Content deleted Content added
Sohom Datta (talk | contribs) →Defences: ce to make background more readable |
m Punctuation and spacing wrt refs |
||
(18 intermediate revisions by 4 users not shown) | |||
Line 10:
Cross-site leaks are a diverse form of attack, and there is no consistent classification of such attacks. Multiple sources classify cross-site leaks by the technique used to leak information. Among the well-known cross-site leaks are timing attacks, which depend on timing events within the web browser. Error events constitute another category, using the presence or absence of events to disclose data. Additionally, [[Cache timing attack|cache-timing attacks]] rely on the web cache to unveil information. Since 2023, newer attacks that use operating systems and web browser limits to leak information have also been found.
Before 2017, defending against cross-site leaks was considered to be difficult. This was because many of the information leakage issues exploited by cross-site leak attacks were inherent to the way websites worked. Most defences against this class of attacks have been introduced after 2017 in the form of extensions to the [[HTTP|hypertext transfer protocol]] (HTTP). These extensions allow websites to instruct the browser to disallow or annotate certain kinds of [[State (computer science)|stateful]] requests coming from other websites. One of the most successful approaches browsers have implemented is [[SameSite cookie|SameSite]] cookies. SameSite cookies allow websites to set a directive that prevents other websites from accessing and sending sensitive cookies. Another
== Background ==
{{Further information|Same-origin policy|Cross-origin resource sharing}}
[[Web application|Web applications]] (web apps) have two primary components: a web browser and one or more [[Web server|web servers]]. The browser typically interacts with the servers via [[HTTP|hyper text transfer protocol]] (HTTP) and [[WebSocket]] connections to deliver a web
Cross-site leaks allow attackers to
== Mechanism ==
Line 26:
Cross-site leak attacks part-2-phish.svg|An attacker identifies a vulnerable [[URL]] and [[Phishing|phishes]] the user to their website using an email. When the user goes to the attacker's website, the attacker can make malicious requests to the web server using the vulnerable URL.
Cross-site leak attacks part-3-exfil.svg|The attacker is prevented from reading the web server's response. However, other factors like the response time or size can be measured by the attacker, leaking information about the response – a [[side-channel attack]].
</gallery>To carry out a cross-site leak attack, an attacker must first study how a website interacts with users. They need to identify a specific [[URL]] that produces different [[HTTP|Hyper Text Transfer Protocol]] (HTTP) responses based on the user's past actions on the site.{{sfn|Rautenstrauch|Pellegrino|Stock|2023|p=2747}}{{sfn|Van Goethem|Franken|Sanchez-Rola|Dworken|2022|p=787}} For instance, if the attacker is trying to attack [[Gmail]], they could try to find a search URL that returns
To circumvent this security barrier, the attacker can use browser-leak methods, to distinguish subtle differences between different responses. Browser leak methods are [[JavaScript]], [[CSS]] or [[HTML]] snippets that leverage long-standing [[information leakage]] issues ([[Side-channel attack|side channels]]) in the web browser to reveal specific characteristics about a HTTP response.{{sfn|Rautenstrauch|Pellegrino|Stock|2023|p=2747}}{{sfn|Van Goethem|Franken|Sanchez-Rola|Dworken|2022|p=787}} In the case of Gmail, the attacker could use JavaScript to time how long the browser took to [[Parsing|parse]] the HTTP response returned by the search result. If the time taken to parse the response returned by the endpoint was low, the attacker could infer that there were no search results for their query. Alternatively, if the site took longer, the attacker could infer that multiple search results were returned.{{sfn|Gelernter|Herzberg|2015|pp=1399–1402}} The attacker can subsequently use the information gained through these information leakages to exfiltrate sensitive information, which can be used to track and [[Data re-identification|deanonymize]] the victim.{{sfn|Sudhodanan|Khodayari|Caballero|2020|p=1}} In the case of Gmail, the attacker could make a request to the search endpoint with a query and subsequently measure the time the query took to figure out whether or not the user had any emails containing a specific query string.{{refn|group=note|An example of such a query could be the name of a well known bank, or the contact information of a person or organization that the user is expected to have interacted with.{{sfn|Gelernter|Herzberg|2015|p=1400}}}} If a response takes very little time to be processed, the attacker can assume that no search results were returned. Conversely, if a response takes a large amount amount of time to be processed, the attacker infer that a lot of search results were returned. By making multiple requests, an attacker could gain significant insight into the current state of the victim application, potentially revealing private information of a user, helping launch sophisticated spamming and phishing attacks.{{sfn|Gelernter|Herzberg|2015|p=1400}}
== History ==
Cross-site leaks have been known about since 2000;{{sfn|Rautenstrauch|Pellegrino|Stock|2023|p=2754}} research papers dating from that year from [[Purdue University]] describe a theoretical attack that uses the HTTP cache to compromise the privacy of a user's browsing habits.{{sfn|Felten|Schneider|2000|pp=25,26,27,31}} In 2007, Andrew Bortz and [[Dan Boneh]] from [[Stanford University]] published a white paper detailing an attack that made use of timing information to determine the size of cross-site responses.{{sfn|Bortz|Boneh|2007|pp=623–625}} In 2015, researchers from [[Bar-Ilan University]] described a cross-site search attack that used similar leaking methods.
