Attack Principle

XS-Search

October 1, 2020
Category Attack, Attack Principle
Defenses Fetch Metadata, SameSite Cookies

Cross-site search (XS-Search) is an important attack principle in the family of XS-Leaks. This type of attack abuses Query-Based Search Systems to leak user information from an attacker origin 1 2. The original attack uses timing measurements to detect whether or not a search system returns results and works as follows: Establish a baseline of the time needed for a request to return results (hit), and a baseline for the time needed by a request with no results (miss). ...