Cross-site leaks: Difference between revisions

To perform a cross-site leak, the attacker must identify at least one [[State (computer science)|state-dependent]] URL in the victim app for use in the attack app. Depending on the victim app's state, this [[URL]] must provide at least two different [[HTTP]] responses.{{sfn|Rautenstrauch|Pellegrino|Stock|2023|p=2747}}{{sfn|Van Goethem|Franken|Sanchez-Rola|Dworken|2022|p=787}} For instance, if the attacker is trying to attack [[Gmail]], they could try to find a search URL that returns a different HTTP response based on how many search results are found for a specific search term in a user's emails.{{sfn|Gelernter|Herzberg|2015|pp=1399–1402}} Once an attacker finds such a URL, they can host a website and [[Phishing|phish]] or otherwise lure unsuspecting users to it. Once the victim is on the attacker's website, the attacker can use various embedding techniques to initiate cross-origin HTTP requests to the state-dependent URL.{{sfn|Sudhodanan|Khodayari|Caballero|2020|p=1}} However, since the attacker is on a different website, the [[same-origin policy]] imposed by the web browser will prevent the attacker from directly reading any part of the response sent by the vulnerable website.{{refn|group=note|This includes metadata associated with the response like status codes and HTTP headers{{sfn|Van Goethem|Vanhoef|Piessens|Joosen|2016|p=448}}}}{{sfn|Van Goethem|Vanhoef|Piessens|Joosen|2016|p=448}}
 
To circumvent this security barrier, the attacker can use browser-leak methods to distinguish subtle differences between different responses. Browser-leak methods are [[JavaScript]], [[CSS]] or [[HTML]] snippets that leverage long-standing [[information leakage]] issues ([[Side-channel attack|side channels]]) in the web browser to reveal specific characteristics about an HTTP response.{{sfn|Rautenstrauch|Pellegrino|Stock|2023|p=2747}}{{sfn|Van Goethem|Franken|Sanchez-Rola|Dworken|2022|p=787}} In the case of Gmail, the attacker could use JavaScript to time how long the browser took to [[Parsing|parse]] the HTTP response returned by the search endpoint. If the time taken to parse the response was low, the attacker could infer that there were no search results for their query. Alternatively, if the site took longer, the attacker could infer that multiple search results were returned.{{sfn|Gelernter|Herzberg|2015|pp=1399–1402}} The attacker can subsequently use the information gained through these information leakages to exfiltrate sensitive information, which can be used to track and [[Data re-identification|deanonymize]] the victim.{{sfn|Sudhodanan|Khodayari|Caballero|2020|p=1}} In the case of Gmail, the attacker could make a request to the search endpoint with a query and measure the time the query took, in order to learn whether or not the user had any emails containing a specific query string.{{refn|group=note|An example of such a query could be the name of a well known bank, or the contact information of a person or organization that the user is expected to have interacted with.{{sfn|Gelernter|Herzberg|2015|p=1400}}}} If a response takes very little time to be processed, the attacker can assume that no search results were returned. Conversely, if a response takes a large amount of time to be processed, the attacker can infer that many search results were returned.
By making multiple requests, an attacker could gain significant insight into the current state of the victim application, potentially revealing private information of a user and helping to launch sophisticated spamming and phishing attacks.{{sfn|Gelernter|Herzberg|2015|p=1400}}
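The precondition described above (a URL whose response depends on the logged-in user's state) is also what a defender can remove. The following is an added example, not code from the article or from Gmail: a simulated search endpoint whose response body and processing cost vary with the number of matching emails, next to a hardened version that uses the browser-sent Fetch Metadata header <code>Sec-Fetch-Site</code> to return an identical, state-independent response to every cross-site request. The mailbox contents, user names, cost figures and handler names are constructed for illustration.

```javascript
// Added example (not from the article): a state-dependent search endpoint and
// a Fetch Metadata check that makes its cross-site responses state-independent.

// Constructed mailbox state: the "victim app" data the response depends on.
const MAILBOX = {
  alice: ['Statement from Example Bank', 'Lunch on Friday', 'Example Bank: new card'],
};

// Simulated state-dependent endpoint. Both the body and the "cost" (a stand-in
// for the parse/processing time a browser-leak method would measure) grow
// with the number of matching emails, so two queries with different hit
// counts yield two distinguishable responses.
function searchHandler(user, query) {
  const needle = query.toLowerCase();
  const hits = (MAILBOX[user] || []).filter(s => s.toLowerCase().includes(needle));
  return { status: 200, body: JSON.stringify({ results: hits }), cost: 10 + hits.length * 50 };
}

// Fetch Metadata: supporting browsers send Sec-Fetch-Site on every request.
// 'same-origin', 'same-site' and 'none' (user-initiated, e.g. typed URL) are
// trusted contexts; anything else is a cross-site request. A missing header
// is treated as allowed here so browsers without Fetch Metadata keep working
// (a design choice for this example, not a rule from the article).
function isCrossSite(headers) {
  const site = (headers['sec-fetch-site'] || '').toLowerCase();
  if (site === '') return false;
  return !['same-origin', 'same-site', 'none'].includes(site);
}

// Hardened handler: cross-site requests get one fixed response regardless of
// mailbox state, so the "at least two different responses" precondition for
// a cross-site leak no longer holds for an attacker's page.
function hardenedSearchHandler(user, query, headers = {}) {
  if (isCrossSite(headers)) {
    return { status: 403, body: '', cost: 10 };
  }
  return searchHandler(user, query);
}

// Review helper: do two queries produce responses that differ in anything an
// embedding page could observe (status, body, or processing cost)?
function distinguishable(handler, user, queryA, queryB, headers = {}) {
  const a = handler(user, queryA, headers);
  const b = handler(user, queryB, headers);
  return a.status !== b.status || a.body !== b.body || a.cost !== b.cost;
}

// Stand-alone demonstration.
const crossSite = { 'sec-fetch-site': 'cross-site' };
console.log('unprotected, cross-site:',
  distinguishable(searchHandler, 'alice', 'example bank', 'zzz', crossSite)); // true
console.log('hardened, cross-site:   ',
  distinguishable(hardenedSearchHandler, 'alice', 'example bank', 'zzz', crossSite)); // false
```

The check is deliberately placed before any state is consulted, so that neither the body nor the amount of work done (and therefore the timing) depends on the user's mailbox for a cross-site caller; same-origin callers, such as the application's own front end, still get the full search result.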
 
While every method of initiating a cross-origin request to a URL in a web page could in principle be combined with every browser-leak method, not every combination works in practice, because dependencies exist between inclusion methods and browser leaks. Some browser-leak methods require specific inclusion techniques to succeed.{{sfn|Van Goethem|Franken|Sanchez-Rola|Dworken|2022|p=788}} For example, if the browser-leak method relies on checking CSS attributes such as the width and height of an element, the inclusion technique must use an [[HTML element]] with width and height properties, such as an image element, that change when a cross-origin request returns an invalid or a differently sized image.{{sfn|Rautenstrauch|Pellegrino|Stock|2023|p=2745}}{{sfn|Van Goethem|Franken|Sanchez-Rola|Dworken|2022|p=785}}