Attack

XS-Search

October 1, 2020
Category Attack, Attack Principle
Defenses Fetch Metadata, SameSite Cookies

Cross-site search (XS-Search) is an important attack principle in the family of XS-Leaks. This type of attack abuses Query-Based Search Systems to leak user information from an attacker origin 1 2. The original attack uses timing measurements to detect whether or not a search system returns results and works as follows: Establish a baseline of the time needed for a request to return results (hit), and a baseline for the time needed by a request with no results (miss). ...

Window References

October 8, 2020
Abuse Window References
Category Attack
Defenses Fetch Metadata, SameSite Cookies, COOP

If a page sets its opener property to null or uses COOP protection depending on the user’s state, it becomes possible to infer cross-site information about that state. For example, attackers can detect whether a user is logged in by opening an endpoint in an iframe (or a new window) which only authenticated users have access to, simply by checking its window reference.

Code Snippet

The snippet below demonstrates how to detect whether the opener property was set to null, or whether the COOP header is present with a value other than unsafe-none. ...

CORB Leaks

October 1, 2020
Abuse Browser Feature, Error Events, Content-Type, nosniff
Category Attack
Defenses Fetch Metadata, SameSite Cookies

Cross-Origin Read Blocking (CORB) is a web platform security feature aimed at reducing the impact of speculative side-channel attacks such as Spectre. Unfortunately, blocking certain types of requests introduced a new type of XS-Leaks 1 that allows attackers to detect if CORB was enforced on one request, but wasn’t on another. Nevertheless, the introduced XS-Leaks are much less problematic than the issues actively protected by CORB (e.g. Spectre).

This is a known issue in Chromium, and while it might remain unfixed, its impact is greatly reduced by the rollout of SameSite Cookies by default in Chromium-based browsers. ...

CORP Leaks

October 1, 2020
Abuse Browser Feature
Category Attack
Defenses Fetch Metadata, SameSite Cookies

Cross-Origin Resource Policy (CORP) is a web platform security feature that allows websites to prevent certain resources from being loaded by other origins. This protection complements CORB since it is an opt-in defense, whereas CORB blocks some cross-origin reads by default. Unfortunately, similar to CORB, applications can introduce a new XS-Leak if they misconfigure the use of this protection. A webpage will introduce an XS-Leak if CORP is enforced based on user data. ...

CSS Tricks

October 1, 2020
Abuse CSS
Category Attack
Defenses Framing Protections

CSS can be used to trick a user into exposing information such as embedded pixel values by making visual changes that are affected by the embed.

Retrieving user’s history

Using the CSS :visited selector, it’s possible to apply a different style for URLs that have been visited. Previously it was possible to use getComputedStyle() to detect this difference, but now browsers prevent this by always returning values as if the link was visited and limiting what styles can be applied using the selector. ...

Error Events

October 1, 2020
Abuse Error Events, Status Code, nosniff, Content-Type
Category Attack
Defenses Fetch Metadata, SameSite Cookies

When a webpage issues a request to a server (e.g. fetch, HTML tags), the server receives and processes this request. When received, the server decides whether the request should succeed (e.g. 200) or fail (e.g. 404) based on the provided context. When a response has an error status, an error event is fired by the browser for the page to handle. These errors also cover situations where the parser fails, for example when trying to embed HTML content as an image. ...

Frame Counting

October 1, 2020
Abuse iframes
Category Attack
Defenses Fetch Metadata, SameSite Cookies, COOP, Framing Protections

Window references allow cross-origin pages to get access to some of the attributes of other pages. These references become available when using or allowing iframe and window.open. The references provide (limited) information about the window as they still respect the same-origin policy. One of the accessible attributes is window.length which provides the number of frames in the window. This attribute can provide valuable information about a page to an attacker. ...

Navigations

October 1, 2020
Abuse Downloads, History, CSP Violations, Redirects, window.open, window.stop, iframes
Category Attack
Defenses Fetch Metadata, SameSite Cookies, COOP, Framing Protections

Detecting if a cross-site page triggered a navigation (or didn’t) can be useful to an attacker. For example, a website may trigger a navigation in a certain endpoint depending on the status of the user. To detect if any kind of navigation occurred, an attacker can:

- Use an iframe and count the number of times the onload event is triggered.
- Check the value of history.length, which is accessible through any window reference.

...

Network Timing

October 1, 2020
Abuse iframes
Category Attack
Defenses Fetch Metadata, SameSite Cookies, COOP, Framing Protections

Network Timing side-channels have been present on the web since its inception 1 2. These attacks have had different levels of impact over time, gaining new attention when browsers started shipping high-precision timers like performance.now(). To obtain timing measurements, attackers must use a clock, either an implicit or an explicit one. These clocks are usually interchangeable for the purposes of XS-Leaks and only vary in accuracy and availability. For simplicity, this article assumes the use of the performance. ...

Performance API

October 1, 2020
Abuse window.performance
Category Attack
Defenses SameSite Cookies, CORB

The Performance API provides access to performance-related information, enhanced by data from the Resource Timing API, which provides the timings of network requests such as the duration. When the server sends a Timing-Allow-Origin: * header, the transfer size and domain lookup time are also provided. This data can be accessed by using performance.getEntries or performance.getEntriesByName. It can also be used to get the execution time using the difference of performance. ...