https://cfp.nonamecon.org/nnc2020/talk/9LMJAH/
For many years, injection-based vulnerabilities such as XSS and SQL-injection have dominated the web security landscape. However, as browsers and applications are becoming increasingly complex, new vulnerability classes surface. One of these new-kids-on-the-block is XSLeaks, a vulnerability class that exploit side-channel leaks in the browser to extract information across origins. In this presentation, I will describe the various types of leaks in different browser features and the network layer, and discuss how these issues can be exploited to extract sensitive information from an unwitting victim. Furthermore, the talk will cover the numerous (new) defences that need to be adopted in order to safeguard web applications (SameSite cookies, COOP, COEP, ...), and their potential shortcomings. Finally, we will take a peak into the future, and discuss how XSLeaks will likely evolve in the coming months and years.
7. ⢠Leak security information
⢠CSRF token (may lead to full account compromise)
⢠Determine the userâs identity
⢠Spear phishing
⢠User proďŹling
⢠Perform search queries under the victimâs credentials
⢠Leak secrets that only the victim has access to
⢠Extract privacy-sensitive content
⢠Which websites is the user logged in to?
An attacker may try toâŚ
5
8. ⢠Same-origin policy prevents site-A from accessing contents of site-B
⢠XSLeaks abuse side-channel information to leak metadata information
⢠Response timing
⢠Firing of events (order & time)
⢠Size of response
⢠âŚ
⢠Metadata is dependent on the state of the user
⢠Search query has results â large response
⢠No results â small response
XSLeaks
6
9. ⢠Response status
⢠Redirect (30x), 404, âŚ
⢠Cache status
⢠Cached resources load much faster
⢠Rendered content & operations
⢠frames.length
⢠postMessage()
⢠âŚ
7
Categories of XSLeaks
10. ⢠Browser-based timing side-channels
⢠HEIST
Response size Server processing time
⢠Timeless timing attacks
In this presentationâŚ
22. ⢠Measures time download resource
⢠Accuracy depends on Internet connection of the victim
⢠Not under control of the attacker
⢠Jitter may render attack ineffective
⢠Need attack that is not affected by network conditionsâŚ
11
const start = performance.now();
fetch('https://example.com/url').then((response) => {
const end = performance.now();
analyze(end - start);
});
23. ⢠Timing starts after resource has been downloaded
⢠Not affected by network condition
⢠Time to parse resource as video depends on its size
⢠Has been mitigated
⢠Error is thrown before response is parsed
⢠Chrome: CORB - Firefox: MIME-type checking
12
const video = document.createElement('video');
let start;
video.addEventListener('suspend', () => {
start = performance.now();
});
video.addEventListener('error', () => {
const end = performance.now();
analyze(end - start);
});
video.src = 'https://example.com/url';
24. ⢠Timing starts after resource has been downloaded
⢠Not affected by network condition
⢠Time to add/remove resource from cache is related to size
⢠Mitigated in Chrome: CORB
⢠Still possible to abuse in Firefox
13
const cache = await caches.open('nnc');
const url = 'https://example.com/url';
const opts = {"credentials": "include", "mode": "no-cors"};
const resp = await fetch(url, opts);
const bogusReq = '/foo' + Math.random();
const start = performance.now();
await cache.put(bogusReq, resp.clone());
await cache.delete(bogusReq);
const end = performance.now();
analyze(end - start);
25. ⢠Operations performed on resources after they have been
downloaded
⢠Not affected by network conditions of victim
⢠Examples:
⢠Parsing resource in a speciďŹc format
⢠Persisting resource to disk
⢠Effective countermeasures: discard operations on cross-origin
resources before any operations
Browser-basedTiming Attacks
14
45. ⢠Response is <= 14480 bytes: everything ďŹts in single TCP window
⢠Response is > 14480 bytes: multiple TCP windows required
⢠Server needs to wait for ACK from client
⢠Additional round-trip
⢠Detect one or multiple round-trips? => leak information about size
TCP windows
19
46. const url = 'https://example.com/url';
fetch(url).then((response) => {
// first byte of response received
const firstByte = performance.now();
});
const entry = performance.getEntriesByName(url)[0];
// last byte of response received
const lastByte = entry.responseEnd;
if (lastByte - firstByte < 5) {
// 1 TCP window
} else {
// multiple TCP windows
}
49. ⢠Correct character guess: 1 byte less
⢠Pad resource to one TCP window
⢠ReďŹecting URL parameters
⢠HTTP/2: using other resources
⢠Correct guess: one TCP window = one RTT
⢠vs. Incorrect guess: two TCP windows = multiple RTT
⢠Leak secrets byte by byte
HEIST
23
50. ⢠Browser-based timing side-channel
⢠Estimate of size
⢠HEIST
⢠Exact size (after padding)
⢠After compression (=> leak secrets)
24
Response size Server processing time
⢠Timeless timing attacks
⢠HTTP/2
⢠Concurrency
54. ⢠IF two requests arrive at the same time
⢠And are processed in parallel
⢠We know which one took longer to process
⢠By simply looking at the response order
TimelessTiming Attacks
28
55. ⢠Major improvement in HTTP/2: concurrency
⢠We can execute multiple requests in parallel over a single connection
⢠TCP congestion windows also apply to the client
⢠Sending large request (or multiple): need to wait for ACK from server before
sending more than one TCP window
⢠While waiting for ACK, following requests are added to same TCP
packet
HTTP/2
29
69. ⢠Can distinguish timing differences up to 100 times smaller
⢠In certain cases as small as 150ns
⢠Possible to exploit timing attacks that were previously not possible
to exploit
⢠Generic technique, CDNs can pose some limitations
TimelessTiming Attacks
32
70. ⢠Many relatively new security features that aim to âďŹxâ the Web
⢠CORB, CORP, COEP, COOP, SameSite cookies, SecFetch-*
⢠Aim to limit âbadâ functionality that has been pestering the Web
⢠Cookies should not be included in cross-site requests
⢠It should not be possible to âplay withâ cross-site responses
⢠Attacker shouldnât be able to endlessly interfere with cross-origin windows
⢠âŚ
⢠Most effective when enabled by default
⢠Finding balance between breaking functionality and guaranteeing security
Defenses
33
71. ⢠Browsers leak metadata about cross-origin resources
⢠Can be used to extract sensitive content from users
⢠In this presentation:
⢠Leaking the size: estimate/exact
⢠Leaking server processing time: 100x more accurate
⢠Independent of network conditions
⢠Defenses aim to remove the bad legacy features from the Web
⢠Intervention from websites still required
Conclusion
34