Fetch Metadata

ID Attribute

October 1, 2020
Abuse: onblur, focus, iframes
Category: Attack
Defenses: Fetch Metadata, SameSite Cookies, Framing Protections

The id attribute is widely used to identify HTML elements. Unfortunately, cross-origin websites can determine whether a given id is set anywhere on a page by leveraging the focus event and URL fragments. If https://example.com/foo#bar is loaded, the browser attempts to scroll to the element with id="bar". This can be detected cross-origin by loading https://example.com/foo#bar in an iframe; if there is an element with id="bar", the focus event fires. The blur event can also be used for the same purpose [1]. ...

Connection Pool

October 1, 2020
Abuse: Connection Pool, Browser Limits
Category: Attack
Defenses: Fetch Metadata, SameSite Cookies

Another way to measure the network timing of a request consists of abusing the socket pool of a browser [1]. Browsers use sockets to communicate with servers. As the operating system and the hardware it runs on have limited resources, browsers have to impose a limit. To exploit the existence of this limit, attackers can:

1. Check what the limit of the browser is, for example 256 global sockets.
2. Block \(255\) sockets for a long period of time by performing \(255\) requests to different hosts that simply hang the connection.
3. Use the \(256^{th}\) socket by performing a request to the target page. ...