https://cfp.nonamecon.org/nnc2020/talk/9LMJAH/ For many years, injection-based vulnerabilities such as XSS and SQL-injection have dominated the web security landscape. However, as browsers and applications are becoming increasingly complex, new vulnerability classes surface. One of these new-kids-on-the-block is XSLeaks, a vulnerability class that exploit side-channel leaks in the browser to extract information across origins. In this presentation, I will describe the various types of leaks in different browser features and the network layer, and discuss how these issues can be exploited to extract sensitive information from an unwitting victim. Furthermore, the talk will cover the numerous (new) defences that need to be adopted in order to safeguard web applications (SameSite cookies, COOP, COEP, ...), and their potential shortcomings. Finally, we will take a peak into the future, and discuss how XSLeaks will likely evolve in the coming months and years.

1. HELP!
my browser
is
leaking
byTomVan Goethem

2. The modern-day browser
Processing and
rendering resources
HTTP/2 or HTTP/1.1
over TLS over TCP
Cache and
local storage
Many, many, many features

3. https://secure-bank.com

4. https://secure-bank.com https://cute-kittens.com

5. https://secure-bank.com https://cute-kittens.com

6. https://secure-bank.com https://cute-kittens.com

7. • Leak security information
• CSRF token (may lead to full account compromise)
• Determine the user’s identity
• Spear phishing
• User profiling
• Perform search queries under the victim’s credentials
• Leak secrets that only the victim has access to
• Extract privacy-sensitive content
• Which websites is the user logged in to?
An attacker may try to…
5

8. • Same-origin policy prevents site-A from accessing contents of site-B
• XSLeaks abuse side-channel information to leak metadata information
• Response timing
• Firing of events (order & time)
• Size of response
• …
• Metadata is dependent on the state of the user
• Search query has results → large response
• No results → small response
XSLeaks
6

9. • Response status
• Redirect (30x), 404, …
• Cache status
• Cached resources load much faster
• Rendered content & operations
• frames.length
• postMessage()
• …
7
Categories of XSLeaks

10. • Browser-based timing side-channels
• HEIST
Response size Server processing time
• Timeless timing attacks
In this presentation…

12. GET /transactions?to=tomvg

14. <h1>no results</h1>

15. <h1>no results</h1>

16. <h1>no results</h1>

18. GET /transactions?to=h4x0r

19. <h1>17 transactions</h1>
<ul>
<li>2017-06-19 $1,337,000 NSA hack</li>
<li>2020-09-04 $31,337 NNC hack</li>
...

20. <h1>17 transactions</h1>
<ul>
<li>2017-06-19 $1,337,000 NSA hack</li>
<li>2020-09-04 $31,337 NNC hack</li>
...

21. <h1>17 transactions</h1>
<ul>
<li>2017-06-19 $1,337,000 NSA hack</li>
<li>2020-09-04 $31,337 NNC hack</li>
...

22. • Measures time download resource
• Accuracy depends on Internet connection of the victim
• Not under control of the attacker
• Jitter may render attack ineffective
• Need attack that is not affected by network conditions…
11
const start = performance.now();
fetch('https://example.com/url').then((response) => {
const end = performance.now();
analyze(end - start);
});

23. • Timing starts after resource has been downloaded
• Not affected by network condition
• Time to parse resource as video depends on its size
• Has been mitigated
• Error is thrown before response is parsed
• Chrome: CORB - Firefox: MIME-type checking
12
const video = document.createElement('video');
let start;
video.addEventListener('suspend', () => {
start = performance.now();
});
video.addEventListener('error', () => {
const end = performance.now();
analyze(end - start);
});
video.src = 'https://example.com/url';

24. • Timing starts after resource has been downloaded
• Not affected by network condition
• Time to add/remove resource from cache is related to size
• Mitigated in Chrome: CORB
• Still possible to abuse in Firefox
13
const cache = await caches.open('nnc');
const url = 'https://example.com/url';
const opts = {"credentials": "include", "mode": "no-cors"};
const resp = await fetch(url, opts);
const bogusReq = '/foo' + Math.random();
const start = performance.now();
await cache.put(bogusReq, resp.clone());
await cache.delete(bogusReq);
const end = performance.now();
analyze(end - start);

25. • Operations performed on resources after they have been
downloaded
• Not affected by network conditions of victim
• Examples:
• Parsing resource in a specific format
• Persisting resource to disk
• Effective countermeasures: discard operations on cross-origin
resources before any operations
Browser-basedTiming Attacks
14

26. HEIST

27. fetch('https://example.com/url');

28. example.com

29. example.com
GET /url HTTP/1.1
Origin: example.com
Accept: text/html

30. example.com
GET /url HTTP/1.1
Origin: example.com
Accept: text/html
TLS

31. example.com
GET /url HTTP/1.1
Origin: example.com
Accept: text/html
TLS
TCP

32. example.com
GET /url HTTP/1.1
Origin: example.com
Accept: text/html
TLS
TCP
481 bytes

33. example.com
GET /url HTTP/1.1
Origin: example.com
Accept: text/html
TLS
TCP
HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 9840
<!DOCTYPE html><html>...
481 bytes

34. example.com
GET /url HTTP/1.1
Origin: example.com
Accept: text/html
TLS
TCP
HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 9840
<!DOCTYPE html><html>...
481 bytes
1448 bytes

35. example.com
GET /url HTTP/1.1
Origin: example.com
Accept: text/html
TLS
TCP
HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 9840
<!DOCTYPE html><html>...
481 bytes
1448 bytes 1448 bytes

36. example.com
GET /url HTTP/1.1
Origin: example.com
Accept: text/html
TLS
TCP
HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 9840
<!DOCTYPE html><html>...
481 bytes
1448 bytes 1448 bytes 1448 bytes

37. example.com
GET /url HTTP/1.1
Origin: example.com
Accept: text/html
TLS
TCP
HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 9840
<!DOCTYPE html><html>...
481 bytes
1448 bytes 1448 bytes 1448 bytes
...

