Cross-site leaks: Difference between revisions

Reverting edit(s) by Sohom Datta (talk) to rev. 1215498024 by Citation bot: Vandalism (from contribs) (RW 16.1)
Undid revision 1215610339 by Sohom Datta (talk) accidental undo while testing stuff unrelated to this article, ignore me
Line 4:
{{Use Oxford spelling|date=March 2024}}
 
In [[internet security]], '''cross-site leaks''', also known as '''XS-leaks''', are a class of attacks that allow an attacker to access sensitive information about a user's interactions with other websites. Typically, a user's [[Web browser|web browser]] interacts with many web servers using the [[Hypertext Transfer Protocol]] (HTTP). To prevent unwanted access to these interactions, the browser blocks other, untrusted websites from seeing this information through a set of rules called the [[same-origin policy]]. Cross-site leaks, however, circumvent these rules by using techniques that abuse [[Web API|features in the web browser]] that have historically been known to reveal information about other websites. These attacks are often initiated through [[phishing]] or other social engineering tactics that entice users to visit the attacker's website. Once the user is there, the attacker uses malicious code on their website to interact with other websites and learn about the user's previous actions on those sites. The information gained from such an attack can [[Data re-identification|uniquely identify]] the user to the attacker.
 
These attacks have been documented since 2000. One of the first research papers on the topic was published by researchers at [[Purdue University]]. The paper described an attack where the [[web cache]] was exploited to gather information about a website. Since then, cross-site leaks have become increasingly sophisticated. Researchers have found newer leaks targeting various web browser components. While the efficacy of some of these techniques varies, newer techniques are continually being discovered. Some older methods are blocked through updates to browser software. The introduction and removal of features on the Internet also lead to some attacks being rendered ineffective.
Line 10:
Cross-site leaks are a diverse form of attack, and there is no consistent classification of such attacks. Multiple sources classify cross-site leaks by the technique used to leak information. Among the well-known cross-site leaks are timing attacks, which depend on timing events within the web browser. Error events constitute another category, using the presence or absence of events to disclose data. Additionally, [[Cache timing attack|cache-timing attacks]] rely on the web cache to unveil information. Since 2023, newer attacks that use operating systems and web browser limits to leak information have also been found.
 
Before 2017, defending against cross-site leaks was considered to be difficult. This was because many of the information leakage issues exploited by cross-site leak attacks were inherent to the way websites worked. Most defences against this class of attacks have been introduced after 2017 in the form of extensions to the [[HTTP|hypertext transfer protocol]] (HTTP). These extensions allow websites to instruct the browser to disallow or annotate certain kinds of [[State (computer science)|stateful]] requests coming from other websites. One of the most successful approaches browsers have implemented is [[SameSite cookie|SameSite]] cookies. SameSite cookies allow websites to set a directive that prevents other websites from accessing and sending sensitive cookies. Another defence involves using [[List of HTTP header fields|HTTP headers]] to restrict which websites can embed a particular site. Cache partitioning also serves as a defence against cross-site leaks, preventing other websites from using the web cache to exfiltrate data.
 
== Background ==
Line 31:
The [[threat model]] of a cross-site leak relies on the attacker being able to direct the victim to a malicious website that is at least partially under the attacker's control. The attacker can accomplish this by compromising a web page, by phishing the user to a web page and loading arbitrary code, or by using a malicious advertisement on an otherwise-safe web page.{{sfn|Van Goethem|Franken|Sanchez-Rola|Dworken|2022|p=786}}{{sfn|Sudhodanan|Khodayari|Caballero|2020|p=11}}
 
To carry out a cross-site leak attack, an attacker must first study how a website interacts with users. They need to identify a specific [[State (computer science)|state-dependent]] [[URL]] that produces different [[HTTP|Hypertext Transfer Protocol]] (HTTP) responses depending on the user's past actions on the site.{{sfn|Rautenstrauch|Pellegrino|Stock|2023|p=2747}}{{sfn|Van Goethem|Franken|Sanchez-Rola|Dworken|2022|p=787}} For instance, if the attacker is trying to attack [[Gmail]], they could try to find a search URL that returns a different HTTP response based on how many search results are found for a specific search term in a user's emails.{{sfn|Gelernter|Herzberg|2015|pp=1399–1402}} Once an attacker finds such a URL, they can host a website and [[Phishing|phish]] or otherwise lure unsuspecting users to it. Once the victim is on the attacker's website, the attacker can use various embedding techniques to initiate cross-origin HTTP requests to the state-dependent URL they identified.{{sfn|Sudhodanan|Khodayari|Caballero|2020|p=1}} However, since the attacker is on a different website, the [[same-origin policy]] imposed by the web browser will prevent the attacker from directly reading any part of the response sent by the vulnerable website.{{refn|group=note|This includes metadata associated with the response like status codes and HTTP headers{{sfn|Van Goethem|Vanhoef|Piessens|Joosen|2016|p=448}}}}{{sfn|Van Goethem|Vanhoef|Piessens|Joosen|2016|p=448}}
 
To circumvent this security barrier, the attacker can use browser-leak methods to distinguish subtle differences between responses. Browser-leak methods are [[JavaScript]], [[CSS]] or [[HTML]] snippets that leverage long-standing [[information leakage]] issues ([[Side-channel attack|side channels]]) in the web browser to reveal specific characteristics of an HTTP response.{{sfn|Rautenstrauch|Pellegrino|Stock|2023|p=2747}}{{sfn|Van Goethem|Franken|Sanchez-Rola|Dworken|2022|p=787}} In the case of Gmail, the attacker could use JavaScript to time how long the browser took to [[Parsing|parse]] the HTTP response returned by the search endpoint. If the time taken to parse the response was low, the attacker could infer that there were no search results for their query. Alternatively, if the site took longer, the attacker could infer that multiple search results were returned.{{sfn|Gelernter|Herzberg|2015|pp=1399–1402}} The attacker can subsequently use the information gained through these leaks to exfiltrate sensitive information, which can be used to track and [[Data re-identification|deanonymize]] the victim.{{sfn|Sudhodanan|Khodayari|Caballero|2020|p=1}} In the case of Gmail, the attacker could make a request to the search endpoint with a query and then measure the time the query took, to determine whether or not the user had any emails containing a specific query string.{{refn|group=note|An example of such a query could be the name of a well known bank, or the contact information of a person or organization that the user is expected to have interacted with.{{sfn|Gelernter|Herzberg|2015|p=1400}}}} If a response takes very little time to be processed, the attacker can assume that no search results were returned. Conversely, if a response takes a large amount of time to be processed, the attacker can infer that many search results were returned.
By making multiple requests, an attacker could gain significant insight into the current state of the victim application, potentially revealing private information of a user, helping launch sophisticated spamming and phishing attacks.{{sfn|Gelernter|Herzberg|2015|p=1400}}
 
While every method of initiating a cross-origin request to a URL in a web page can be combined with every browser-leak method, this does not work in practice because dependencies exist between different inclusion methods and browser leaks. Some browser-leak methods require specific inclusion techniques to succeed.{{sfn|Van Goethem|Franken|Sanchez-Rola|Dworken|2022|p=788}} For example, if the browser-leak method relies on checking CSS attributes such as the width and height of an element, the inclusion technique must use an [[HTML element]] with a width and height property, such as an image element, that changes when a cross-origin request returns an invalid or a differently sized image.{{sfn|Rautenstrauch|Pellegrino|Stock|2023|p=2745}}{{sfn|Van Goethem|Franken|Sanchez-Rola|Dworken|2022|p=785}}
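The post-2017 defences described above (browser-supplied annotations on cross-site requests, used alongside SameSite cookies) can close off a state-dependent endpoint of the kind the Gmail example relies on. The following is an added example, not code from the article or from any cited work; it assumes a server that can read the Fetch Metadata request headers (Sec-Fetch-Site, Sec-Fetch-Mode, Sec-Fetch-Dest) that modern browsers attach to requests, and the mailbox contents and search endpoint are constructed for illustration.

```python
"""Resource isolation for a state-dependent search endpoint (added example).

Assumes the server sees the browser's Fetch Metadata request headers; the
mailbox and endpoint below are constructed, not from any real application.
"""
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit

# Constructed mailbox: the victim-app state an XS-leak would try to infer
# ("does this user have mail mentioning a given bank?").
SAMPLE_MAILBOX = ["Your statement from Example Bank", "Lunch on Friday?"]
VARY = {"Vary": "Sec-Fetch-Site, Sec-Fetch-Mode, Sec-Fetch-Dest"}


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    body: str
    headers: dict = field(default_factory=dict)


def is_allowed_by_isolation_policy(req: Request) -> bool:
    """Fetch Metadata resource isolation policy.

    Allow: requests from browsers that send no Fetch Metadata (other defences
    such as SameSite cookies must cover them), same-origin/same-site requests,
    user-initiated requests (Sec-Fetch-Site: none), and plain top-level GET
    navigations. Refuse everything else, i.e. cross-site subresource loads
    via <img>, <iframe>, <script>, fetch() and similar inclusion methods.
    """
    site = req.headers.get("Sec-Fetch-Site")
    if site is None or site in ("same-origin", "same-site", "none"):
        return True
    mode = req.headers.get("Sec-Fetch-Mode")
    dest = req.headers.get("Sec-Fetch-Dest")
    return mode == "navigate" and req.method == "GET" and dest not in ("object", "embed")


def handle_search(req: Request, mailbox=SAMPLE_MAILBOX) -> Response:
    """State-dependent search guarded by the isolation policy.

    Refused requests get one constant response before any mailbox lookup, so
    a cross-site embedder sees no size, timing or error difference between
    "results found" and "no results". Vary keeps caches from serving one
    variant to the other.
    """
    if not is_allowed_by_isolation_policy(req):
        return Response(403, "", dict(VARY))
    query = parse_qs(urlsplit(req.path).query).get("q", [""])[0]
    hits = [m for m in mailbox if query.lower() in m.lower()]
    return Response(200, "\n".join(hits), dict(VARY))
```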
Line 107:
 
=== Global limits ===
Global limits, which are also known as pool-party attacks, do not directly rely on the state of the victim web app. This cross-site leak was first discovered by Knittel et al. in 2020 and then expanded by Snyder et al. in 2023.{{sfn|Snyder|Karami|Edelstein|Livshits|2023|p=7095}} The attack abuses global operating-system or hardware limits to starve shared resources.{{sfn|Snyder|Karami|Edelstein|Livshits|2023|pp=7096,7097}} Global limits that could be abused include the number of [[Network socket|raw socket]] connections that can be opened and the number of [[Web worker|service workers]] that can be registered. An attacker can infer the state of the victim website by performing an activity that triggers these global limits and comparing any differences in browser behaviour when the same activity is performed without the victim website being loaded.{{sfn|Knittel|Mainka|Niemietz|Noß|2021|pp=1782,1776–1778}} Since these types of attacks typically also require timing [[side channels]], they are also considered timing attacks.{{sfn|Snyder|Karami|Edelstein|Livshits|2023|p=7095}}
 
=== Other techniques ===
Line 189:
* {{Cite book |last1=Knittel |first1=Lukas |title=Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security |last2=Mainka |first2=Christian |last3=Niemietz |first3=Marcus |last4=Noß |first4=Dominik Trevor |last5=Schwenk |first5=Jörg |date=2021-11-12 |publisher=Association for Computing Machinery |isbn=978-1-4503-8454-4 |pages=1771–1788 |language=en |chapter=XSinator.com: From a Formal Model to the Automatic Evaluation of Cross-Site Leaks in Web Browsers |doi=10.1145/3460120.3484739 |doi-access=free |s2cid=244077807}}
* {{Cite journal |last1=Mishra |first1=Vikas |last2=Laperdrix |first2=Pierre |last3=Rudametkin |first3=Walter |last4=Rouvoy |first4=Romain |date=2021 |title=Déjà vu: Abusing Browser Cache Headers to Identify and Track Online Users |url=https://petsymposium.org/popets/2021/popets-2021-0033.php |journal=Proceedings on Privacy Enhancing Technologies |volume=2021 |issue=2 |pages=391–406 |doi=10.2478/popets-2021-0033 |issn=2299-0984 |s2cid=231779262 |doi-access=free |access-date=2023-10-29 |archive-date=2023-10-29 |archive-url=https://web.archive.org/web/20231029200010/https://petsymposium.org/popets/2021/popets-2021-0033.php |url-status=live |hdl=20.500.12210/57495 |hdl-access=free }}
* {{Cite book |last1=Rautenstrauch |first1=Jannis |title=2023 IEEE Symposium on Security and Privacy (SP) |last2=Pellegrino |first2=Giancarlo |last3=Stock |first3=Ben |date=2023-05-21 |publisher=IEEE |isbn=978-1-6654-9336-9 |pages=2744–2760 |chapter=The Leaky Web: Automated Discovery of Cross-Site Information Leaks in Browsers and the Web |doi=10.1109/SP46215.2023.10179311 |chapter-url=https://ieeexplore.ieee.org/document/10179311 |s2cid=259321089 |url=https://figshare.com/articles/conference_contribution/The_Leaky_Web_Automated_Discovery_of_Cross-Site_Information_Leaks_in_Browsers_and_the_Web/24614724 |s2cid-access=free |via=CISPA – Helmholtz Center for Information Security Publication Database}}
* {{Cite book |last1=Reis |first1=Charles |title=SEC'19: Proceedings of the 28th USENIX Conference on Security Symposium |last2=Moshchuk |first2=Alexander |last3=Oskov |first3=Nasko |date=2019 |publisher=USENIX Association |isbn=978-1-939133-06-9 |pages=1661–1678 |language=en |chapter=Site Isolation: Process Separation for Web Sites within the Browser |access-date=2023-11-07 |chapter-url=https://www.usenix.org/conference/usenixsecurity19/presentation/reis |archive-url=https://web.archive.org/web/20231107084829/https://www.usenix.org/conference/usenixsecurity19/presentation/reis |archive-date=2023-11-07 |url-status=live |s2cid=199522067 |s2cid-access=free}}
* {{Cite book |last1=Schwenk |first1=Jörg |last2=Niemietz |first2=Marcus |last3=Mainka |first3=Christian |date=2017 |title={Same-Origin} Policy: Evaluation in Modern Browsers |url=https://www.usenix.org/conference/usenixsecurity17/technical-sessions/presentation/schwenk |language=en |pages=713–727 |publisher=USENIX Association |s2cid=9641053 |isbn=978-1-931971-40-9 |s2cid-access=free}}
Line 218:
* {{Cite book |last1=Van Goethem |first1=Tom |title=Proceedings of the 2022 ACM on Asia Conference on Computer and Communications Security |last2=Franken |first2=Gertjan |last3=Sanchez-Rola |first3=Iskander |last4=Dworken |first4=David |last5=Joosen |first5=Wouter |date=2022-05-30 |publisher=Association for Computing Machinery |isbn=978-1-4503-9140-5 |pages=784–798 |language=en |chapter=SoK: Exploring Current and Future Research Directions on XS-Leaks through an Extended Formal Model |doi=10.1145/3488932.3517416 |doi-access=free |s2cid=248990284}}{{Creative Commons text attribution notice|cc=by4|author(s)=Tom Van Goethem, Gertjan Franken, Iskander Sanchez-Rola, David Dworken and Wouter Joosen}}
* {{Cite book |last1=Van Goethem |first1=Tom |title=2023 IEEE Security and Privacy Workshops (SPW) |last2=Sanchez-Rola |first2=Iskander |last3=Joosen |first3=Wouter |date=2023 |publisher=IEEE |isbn=979-8-3503-1236-2 |pages=371–383 |language=en-US |chapter=Scripted Henchmen: Leveraging XS-Leaks for Cross-Site Vulnerability Detection |doi=10.1109/SPW59333.2023.00038 |access-date=2023-11-07 |chapter-url=https://ieeexplore.ieee.org/document/10188656 |s2cid=259267534 |s2cid-access=free}}
* {{Cite book |last1=Van Goethem |first1=Tom |last2=Vanhoef |first2=Mathy |last3=Piessens |first3=Frank |last4=Joosen |first4=Wouter |date=2016 |title=Request and Conquer: Exposing {Cross-Origin} Resource Size |url=https://www.usenix.org/conference/usenixsecurity16/technical-sessions/presentation/vangoethem |language=en |pages=447–462 |isbn=978-1-931971-32-4}}
* {{Cite book |last1=Van Goethem |first1=Tom |last2=Joosen |first2=Wouter |last3=Nikiforakis |first3=Nick |chapter=The Clock is Still Ticking: Timing Attacks in the Modern Web |date=2015-10-12 |title=Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security |chapter-url=https://doi.org/10.1145/2810103.2813632 |series=CCS '15 |publisher=Association for Computing Machinery |pages=1382–1393 |doi=10.1145/2810103.2813632 |isbn=978-1-4503-3832-5|s2cid=17705638|s2cid-access=free }}
* {{Cite journal |last1=Vila |first1=Pepe |last2=Köpf |first2=Boris |date=2017 |title=Loophole: Timing Attacks on Shared Event Loops in Chrome |url=https://www.usenix.org/conference/usenixsecurity17/technical-sessions/presentation/vila |journal=SEC'17: Proceedings of the 26th USENIX Conference on Security Symposium |language=en |pages=849–864 |arxiv=1702.06764 |isbn=978-1-931971-40-9}}
* {{Cite book |last1=Zaheri |first1=Mojtaba |title=Security and Privacy in Communication Networks |last2=Curtmola |first2=Reza |date=2021 |publisher=Springer International Publishing |isbn=978-3-030-90022-9 |editor-last=Garcia-Alfaro |editor-first=Joaquin |series=Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering |volume=399 |pages=143–163 |language=en |chapter=Leakuidator: Leaky Resource Attacks and Countermeasures |doi=10.1007/978-3-030-90022-9_8|doi-access=free |editor2-last=Li |editor2-first=Shujun |editor3-last=Poovendran |editor3-first=Radha |editor4-last=Debar |editor4-first=Hervé |editor5-last=Yung |editor5-first=Moti |s2cid=237476137}}
* {{Cite journal |last1=Zaheri |first1=Mojtaba |last2=Oren |first2=Yossi |last3=Curtmola |first3=Reza |date=2022 |title=Targeted Deanonymization via the Cache Side Channel: Attacks and Defenses |url=https://www.usenix.org/conference/usenixsecurity22/presentation/zaheri |language=en |pages=1505–1523 |journal=Proceedings of the 31st USENIX Conference on Security Symposium |series=SEC '22 |isbn=978-1-939133-31-1 |s2cid=251092191 |s2cid-access=free}}
* {{Cite book |last=Zalewski |first=Michal |url=https://books.google.com/books?id=NU3wOk2jzWsC&newbks=0&hl=en |title=The Tangled Web: A Guide to Securing Modern Web Applications |date=2011-11-15 |publisher=No Starch Press |isbn=978-1-59327-388-0 |language=en}}
{{refend}}
 
Line 229:
{{refbegin}}
* {{Cite book |last1=Knittel |first1=Lukas |title=Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security |last2=Mainka |first2=Christian |last3=Niemietz |first3=Marcus |last4=Noß |first4=Dominik Trevor |last5=Schwenk |first5=Jörg |date=2021-11-12 |publisher=Association for Computing Machinery |isbn=978-1-4503-8454-4 |pages=1771–1788 |language=en |chapter=XSinator.com: From a Formal Model to the Automatic Evaluation of Cross-Site Leaks in Web Browsers |doi=10.1145/3460120.3484739 |doi-access=free |s2cid=244077807 |ref=none}}
* {{Cite book |last1=Rautenstrauch |first1=Jannis |title=2023 IEEE Symposium on Security and Privacy (SP) |last2=Pellegrino |first2=Giancarlo |last3=Stock |first3=Ben |date=2023-05-21 |publisher=IEEE |isbn=978-1-6654-9336-9 |pages=2744–2760 |chapter=The Leaky Web: Automated Discovery of Cross-Site Information Leaks in Browsers and the Web |doi=10.1109/SP46215.2023.10179311 |chapter-url=https://ieeexplore.ieee.org/document/10179311 |s2cid=259321089 |url=https://figshare.com/articles/conference_contribution/The_Leaky_Web_Automated_Discovery_of_Cross-Site_Information_Leaks_in_Browsers_and_the_Web/24614724 |s2cid-access=free |via=CISPA – Helmholtz Center for Information Security Publication Database |ref=none}}
* {{Cite book |last1=Van Goethem |first1=Tom |title=Proceedings of the 2022 ACM on Asia Conference on Computer and Communications Security |last2=Franken |first2=Gertjan |last3=Sanchez-Rola |first3=Iskander |last4=Dworken |first4=David |last5=Joosen |first5=Wouter |date=2022-05-30 |publisher=Association for Computing Machinery |isbn=978-1-4503-9140-5 |pages=784–798 |language=en |chapter=SoK: Exploring Current and Future Research Directions on XS-Leaks through an Extended Formal Model |doi=10.1145/3488932.3517416 |doi-access=free |s2cid=248990284 |ref=none}}
* {{cite conference