October 1, 2020
Window references allow cross-origin pages to get access to some of the attributes of other pages. These references become available when using or allowing iframe and window.open. The references provide (limited) information about the window as they still respect the same-origin policy.
One of the accessible attributes is window.length which provides the number of frames in the window. This attribute can provide valuable information about a page to an attacker.
...October 1, 2020
Detecting if a cross-site page triggered a navigation (or didn’t) can be useful to an attacker. For example, a website may trigger a navigation in a certain endpoint depending on the status of the user.
To detect if any kind of navigation occurred, an attacker can:
- Use an
iframe and count the number of times the onload event is triggered. - Check the value of
history.length, which is accessible through any window reference. This provides the number of entries in the history of a victim that were either changed by history.pushState or by regular navigations. To get the value of history.length, an attacker changes the location of the window reference to the target website, then changes back to same-origin, and finally reads the value. Run demo
Download Trigger
#
When an endpoint sets the Content-Disposition: attachment header, it instructs the browser to download the response as an attachment instead of navigating to it. Detecting if this behavior occurred might allow attackers to leak private information if the outcome depends on the state of the victim’s account.
...October 1, 2020
Network Timing side-channels have been present on the web since its inception . These attacks have had different levels of impact over time, gaining new attention when browsers started shipping high-precision timers like performance.now().
To obtain timing measurements, attackers must use a clock, either an implicit or an explicit one. These clocks are usually interchangeable for the purposes of XS-Leaks and only vary in accuracy and availability. For simplicity, this article assumes the use of the performance.now() API, an explicit clock present in all modern browsers.
...The principle of Cache Probing consists of detecting whether a resource was cached by the browser. The concept has been known since the beginning of the web and initially relied on detecting timing differences.
When a user visits a website, some resources such as images, scripts, and HTML content are fetched and later cached by the browser (under certain conditions). This optimization makes future navigations faster as the browser serves those resources from disk instead of requesting them again. If an attacker can detect which resources are cached, this information can be enough to leak whether a user accessed a specific page in the past.
...October 1, 2020
Measuring the time of JavaScript execution in a browser can give attackers information on when certain events are triggered, and how long some operations take.
Timing the Event Loop
#
JavaScript’s concurrency model is based on a single-threaded event loop which means it can only run one task at a time. If, for example, some time-consuming task blocks the event loop, the user can perceive a freeze on a page as a result of the UI thread being starved. Other tasks must wait until the blocking task finishes. Each browser implements different process models, which means some web sites might run in different threads (and event loops) depending on their relations.
...October 1, 2020
Hybrid Timing Attacks allow attackers to measure the sum of a group of factors that influence the final timing measurement. These factors include:
Some of the factors differ in value depending on the application. This means that Network Timing might be more significant for pages with more backend processing, while Execution Timing can be more significant in applications processing and displaying data within the browser. Attackers can also eliminate some of these factors to obtain more precise measurements. For example, an attacker could preload all of the subresources by embedding the page as an iframe (forcing the browser to cache the subresources) and then perform a second measurement, which excludes any delay introduced by the retrieval of those subresources.
...October 1, 2020
The id attribute is widely used to identify HTML elements. Unfortunately, cross-origin websites can determine whether a given id is set anywhere on a page by leveraging the focus event and URL fragments. If https://example.com/foo#bar is loaded, the browser attempts to scroll to the element with id="bar". This can be detected cross-origin by loading https://example.com/foo#bar in an iframe; if there is an element with id="bar", the focus event fires. The blur event can also be used for the same purpose .
...October 1, 2020
Leaking the Content-Type of a request would provide attackers with a new way of distinguishing two requests from each other.
typeMustMatch
#
typeMustMatch is a Boolean that reflects the typeMustMatch attribute of the object element. It ensures that a certain MIME type must be enforced when loading an object, by verifying if the Content-Type of the resource is the same as the one provided in the object. Unfortunately, this enforcement also allowed attackers to leak the Content-Type and Status Codes returned by a website .
...October 1, 2020
Scroll to Text Fragment (STTF) is a new web platform feature that allows users to create a link to any part of a web page text. The fragment #:~:text= carries a text snippet that is highlighted and brought into the viewport by the browser. This feature can introduce a new XS-Leak if attackers are able to detect when this behavior occurs. This issue is very similar to the Scroll to CSS Selector XS-Leak.
...