38. example.com

39. example.com

40. example.com

41. example.com

42. example.com
10 TCP packets
(= 1 TCP window)

43. example.com
10 TCP packets
(= 1 TCP window)
ACK

44. example.com
10 TCP packets
(= 1 TCP window)
...
ACK
rest of response

45. • Response is <= 14480 bytes: everything fits in single TCP window
• Response is > 14480 bytes: multiple TCP windows required
• Server needs to wait for ACK from client
• Additional round-trip
• Detect one or multiple round-trips? => leak information about size
TCP windows
19

46. const url = 'https://example.com/url';
fetch(url).then((response) => {
// first byte of response received
const firstByte = performance.now();
});
const entry = performance.getEntriesByName(url)[0];
// last byte of response received
const lastByte = entry.responseEnd;
if (lastByte - firstByte < 5) {
// 1 TCP window
} else {
// multiple TCP windows
}

47. • GZIP uses backreferences to compress content
GZIP compression
21
<html>
<h1>Welcome {{username}}</h1>
...
secret=NoNameCon
...
<html>
<h1>Welcome Tom</h1>
...
secret=NoNameCon
...
<html>
<h1>Welcome secret=</h1>
...
@-17,7NoNameCon
...

48. <html>
<h1>Welcome {{username}}</h1>
...
secret=NoNameCon
...
<html>
<h1>Welcome secret=a</h1>
...
@-17,7NoNameCon
...
<html>
<h1>Welcome secret=N</h1>
...
@-17,8oNameCon
...
8900 bytes 8899 bytes

49. • Correct character guess: 1 byte less
• Pad resource to one TCP window
• Reflecting URL parameters
• HTTP/2: using other resources
• Correct guess: one TCP window = one RTT
• vs. Incorrect guess: two TCP windows = multiple RTT
• Leak secrets byte by byte
HEIST
23

50. • Browser-based timing side-channel
• Estimate of size
• HEIST
• Exact size (after padding)
• After compression (=> leak secrets)
24
Response size Server processing time
• Timeless timing attacks
• HTTP/2
• Concurrency

51. Timeless
Timing
Attacks

52. • Typical timing attack
• Heavily affected by network jitter
• Can we do better?
26
const start = performance.now();
fetch('https://example.com/url').then((response) => {
const end = performance.now();
analyze(end - start);
});

53. fetch('https://example.com/url1');
fetch('https://example.com/url2');

54. • IF two requests arrive at the same time
• And are processed in parallel
• We know which one took longer to process
• By simply looking at the response order
TimelessTiming Attacks
28

55. • Major improvement in HTTP/2: concurrency
• We can execute multiple requests in parallel over a single connection
• TCP congestion windows also apply to the client
• Sending large request (or multiple): need to wait for ACK from server before
sending more than one TCP window
• While waiting for ACK, following requests are added to same TCP
packet
HTTP/2
29

56. example.com

57. example.com
POST /large

58. example.com
POST /large

59. example.com
POST /large

60. example.com
POST /large

61. example.com
POST /large

62. example.com
10 TCP packets
(= 1 TCP window)
POST /large

63. example.com
10 TCP packets
(= 1 TCP window)
POST /largeGET /url1

64. example.com
10 TCP packets
(= 1 TCP window)
POST /largeGET /url1

65. example.com
10 TCP packets
(= 1 TCP window)
POST /largeGET /url1
GET /url2

66. example.com
10 TCP packets
(= 1 TCP window)
POST /largeGET /url1
GET /url2

67. example.com
10 TCP packets
(= 1 TCP window)
ACK
POST /largeGET /url1
GET /url2

68. fetch('https://example.com/large', {
"method": "POST",
"body": largeString
});
let first;
fetch('https://example.com/url1').then(() => {
first = first || 'url1';
});
fetch('https://example.com/url2').then(() => {
first = first || 'url2';
});

69. • Can distinguish timing differences up to 100 times smaller
• In certain cases as small as 150ns
• Possible to exploit timing attacks that were previously not possible
to exploit
• Generic technique, CDNs can pose some limitations
TimelessTiming Attacks
32

70. • Many relatively new security features that aim to “fix” the Web
• CORB, CORP, COEP, COOP, SameSite cookies, SecFetch-*
• Aim to limit “bad” functionality that has been pestering the Web
• Cookies should not be included in cross-site requests
• It should not be possible to “play with” cross-site responses
• Attacker shouldn’t be able to endlessly interfere with cross-origin windows
• …
• Most effective when enabled by default
• Finding balance between breaking functionality and guaranteeing security
Defenses
33

71. • Browsers leak metadata about cross-origin resources
• Can be used to extract sensitive content from users
• In this presentation:
• Leaking the size: estimate/exact
• Leaking server processing time: 100x more accurate
• Independent of network conditions
• Defenses aim to remove the bad legacy features from the Web
• Intervention from websites still required
Conclusion
34

72. Questions?
@tomvangoethem
tom.vangoethem@cs.kuleuven.be