristic that together reveal information about the state-dependent URL. By calling the state-dependent URL from a cross-origin context using the inclusion method and subsequently querying the observable characteristic, an attacker can gain insight into the victim application's state.[4]
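The terminology above can be made concrete with a small constructed model; this is an added illustration, not code from the article or from any of the cited works. It assumes a hypothetical victim app whose /account URL is state-dependent, treats the load/error outcome of a cross-origin inclusion as the observable characteristic, and checks whether a handler leaks state before and after a Fetch Metadata resource-isolation policy (a defense assumed here, not described on the page) is applied.

```python
from dataclasses import dataclass

@dataclass
class Response:
    status: int
    body: bytes

# Constructed victim app: /account is a state-dependent URL. A logged-in user
# gets the page; everyone else is redirected to the login form.
def victim_handler(path: str, logged_in: bool, headers: dict) -> Response:
    if path != "/account":
        return Response(404, b"not found")
    if not logged_in:
        return Response(302, b"")  # redirect to /login
    return Response(200, b"<h1>Welcome back</h1>" * 50)

# Hardened variant (assumed defense): reject cross-site, non-navigation
# requests with the same response regardless of session state, so the
# observable characteristic no longer depends on the user's state.
def hardened_handler(path: str, logged_in: bool, headers: dict) -> Response:
    if (headers.get("Sec-Fetch-Site") == "cross-site"
            and headers.get("Sec-Fetch-Mode") != "navigate"):
        return Response(403, b"")
    return victim_handler(path, logged_in, headers)

# Observable characteristic: the same-origin policy hides the body from a
# cross-origin page, but an inclusion method such as a subresource tag still
# reports whether the request ended in 'load' or 'error'.
def observable(resp: Response) -> str:
    return "load" if resp.status == 200 else "error"

def leaks_state(handler, path: str) -> bool:
    """True if the cross-site observable differs between the two user states."""
    cross_site = {"Sec-Fetch-Site": "cross-site", "Sec-Fetch-Mode": "no-cors"}
    seen = {observable(handler(path, state, cross_site)) for state in (False, True)}
    return len(seen) > 1

if __name__ == "__main__":
    print("unprotected leaks state:", leaks_state(victim_handler, "/account"))
    print("hardened leaks state:", leaks_state(hardened_handler, "/account"))
```

The same check can be run against any handler and path pair to confirm that a defense makes every cross-site observable state-independent while same-origin requests still work.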
References
- "XS Leaks - OWASP Cheat Sheet Series". cheatsheetseries.owasp.org. Retrieved 2023-08-31.
- Van Goethem, Tom; Franken, Gertjan; Sanchez-Rola, Iskander; Dworken, David; Joosen, Wouter (September 6, 2021). Understanding Cross-site Leaks and Defenses (PDF). 2023 IEEE 8th European Symposium on Security and Privacy (EuroS&P), SecWeb Workshop Proceedings. p. 1.
- Knittel, Lukas; Mainka, Christian; Niemietz, Marcus; Noß, Dominik Trevor; Schwenk, Jörg (2021-11-12). "XSinator.com: From a Formal Model to the Automatic Evaluation of Cross-Site Leaks in Web Browsers". Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security. ACM. pp. 1771–1788. doi:10.1145/3460120.3484739. ISBN 978-1-4503-8454-4. S2CID 244077807.
- Rautenstrauch, Jannis; Pellegrino, Giancarlo; Stock, Ben (2023-05-21). "The Leaky Web: Automated Discovery of Cross-Site Information Leaks in Browsers and the Web". 2023 IEEE Symposium on Security and Privacy (SP). pp. 2744–2760. doi:10.1109/SP46215.2023.10179311. ISBN 978-1-6654-9336-9. S2CID 259321089.
- Van Goethem, Tom; Franken, Gertjan; Sanchez-Rola, Iskander; Dworken, David; Joosen, Wouter (2022-05-30). "SoK: Exploring Current and Future Research Directions on XS-Leaks through an Extended Formal Model". Proceedings of the 2022 ACM on Asia Conference on Computer and Communications Security. ACM. pp. 784–798. doi:10.1145/3488932.3517416. ISBN 978-1-4503-9140-5. S2CID 248990284.
- "How the web works - Learn web development | MDN". developer.mozilla.org. 2023-07-24. Retrieved 2023-10-01.
- "What is CORS? - Cross-Origin Resource Sharing Explained - AWS". Amazon Web Services, Inc. Retrieved 2023-10-01.