SameSite Cookies

Element leaks

Abuse HTMLElement
Category Attack
Defenses SameSite Cookies

Some HTML Elements might be used to leak a portion of data to a cross-origin page. For example, the below media resources can leak information about its size, duration, type. HTMLMediaElement leaks the media duration and the buffered times. HTMLVideoElement leaks the videoHeight and videoWidth some browsers may also have webkitVideoDecodedByteCount, webkitAudioDecodedByteCount and webkitDecodedFrameCount getVideoPlaybackQuality() leaks the totalVideoFrames. HTMLImageElement leaks the height and width but if the image is invalid they will be 0 and image. ...

Execution Timing

October 1, 2020
Abuse Event Loop, Service Workers, Site Isolation, CSS Injections, Regex Injections, iframes
Category Attack
Defenses Fetch Metadata, SameSite Cookies, COOP, Framing Protections

Measuring the time of JavaScript execution in a browser can give attackers information on when certain events are triggered, and how long some operations take. Timing the Event Loop # JavaScript’s concurrency model is based on a single-threaded event loop which means it can only run one task at a time. If, for example, some time-consuming task blocks the event loop, the user can perceive a freeze on a page as a result of the UI thread being starved. ...

Hybrid Timing

October 1, 2020
Abuse iframes
Category Attack
Defenses Fetch Metadata, SameSite Cookies, COOP

Hybrid Timing Attacks allow attackers to measure the sum of a group of factors that influence the final timing measurement. These factors include: Network delays Document parsing Retrieval and processing of subresources Code execution Some of the factors differ in value depending on the application. This means that Network Timing might be more significant for pages with more backend processing, while Execution Timing can be more significant in applications processing and displaying data within the browser. ...

ID Attribute

October 1, 2020
Abuse onblur, focus, iframes
Category Attack
Defenses Fetch Metadata, SameSite Cookies, Framing Protections

The id attribute is widely used to identify HTML elements. Unfortunately, cross-origin websites can determine whether a given id is set anywhere on a page by leveraging the focus event and URL fragments. If https://example.com/foo#bar is loaded, the browser attempts to scroll to the element with id="bar". This can be detected cross-origin by loading https://example.com/foo#bar in an iframe; if there is an element with id="bar", the focus event fires. The blur event can also be used for the same purpose 1. ...

Connection Pool

October 1, 2020
Abuse Connection Pool, Browser Limits
Category Attack
Defenses Fetch Metadata, SameSite Cookies

Another way to measure the network timing of a request consists of abusing the socket pool of a browser 1. Browsers use sockets to communicate with servers. As the operating system and the hardware it runs on have limited resources, browsers have to impose a limit. To exploit the existence of this limit, attackers can: Check what the limit of the browser is, for example 256 global sockets. Block \(255\) sockets for a long period of time by performing \(255\) requests to different hosts that simply hang the connection Use the \(256^{th}\) socket by performing a request to the target page. ...