Independent security researchers have published blog posts describing cross-site leak attacks against real-world applications. In 2009, Chris Evans described an attack against [[Yahoo! Mail]] via which a malicious site could search a user's inbox for sensitive information.<ref name="PortSwigger">{{Cite web |last=Walker |first=James |date=2019-03-21 |title=New XS-Leak techniques reveal fresh ways to expose user information |url=https://portswigger.net/daily-swig/new-xs-leak-techniques-reveal-fresh-ways-to-expose-user-information |url-status=live |archive-url=https://web.archive.org/web/20231029162650/https://portswigger.net/daily-swig/new-xs-leak-techniques-reveal-fresh-ways-to-expose-user-information |archive-date=2023-10-29 |access-date=2023-10-29 |website=The Daily Swig |language=en}}</ref> In 2018, Luan Herrara
As part of its increased focus on dealing with security issues that depend on misusing long-standing [[Web platform|web-platform]] features, Google launched XSLeaks Wiki in 2020.
Since 2020, there has been some interest among the academic security community in standardizing the classification of these attacks. In 2020, Sudhodanan et al. were among the first to systematically summarize previous work in cross-site leaks, and developed a tool called BASTA-COSI that could be used to detect leaky URLs.
== Threat model ==
The [[threat model]] of a cross-site leak relies on the attacker being able to direct the victim to a malicious website that is at least partially under the attacker's control. The attacker can accomplish this by compromising a web page, by phishing the user to a web page and loading arbitrary code, or by using a malicious advertisement on an otherwise-safe web page.{{sfn|Van Goethem|Franken|Sanchez-Rola|Dworken|2022|p=786}}{{sfn|Sudhodanan|Khodayari|Caballero|2020|p=11}}
Line 53:
While initially used only to differentiate between the time it took for a HTTP request to resolve a response,{{sfn|Bortz|Boneh|2007|pp=623–625}} research performed after 2007 has demonstrated the use of this leak technique to detect other differences across web-app states. In 2017, Vila et al. showed timing attacks could infer cross-origin execution times across embedded contexts. This was made possible by a lack of [[site isolation]] features in contemporaneous browsers, which allowed an attacking website to slow down and amplify timing differences caused by differences in the amount of JavaScript being executed when events were sent to a victim web app.{{sfn|Vila|Köpf|2017|pp=851–853}}{{sfn|Van Goethem|Franken|Sanchez-Rola|Dworken|2022|p=796}}
In 2021, Knittel et al. showed the Performance API{{refn|group=note|The Performance API is a set of Javascript functions that allow websites to retrieve various [[Web performance#Metrics|metrics associated with web performance]]<ref>{{Cite web |date=2023-02-19 |title=Performance - Web APIs {{!}} MDN |url=https://developer.mozilla.org/en-US/docs/Web/API/Performance |access-date=2024-03-11 |website=[[MDN Web Docs]] |language=en-US}}</ref>}} could leak the presence or absence of redirects in responses. This was possible due to a bug in the Performance API that allowed the amount of time shown to the user to be negative when a redirect occurred. [[Google Chrome]] subsequently fixed this bug.{{sfn|Knittel|Mainka|Niemietz|Noß|2021|p=1778}} In 2023, Snyder et al. showed timing attacks could be used to perform pool-party attacks in which websites could block shared resources by exhausting their global quota. By making the victim web app execute JavaScript that used these shared resources and then timing how long these executions took, the researchers were able to reveal information about the state of a web app.
=== Error events ===
Line 116:
== Defences ==
Most modern defences are extensions to the HTTP protocol that either prevent state changes, make cross-origin requests [[Stateless protocol|stateless]], or completely isolate shared resources across multiple origins.{{sfn|Knittel|Mainka|Niemietz|Noß|2021|p=1780}}
Line 217:
* {{Cite book |last1=Van Goethem |first1=Tom |title=Proceedings of the 2022 ACM on Asia Conference on Computer and Communications Security |last2=Franken |first2=Gertjan |last3=Sanchez-Rola |first3=Iskander |last4=Dworken |first4=David |last5=Joosen |first5=Wouter |date=2022-05-30 |publisher=Association for Computing Machinery |isbn=978-1-4503-9140-5 |pages=784–798 |language=en |chapter=SoK: Exploring Current and Future Research Directions on XS-Leaks through an Extended Formal Model |doi=10.1145/3488932.3517416 |doi-access=free |s2cid=248990284}}{{Creative Commons text attribution notice|cc=by4|author(s)=Tom Van Goethem, Gertjan Franken, Iskander Sanchez-Rola, David Dworken and Wouter Joosen}}
* {{Cite book |last1=Van Goethem |first1=Tom |title=2023 IEEE Security and Privacy Workshops (SPW) |last2=Sanchez-Rola |first2=Iskander |last3=Joosen |first3=Wouter |date=2023 |publisher=IEEE |isbn=979-8-3503-1236-2 |pages=371–383 |language=en-US |chapter=Scripted Henchmen: Leveraging XS-Leaks for Cross-Site Vulnerability Detection |doi=10.1109/SPW59333.2023.00038 |access-date=2023-11-07 |chapter-url=https://ieeexplore.ieee.org/document/10188656 |s2cid=259267534 |s2cid-access=free}}
* {{Cite book|
* {{Cite book |last1=Van Goethem |first1=Tom |last2=Joosen |first2=Wouter |last3=Nikiforakis |first3=Nick |chapter=The Clock is Still Ticking: Timing Attacks in the Modern Web |date=2015-10-12 |title=Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security |chapter-url=https://doi.org/10.1145/2810103.2813632 |series=CCS '15 |publisher=Association for Computing Machinery |pages=1382–1393 |doi=10.1145/2810103.2813632 |isbn=978-1-4503-3832-5|s2cid=17705638|s2cid-access=free }}
* {{Cite journal |last1=Vila |first1=Pepe |last2=Köpf |first2=Boris |date=2017 |title=Loophole: Timing Attacks on Shared Event Loops in Chrome |url=https://www.usenix.org/conference/usenixsecurity17/technical-sessions/presentation/vila |journal=SEC'17: Proceedings of the 26th USENIX Conference on Security Symposium |language=en |pages=849–864 |arxiv=1702.06764 |isbn=978-1-931971-40-9}}
* {{Cite book |last1=Zaheri |first1=Mojtaba |title=Security and Privacy in Communication Networks |last2=Curtmola |first2=Reza |date=2021 |publisher=Springer International Publishing |isbn=978-3-030-90022-9 |editor-last=Garcia-Alfaro |editor-first=Joaquin |series=Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering |volume=399 |pages=143–163 |language=en |chapter=Leakuidator: Leaky Resource Attacks and Countermeasures |doi=10.1007/978-3-030-90022-9_8|doi-access=free |editor2-last=Li |editor2-first=Shujun |editor3-last=Poovendran |editor3-first=Radha |editor4-last=Debar |editor4-first=Hervé |editor5-last=Yung |editor5-first=Moti |s2cid=237476137}}
* {{Cite journal |last1=Zaheri |first1=Mojtaba |last2=Oren |first2=Yossi |last3=Curtmola |first3=Reza |date=2022 |title=Targeted Deanonymization via the Cache Side Channel: Attacks and Defenses |url=https://www.usenix.org/conference/usenixsecurity22/presentation/zaheri |language=en |pages=1505–1523 |journal=Proceedings of the 31th USENIX Conference on Security Symposium |series=SEC '22 |isbn=978-1-939133-31-1 |s2cid=251092191 |s2cid-access=free}}
* {{Cite book |last=Zalewski |first=Michal |url=https://books.google.com/books?id=NU3wOk2jzWsC
{{refend}}
|