Side-Channels on the Web:
Attacks and Defenses
Tom Van Goethem
@tomvangoethem
https://cute-kittens.com
https://super-doggos.org
https://evil-bunnies.net
BUNNIES ATTACK!
What can the bunnies (attackers) do?
Attacker model
• Cross-origin attack (evil-bunnies.net vs. cute-kittens.com)
  • Subject to the Same-Origin Policy: can't extract information directly
• Attacker infers information based on the state of the victim at the target site
  • Logged in or not?
  • Search query has results?
• Launch cross-site requests; can't access the response directly
  • Attack needs to exploit side-channel leaks
https://evil-bunnies.net ⇄ https://cute-kittens.com
(1) visit malicious site
(2) return malicious JS
(3) probe affected resources
(4) return user-specific response
(5) use side-channel to infer information about response
Response size may leak information about user state (e.g. ~19kB vs. ~183kB)
Nethanel Gelernter and Amir Herzberg. "Cross-site search attacks." Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security (CCS). ACM, 2015.
XS-Leaks
• Server generates response based on user's state
• Attacker tries to differentiate between two responses
• Examples
  • Logged in (=> large response) vs. not logged in (=> small response)
  • User has access to resource (=> 200) vs. no access (=> 404)
    • Was used to uniquely identify users by giving them access to attacker-controlled resources [1]
  • Search query has results (=> response with iframe) vs. no results (=> no iframe)
[1] Cristian-Alexandru Staicu and Michael Pradel. "Leaky Images: Targeted Privacy Attacks in the Web". Proceedings of the 28th USENIX Security Symposium, 2019.
Timeline of a request to https://cute-kittens.com: state_0 → state_1 → state_2 → state_3 → state_4 → … → state_n
state_1: browser initiated connection to target site
  → 1 fewer connection available in pool (e.g. 255 in Chrome)
  => infer whether endpoint includes resource to certain site
state_2: headers of response are received
  → Promise returned by fetch() resolved
  => measure time to generate response + delay/jitter (T_state_2 - T_state_1)
state_3: complete response body received
  → Time returned by Resource Timing API (performance.getEntries())
  => measure time to download response (T_state_3 - T_state_2)
state_4: browser cached response
  → Resource added to HTTP cache; can be requested w/o connection
  => infer which resources were cached
HEIST: HTTP Encrypted Information can be Stolen through TCP Windows
HEIST
• Determine exact response size (compressed)
• 1 TCP window = 10 TCP packets = 14480 bytes of data
  • 2nd TCP window can only start after ACK (→ additional round-trip needed)
  • Response fits in 1 TCP window → 1 RTT, otherwise 2+ RTTs
• Use side-channel to detect when first byte is received
  • fetch() promise resolves
• Use side-channel to detect when full response is received
  • Resource Timing API
• Timing difference < 5ms? Then 1 TCP window, otherwise 2 TCP windows
[Figure: a 14480-byte response fits in the 1st TCP window, so fetch() resolves and the PerformanceEntry arrives with a small timing difference; a 14481-byte response needs an ACK and a 2nd TCP window, so the timing difference is much bigger]
HEIST
• Important prerequisite: reflection of request in response
  • Needed to align on TCP window size
• Needs some “window-tuning” for larger responses
• Exact size is known after compression
  • Allows for BREACH-like attack
  • Extract secret information such as CSRF token
• More information: see whitepaper
  https://tom.vg/papers/heist_blackhat2016.pdf
Timeline of a request to https://messenger.com/t/<fb_id>: state_0 → state_1 → state_2 → state_3 → … → state_n
state_1: browser parsed response HTML
  → win.frames.length == 3
state_2: JavaScript replaces iframe ONLY IF user has had contact with <facebook_id>
  → win.frames.length == 2
state_3: iframe has been replaced
  → win.frames.length == 3
const win = window.opener;
win.location = `https://messenger.com/t/${facebookID}`;
Credits: Ron Masas - http://ronmasas.com/posts/facebook-messenger-vulnerability/
Browser state changes
• As soon as a resource is requested, the browser will transition between different “states”
• These state changes can be permanent or temporary
  • Permanent: frame is added to included web page
  • Temporary: load event is fired
• Time and order when state changes occur can be important
Detecting browser state changes
• Two different responses can result in two different state change patterns
  • Strict requirement for performing a practical XS-Leak attack
• Attacker includes target endpoint as a resource
  • E.g. iframe (if no X-Frame-Options + needs rendering)
  • E.g. window.open (in case of XFO + needs rendering)
  • E.g. <img>.src (in case no rendering required)
• Attacker observes properties/events/… associated with the included resource
  • E.g. frames.length
• May need more advanced resource operations
  • E.g. first load resource X, then load resource Y
XS-Leaks overview
• Response size
  • Timing network connections
  • Browser-based timing attack (<video>, Cache API, AppCache)
  • Storage API (fixed, reintroduced for small disk devices, fixed again)
  • HEIST (TCP level)
• Response status
  • Application Cache (error when resource redirects)
  • history.length (+1 in case resource redirected)
  • Resource Timing (difference between start and fetchStart property)
  • CSP (policy set by attacker, violation in case of redirect to other domain)
XS-Leaks overview (2)
• Cache status
  • AppCache (Cache-control: no-store resources cause error)
  • Timing (cached resources load much faster)
• Resource content and operations
  • frames.length (for iframe or new opened window)
  • postMessage() to parent page (may contain sensitive content)
  • Event loop (spy on pattern of other processes)
  • Navigate to id (triggers blur event on attacker page)
• More techniques likely to be discovered
  • Check out https://github.com/xsleaks/xsleaks/
Defenses
XS-Leaks defenses
• Two main approaches
  1. Prevent differences in responses
  2. Prevent attacker from observing state changes
• Often a combination of both approaches
  • (1) is purely a server-side effort
  • (2) is often controlled by response headers that instruct the browser
• Using SameSite cookies can be very effective
  • Defends against all attacks except for those based on window.open
XS-Leaks defenses
• Different attack techniques may require different defenses
  • iframe attacks: set X-Frame-Options or CSP's frame-ancestors
• Some defenses are built-in by default
  • Cross-Origin Read Blocking (CORB) – prevents potentially sensitive responses (HTML, JSON, XML) from ending up in the same renderer as the including document
    • Was originally implemented as a defense against Spectre
  • Soon: SameSite cookies
  • Soon: cache partitioning – entries in the HTTP cache are bound to the top document location (prevents attacker from detecting if a certain resource was cached)
XS-Leaks defenses
• Browser may give information on the nature of the request
  • Sec-Fetch Metadata: detect illegitimate requests
  • Block such requests or return other content
• Certain mechanisms require opt-in from the server
  • Cross-Origin Opener Policy (COOP) – drops reference to opened window, so attacks using window.open no longer work
  • Cross-Origin Resource Policy (CORP) – same-site | same-origin | cross-site; similar to CORB: block no-cors cross-origin/cross-site requests
Sec-Fetch Metadata headers (example):
Sec-Fetch-Dest: image
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: cross-site
XS-Leaks defenses overview
• What can I do (as a web developer)?
  • Use the SameSite attribute on cookies
  • Prevent framing (X-Frame-Options/CSP frame-ancestors)
  • Send Cross-Origin-Opener-Policy: same-origin (should be adopted by several browsers soon)
• What can I do (as a user)?
  • Avoid the evil bunnies?
  • Separate contexts (e.g. incognito; containers extension in Firefox)
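The two defense slides above (Sec-Fetch Metadata checks, COOP/CORP, and the "what can I do as a web developer" list) fit together in one server-side policy. The following is an added example, not code from the talk or from any project it cites: a plain Node.js module that applies a Fetch Metadata resource isolation policy to incoming request headers and attaches the response headers the slides recommend. The header names and values are the real ones; the helper names (isolationPolicyAllows, defenseHeaders, handleRequest), the sample requests and the cookie value are this example's own constructions.

```javascript
"use strict";

// Fetch Metadata resource isolation policy (added example, not from the deck).
// `headers` is a map of lower-cased request header names to values, as Node's
// http module provides; `method` is the HTTP method.
function isolationPolicyAllows(headers, method = "GET") {
  const site = headers["sec-fetch-site"];
  const mode = headers["sec-fetch-mode"];
  const dest = headers["sec-fetch-dest"];

  // Browsers without Fetch Metadata send no Sec-Fetch-* headers: fail open so
  // they keep working and rely on SameSite cookies / framing protections.
  if (site === undefined) return true;

  // Same-origin, same-site and user-initiated (address bar, bookmark) requests
  // are not cross-site probes.
  if (site === "same-origin" || site === "same-site" || site === "none") return true;

  // Plain top-level GET navigations keep inbound links working; navigations
  // that embed the response (<object>/<embed>) and POST navigations do not.
  if (mode === "navigate" && method === "GET" && dest !== "object" && dest !== "embed") {
    return true;
  }

  // Everything else is a cross-site subresource load (img, iframe, no-cors
  // fetch, ...), i.e. the shape of an XS-Leak probe.
  return false;
}

// Response headers the slides list as defenses: SameSite keeps the session
// cookie off cross-site subresource requests, XFO / frame-ancestors stop
// framing, COOP severs the window.opener reference, CORP tells the browser to
// refuse cross-site no-cors reads of this response.
function defenseHeaders() {
  return {
    "Set-Cookie": "session=<opaque-session-id>; Secure; HttpOnly; SameSite=Lax", // placeholder value
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "frame-ancestors 'none'",
    "Cross-Origin-Opener-Policy": "same-origin",
    "Cross-Origin-Resource-Policy": "same-origin",
  };
}

// A blocked request always gets the same fixed answer, so status, size and
// generation time no longer depend on the user's state at this site.
function handleRequest(req, renderForUser) {
  if (!isolationPolicyAllows(req.headers, req.method)) {
    return { status: 403, headers: defenseHeaders(), body: "" };
  }
  return { status: 200, headers: defenseHeaders(), body: renderForUser(req) };
}

// Constructed sample requests (not captured traffic). The first one carries
// exactly the header values shown on the slide.
const crossSiteImageProbe = {
  method: "GET",
  headers: { "sec-fetch-dest": "image", "sec-fetch-mode": "no-cors", "sec-fetch-site": "cross-site" },
};
const sameOriginFetch = {
  method: "GET",
  headers: { "sec-fetch-dest": "empty", "sec-fetch-mode": "cors", "sec-fetch-site": "same-origin" },
};
const crossSiteLinkClick = {
  method: "GET",
  headers: { "sec-fetch-dest": "document", "sec-fetch-mode": "navigate", "sec-fetch-site": "cross-site" },
};
const crossSiteFormPost = {
  method: "POST",
  headers: { "sec-fetch-dest": "document", "sec-fetch-mode": "navigate", "sec-fetch-site": "cross-site" },
};

// Stand-in for the state-dependent page (e.g. a user's search results).
const render = () => "<html>private search results</html>";

for (const [name, req] of Object.entries({ crossSiteImageProbe, sameOriginFetch, crossSiteLinkClick, crossSiteFormPost })) {
  console.log(name, "->", handleRequest(req, render).status);
}
```

Blocking at the policy layer covers the no-cors subresource probes (img, iframe, fetch) from the attack flow; a cross-site navigation such as window.open is still allowed through, which is why the COOP header in defenseHeaders() is there to cut the opener reference for that remaining case.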
Conclusion
• Responses often depend on the state of the user
• XS-Leaks can be used to extract side-channel information on the response
  • Can be used to differentiate two responses
  • Leaks information on the state of the user (# search results, identity, …)
• When the browser loads a resource, it undergoes a series of state changes
  • Pattern of state changes leaks the information
• Defenses: SameSite cookies, XFO, new mechanisms coming soon
Questions?
@tomvangoethem

Mais conteúdo relacionado

Mais procurados

Flaying the Blockchain Ledger for Fun, Profit, and Hip Hop
Flaying the Blockchain Ledger for Fun, Profit, and Hip HopFlaying the Blockchain Ledger for Fun, Profit, and Hip Hop
Flaying the Blockchain Ledger for Fun, Profit, and Hip HopAndrew Morris
 
DEF CON 27 - WENXIANG QIAN and YUXIANG LI HUIYU - breaking google home exploi...
DEF CON 27 - WENXIANG QIAN and YUXIANG LI HUIYU - breaking google home exploi...DEF CON 27 - WENXIANG QIAN and YUXIANG LI HUIYU - breaking google home exploi...
DEF CON 27 - WENXIANG QIAN and YUXIANG LI HUIYU - breaking google home exploi...Felipe Prado
 
BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...
BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...
BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...BlueHat Security Conference
 
Derbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryDerbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryWill Schroeder
 
Apache httpd 2.4 Reverse Proxy
Apache httpd 2.4 Reverse ProxyApache httpd 2.4 Reverse Proxy
Apache httpd 2.4 Reverse ProxyJim Jagielski
 
Carlos García - Pentesting Active Directory [rooted2018]
Carlos García - Pentesting Active Directory [rooted2018]Carlos García - Pentesting Active Directory [rooted2018]
Carlos García - Pentesting Active Directory [rooted2018]RootedCON
 
2017 JavaOne Deconstructing and Evolving REST Security
2017 JavaOne Deconstructing and Evolving REST Security2017 JavaOne Deconstructing and Evolving REST Security
2017 JavaOne Deconstructing and Evolving REST SecurityDavid Blevins
 
Using Algorithms to Brute Force Algorithms...A Journey Through Time and Names...
Using Algorithms to Brute Force Algorithms...A Journey Through Time and Names...Using Algorithms to Brute Force Algorithms...A Journey Through Time and Names...
Using Algorithms to Brute Force Algorithms...A Journey Through Time and Names...OpenDNS
 
Http response splitting
Http response splittingHttp response splitting
Http response splittingSharath Unni
 
Covert Timing Channels using HTTP Cache Headers
Covert Timing Channels using HTTP Cache HeadersCovert Timing Channels using HTTP Cache Headers
Covert Timing Channels using HTTP Cache HeadersDenis Kolegov
 
External to DA, the OS X Way
External to DA, the OS X WayExternal to DA, the OS X Way
External to DA, the OS X WayStephan Borosh
 
Carlos García - Pentesting Active Directory Forests [rooted2019]
Carlos García - Pentesting Active Directory Forests [rooted2019]Carlos García - Pentesting Active Directory Forests [rooted2019]
Carlos García - Pentesting Active Directory Forests [rooted2019]RootedCON
 
End-to-End Analysis of a Domain Generating Algorithm Malware Family
End-to-End Analysis of a Domain Generating Algorithm Malware FamilyEnd-to-End Analysis of a Domain Generating Algorithm Malware Family
End-to-End Analysis of a Domain Generating Algorithm Malware FamilyCrowdStrike
 
Modern Reconnaissance Phase on APT - protection layer
Modern Reconnaissance Phase on APT - protection layerModern Reconnaissance Phase on APT - protection layer
Modern Reconnaissance Phase on APT - protection layerShakacon
 

Mais procurados (20)

Cache poisoning
Cache poisoningCache poisoning
Cache poisoning
 
Flaying the Blockchain Ledger for Fun, Profit, and Hip Hop
Flaying the Blockchain Ledger for Fun, Profit, and Hip HopFlaying the Blockchain Ledger for Fun, Profit, and Hip Hop
Flaying the Blockchain Ledger for Fun, Profit, and Hip Hop
 
DEF CON 27 - WENXIANG QIAN and YUXIANG LI HUIYU - breaking google home exploi...
DEF CON 27 - WENXIANG QIAN and YUXIANG LI HUIYU - breaking google home exploi...DEF CON 27 - WENXIANG QIAN and YUXIANG LI HUIYU - breaking google home exploi...
DEF CON 27 - WENXIANG QIAN and YUXIANG LI HUIYU - breaking google home exploi...
 
DNS over HTTPS
DNS over HTTPSDNS over HTTPS
DNS over HTTPS
 
BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...
BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...
BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...
 
Derbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryDerbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active Directory
 
Apache httpd 2.4 Reverse Proxy
Apache httpd 2.4 Reverse ProxyApache httpd 2.4 Reverse Proxy
Apache httpd 2.4 Reverse Proxy
 
Carlos García - Pentesting Active Directory [rooted2018]
Carlos García - Pentesting Active Directory [rooted2018]Carlos García - Pentesting Active Directory [rooted2018]
Carlos García - Pentesting Active Directory [rooted2018]
 
2017 JavaOne Deconstructing and Evolving REST Security
2017 JavaOne Deconstructing and Evolving REST Security2017 JavaOne Deconstructing and Evolving REST Security
2017 JavaOne Deconstructing and Evolving REST Security
 
Using Algorithms to Brute Force Algorithms...A Journey Through Time and Names...
Using Algorithms to Brute Force Algorithms...A Journey Through Time and Names...Using Algorithms to Brute Force Algorithms...A Journey Through Time and Names...
Using Algorithms to Brute Force Algorithms...A Journey Through Time and Names...
 
Http response splitting
Http response splittingHttp response splitting
Http response splitting
 
Covert Timing Channels using HTTP Cache Headers
Covert Timing Channels using HTTP Cache HeadersCovert Timing Channels using HTTP Cache Headers
Covert Timing Channels using HTTP Cache Headers
 
External to DA, the OS X Way
External to DA, the OS X WayExternal to DA, the OS X Way
External to DA, the OS X Way
 
Web Cache Poisoning
Web Cache PoisoningWeb Cache Poisoning
Web Cache Poisoning
 
Carlos García - Pentesting Active Directory Forests [rooted2019]
Carlos García - Pentesting Active Directory Forests [rooted2019]Carlos García - Pentesting Active Directory Forests [rooted2019]
Carlos García - Pentesting Active Directory Forests [rooted2019]
 
End-to-End Analysis of a Domain Generating Algorithm Malware Family
End-to-End Analysis of a Domain Generating Algorithm Malware FamilyEnd-to-End Analysis of a Domain Generating Algorithm Malware Family
End-to-End Analysis of a Domain Generating Algorithm Malware Family
 
Modern Reconnaissance Phase on APT - protection layer
Modern Reconnaissance Phase on APT - protection layerModern Reconnaissance Phase on APT - protection layer
Modern Reconnaissance Phase on APT - protection layer
 
Null HYD VRTDOS
Null HYD VRTDOSNull HYD VRTDOS
Null HYD VRTDOS
 
Death of Web App Firewall
Death of Web App FirewallDeath of Web App Firewall
Death of Web App Firewall
 
Death of WAF - GoSec '15
Death of WAF - GoSec '15Death of WAF - GoSec '15
Death of WAF - GoSec '15
 

Semelhante a Side-Channels on the Web: Attacks and Defenses

Help, my browser is leaking! Exploring XSLeaks attacks and defenses - Tom Van...
Help, my browser is leaking! Exploring XSLeaks attacks and defenses - Tom Van...Help, my browser is leaking! Exploring XSLeaks attacks and defenses - Tom Van...
Help, my browser is leaking! Exploring XSLeaks attacks and defenses - Tom Van...NoNameCon
 
[OPD 2019] Side-Channels on the Web:
Attacks and Defenses
[OPD 2019] Side-Channels on the Web:
Attacks and Defenses[OPD 2019] Side-Channels on the Web:
Attacks and Defenses
[OPD 2019] Side-Channels on the Web:
Attacks and DefensesOWASP
 
Browser Internals-Same Origin Policy
Browser Internals-Same Origin PolicyBrowser Internals-Same Origin Policy
Browser Internals-Same Origin PolicyKrishna T
 
Openstack meetup lyon_2017-09-28
Openstack meetup lyon_2017-09-28Openstack meetup lyon_2017-09-28
Openstack meetup lyon_2017-09-28Xavier Lucas
 
Http requesting smuggling
Http requesting smugglingHttp requesting smuggling
Http requesting smugglingApijay Kumar
 
HTTP cookie hijacking in the wild: security and privacy implications
HTTP cookie hijacking in the wild: security and privacy implicationsHTTP cookie hijacking in the wild: security and privacy implications
HTTP cookie hijacking in the wild: security and privacy implicationsPriyanka Aash
 
Websocket vs SSE - Paris.js - 24/06/15
Websocket vs SSE - Paris.js - 24/06/15Websocket vs SSE - Paris.js - 24/06/15
Websocket vs SSE - Paris.js - 24/06/15streamdata.io
 
Krzysztof Kotowicz - Hacking HTML5
Krzysztof Kotowicz - Hacking HTML5Krzysztof Kotowicz - Hacking HTML5
Krzysztof Kotowicz - Hacking HTML5DefconRussia
 
Html5 security
Html5 securityHtml5 security
Html5 securityKrishna T
 
Helen Tabunshchyk "Handling large amounts of traffic on the Edge"
Helen Tabunshchyk "Handling large amounts of traffic on the Edge"Helen Tabunshchyk "Handling large amounts of traffic on the Edge"
Helen Tabunshchyk "Handling large amounts of traffic on the Edge"Fwdays
 
Cdn technology overview
Cdn technology overviewCdn technology overview
Cdn technology overviewYoohyun Kim
 
Multi-Layer DDoS Mitigation Strategies
Multi-Layer DDoS Mitigation StrategiesMulti-Layer DDoS Mitigation Strategies
Multi-Layer DDoS Mitigation StrategiesLogan Best
 
Introduction to Ethereum
Introduction to EthereumIntroduction to Ethereum
Introduction to EthereumArnold Pham
 
Hacking HTML5 offensive course (Zeronights edition)
Hacking HTML5 offensive course (Zeronights edition)Hacking HTML5 offensive course (Zeronights edition)
Hacking HTML5 offensive course (Zeronights edition)Krzysztof Kotowicz
 
Multi-Layer DDoS Mitigation Strategies
Multi-Layer DDoS Mitigation StrategiesMulti-Layer DDoS Mitigation Strategies
Multi-Layer DDoS Mitigation StrategiesSagi Brody
 

Semelhante a Side-Channels on the Web: Attacks and Defenses (20)

Help, my browser is leaking! Exploring XSLeaks attacks and defenses - Tom Van...
Help, my browser is leaking! Exploring XSLeaks attacks and defenses - Tom Van...Help, my browser is leaking! Exploring XSLeaks attacks and defenses - Tom Van...
Help, my browser is leaking! Exploring XSLeaks attacks and defenses - Tom Van...
 
[OPD 2019] Side-Channels on the Web:
Attacks and Defenses
[OPD 2019] Side-Channels on the Web:
Attacks and Defenses[OPD 2019] Side-Channels on the Web:
Attacks and Defenses
[OPD 2019] Side-Channels on the Web:
Attacks and Defenses
 
Browser Internals-Same Origin Policy
Browser Internals-Same Origin PolicyBrowser Internals-Same Origin Policy
Browser Internals-Same Origin Policy
 
Openstack meetup lyon_2017-09-28
Openstack meetup lyon_2017-09-28Openstack meetup lyon_2017-09-28
Openstack meetup lyon_2017-09-28
 
HTML5 hacking
HTML5 hackingHTML5 hacking
HTML5 hacking
 
Http requesting smuggling
Http requesting smugglingHttp requesting smuggling
Http requesting smuggling
 
HTTP cookie hijacking in the wild: security and privacy implications
HTTP cookie hijacking in the wild: security and privacy implicationsHTTP cookie hijacking in the wild: security and privacy implications
HTTP cookie hijacking in the wild: security and privacy implications
 
Websocket vs SSE - Paris.js - 24/06/15
Websocket vs SSE - Paris.js - 24/06/15Websocket vs SSE - Paris.js - 24/06/15
Websocket vs SSE - Paris.js - 24/06/15
 
Krzysztof Kotowicz - Hacking HTML5
Krzysztof Kotowicz - Hacking HTML5Krzysztof Kotowicz - Hacking HTML5
Krzysztof Kotowicz - Hacking HTML5
 
526_topic08.ppt
526_topic08.ppt526_topic08.ppt
526_topic08.ppt
 
Html5 security
Html5 securityHtml5 security
Html5 security
 
Helen Tabunshchyk "Handling large amounts of traffic on the Edge"
Helen Tabunshchyk "Handling large amounts of traffic on the Edge"Helen Tabunshchyk "Handling large amounts of traffic on the Edge"
Helen Tabunshchyk "Handling large amounts of traffic on the Edge"
 
Cdn technology overview
Cdn technology overviewCdn technology overview
Cdn technology overview
 
Multi-Layer DDoS Mitigation Strategies
Multi-Layer DDoS Mitigation StrategiesMulti-Layer DDoS Mitigation Strategies
Multi-Layer DDoS Mitigation Strategies
 
Http2 in practice
Http2 in practiceHttp2 in practice
Http2 in practice
 
Browser Security
Browser SecurityBrowser Security
Browser Security
 
Introduction to Ethereum
Introduction to EthereumIntroduction to Ethereum
Introduction to Ethereum
 
Hacking HTML5 offensive course (Zeronights edition)
Hacking HTML5 offensive course (Zeronights edition)Hacking HTML5 offensive course (Zeronights edition)
Hacking HTML5 offensive course (Zeronights edition)
 
Building Client-Side Attacks with HTML5 Features
Building Client-Side Attacks with HTML5 FeaturesBuilding Client-Side Attacks with HTML5 Features
Building Client-Side Attacks with HTML5 Features
 
Multi-Layer DDoS Mitigation Strategies
Multi-Layer DDoS Mitigation StrategiesMulti-Layer DDoS Mitigation Strategies
Multi-Layer DDoS Mitigation Strategies
 

Último

Russian Escort Abu Dhabi 0503464457 Abu DHabi Escorts
Russian Escort Abu Dhabi 0503464457 Abu DHabi EscortsRussian Escort Abu Dhabi 0503464457 Abu DHabi Escorts
Russian Escort Abu Dhabi 0503464457 Abu DHabi EscortsMonica Sydney
 
Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrStory Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrHenryBriggs2
 
20240509 QFM015 Engineering Leadership Reading List April 2024.pdf
20240509 QFM015 Engineering Leadership Reading List April 2024.pdf20240509 QFM015 Engineering Leadership Reading List April 2024.pdf
20240509 QFM015 Engineering Leadership Reading List April 2024.pdfMatthew Sinclair
 
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样ayvbos
 
APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53APNIC
 
75539-Cyber Security Challenges PPT.pptx
75539-Cyber Security Challenges PPT.pptx75539-Cyber Security Challenges PPT.pptx
75539-Cyber Security Challenges PPT.pptxAsmae Rabhi
 
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
2nd Solid Symposium: Solid Pods vs Personal Knowledge GraphsEleniIlkou
 
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样ayvbos
 
Meaning of On page SEO & its process in detail.
Meaning of On page SEO & its process in detail.Meaning of On page SEO & its process in detail.
Meaning of On page SEO & its process in detail.krishnachandrapal52
 
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...gajnagarg
 
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制pxcywzqs
 
Trump Diapers Over Dems t shirts Sweatshirt
Trump Diapers Over Dems t shirts SweatshirtTrump Diapers Over Dems t shirts Sweatshirt
Trump Diapers Over Dems t shirts Sweatshirtrahman018755
 
best call girls in Hyderabad Finest Escorts Service 📞 9352988975 📞 Available ...
best call girls in Hyderabad Finest Escorts Service 📞 9352988975 📞 Available ...best call girls in Hyderabad Finest Escorts Service 📞 9352988975 📞 Available ...
best call girls in Hyderabad Finest Escorts Service 📞 9352988975 📞 Available ...kajalverma014
 
PowerDirector Explination Process...pptx
PowerDirector Explination Process...pptxPowerDirector Explination Process...pptx
PowerDirector Explination Process...pptxgalaxypingy
 
20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
20240507 QFM013 Machine Intelligence Reading List April 2024.pdf20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
20240507 QFM013 Machine Intelligence Reading List April 2024.pdfMatthew Sinclair
 
Nagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime Nagercoil
Nagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime NagercoilNagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime Nagercoil
Nagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime Nagercoilmeghakumariji156
 
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...APNIC
 
Indian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
Indian Escort in Abu DHabi 0508644382 Abu Dhabi EscortsIndian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
Indian Escort in Abu DHabi 0508644382 Abu Dhabi EscortsMonica Sydney
 
"Boost Your Digital Presence: Partner with a Leading SEO Agency"
"Boost Your Digital Presence: Partner with a Leading SEO Agency""Boost Your Digital Presence: Partner with a Leading SEO Agency"
"Boost Your Digital Presence: Partner with a Leading SEO Agency"growthgrids
 
Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Room
Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac RoomVip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Room
Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Roommeghakumariji156
 

Último (20)

Russian Escort Abu Dhabi 0503464457 Abu DHabi Escorts
Russian Escort Abu Dhabi 0503464457 Abu DHabi EscortsRussian Escort Abu Dhabi 0503464457 Abu DHabi Escorts
Russian Escort Abu Dhabi 0503464457 Abu DHabi Escorts
 
Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrStory Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
 
20240509 QFM015 Engineering Leadership Reading List April 2024.pdf
20240509 QFM015 Engineering Leadership Reading List April 2024.pdf20240509 QFM015 Engineering Leadership Reading List April 2024.pdf
20240509 QFM015 Engineering Leadership Reading List April 2024.pdf
 
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
 
APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53
 
75539-Cyber Security Challenges PPT.pptx
75539-Cyber Security Challenges PPT.pptx75539-Cyber Security Challenges PPT.pptx
75539-Cyber Security Challenges PPT.pptx
 
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
 
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
 
Meaning of On page SEO & its process in detail.
Meaning of On page SEO & its process in detail.Meaning of On page SEO & its process in detail.
Meaning of On page SEO & its process in detail.
 
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...

Side-Channels on the Web: Attacks and Defenses

  • 1. Side-Channels on the Web: Attacks and Defenses. Tom Van Goethem (@tomvangoethem)
  • 6. What can the bunnies (attackers) do?
  • 7. Attacker model
    • Cross-origin attack (evil-bunnies.net vs. cute-kittens.com)
    • Subject to Same-Origin-Policy
    • Can't extract information directly
    • Attacker infers information based on state of victim at target site
      • Logged in or not?
      • Search query has results?
    • Launch cross-site requests; can't access response directly
    • Attack needs to exploit side-channel leaks
  • 10. https://evil-bunnies.net and https://cute-kittens.com: (1) visit malicious site; (2) return malicious JS; (3) probe affected resources
  • 11. https://evil-bunnies.net and https://cute-kittens.com: (1) visit malicious site; (2) return malicious JS; (3) probe affected resources; (4) return user-specific response
  • 12. https://evil-bunnies.net and https://cute-kittens.com: (1) visit malicious site; (2) return malicious JS; (3) probe affected resources; (4) return user-specific response; (5) use side-channel to infer information about response
  • 13. Response size may leak information about user state: ~183kB
  • 14. Response size may leak information about user state: ~19kB vs. ~183kB
  • 15. Nethanel Gelernter and Amir Herzberg. "Cross-site search attacks." Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security (CCS). ACM, 2015.
  • 16. Nethanel Gelernter and Amir Herzberg. "Cross-site search attacks." Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security (CCS). ACM, 2015.
  • 18. XS-Leaks
    • Server generates response based on user's state
    • Attacker tries to differentiate between two responses
    • Examples
      • Logged in (=> large response) vs. not logged in (=> small response)
      • User has access to resource (=> 200) vs. no access (=> 404)
        • Was used to uniquely identify users by giving them access to attacker-controlled resources [1]
      • Search query has results (=> response with iframe) vs. no results (=> no iframe)
    • [1] Cristian-Alexandru Staicu and Michael Pradel. "Leaky Images: Targeted Privacy Attacks in the Web". Proceedings of the 28th USENIX Security Symposium, 2019.
  • 20. Timeline of a request to https://cute-kittens.com: state_0 … state_n
    • state_1: browser initiated connection to target site
      • 1 fewer connection available in pool (e.g. 255 in Chrome) => infer whether endpoint includes resource to certain site
  • 21. Timeline of a request to https://cute-kittens.com: state_0 … state_n
    • state_1: browser initiated connection to target site
      • 1 fewer connection available in pool (e.g. 255 in Chrome) => infer whether endpoint includes resource to certain site
    • state_2: headers of response are received
      • Promise returned by fetch() resolved => measure time to generate response + delay/jitter (T_state_2 - T_state_1)
  • 22. Timeline of a request to https://cute-kittens.com: state_0 … state_n
    • state_1: browser initiated connection to target site
      • 1 fewer connection available in pool (e.g. 255 in Chrome) => infer whether endpoint includes resource to certain site
    • state_2: headers of response are received
      • Promise returned by fetch() resolved => measure time to generate response + delay/jitter (T_state_2 - T_state_1)
    • state_3: complete response body received
      • Time returned by Resource Timing API (performance.getEntries()) => measure time to download response (T_state_3 - T_state_2)
  • 23. Timeline of a request to https://cute-kittens.com: state_0 … state_n
    • state_1: browser initiated connection to target site
      • 1 fewer connection available in pool (e.g. 255 in Chrome) => infer whether endpoint includes resource to certain site
    • state_2: headers of response are received
      • Promise returned by fetch() resolved => measure time to generate response + delay/jitter (T_state_2 - T_state_1)
    • state_3: complete response body received
      • Time returned by Resource Timing API (performance.getEntries()) => measure time to download response (T_state_3 - T_state_2)
    • state_4: browser cached response
      • Resource added to HTTP cache; can be requested w/o connection => infer which resources were cached
  • 25. HEIST
    • Determine exact response size (compressed)
    • 1 TCP window = 10 TCP packets = 14480 bytes of data
    • 2nd TCP window can only start after ACK (→ additional round-trip needed)
    • Response fits in 1 TCP window → 1 RTT, otherwise 2+ RTTs
    • Use side-channel to detect when first byte is received: fetch() promise resolves
    • Use side-channel to detect when full response is received: Resource Timing API
    • Timing difference < 5ms? Then 1 TCP window, otherwise 2 TCP windows
  • 28. [Figure: response fits in the 1st TCP window; fetch() resolves, then the PerformanceEntry arrives; timing difference]
  • 31. [Figure: 1st TCP window, ACK, …, 2nd TCP window; fetch() resolves, then the PerformanceEntry arrives; timing difference (much bigger)]
  • 32. HEIST
    • Important prerequisite: reflection of request in response (needed to align on TCP window size)
    • Needs some "window-tuning" for larger responses
    • Exact size is known after compression: allows for BREACH-like attack to extract secret information such as CSRF token
    • More information: see whitepaper https://tom.vg/papers/heist_blackhat2016.pdf
  • 33. Timeline of a request to https://messenger.com/t/<fb_id>: state_0 … state_n
    • state_1: browser parsed response HTML; win.frames.length == 3
    • state_2: JavaScript replaces iframe ONLY IF user has had contact with <facebook_id>; win.frames.length == 2
    • state_3: iframe has been replaced; win.frames.length == 3
    • Code: const win = window.opener; win.location = `https://messenger.com/t/${facebookID}`;
    • Credits: Ron Masas - http://ronmasas.com/posts/facebook-messenger-vulnerability/
  • 34. Browser state changes
    • As soon as a resource is requested, the browser will transition between different "states"
    • These state changes can be permanent or temporary
      • Permanent: frame is added to included web page
      • Temporary: load event is fired
    • Time and order when state changes occur can be important
  • 35. Detecting browser state changes
    • Two different responses can result in two different state change patterns
      • Strict requirement for performing practical XS-Leak attack
    • Attacker includes target endpoint as a resource
      • E.g. iframe (if no X-Frame-Options + needs rendering)
      • E.g. window.open (in case of XFO + needs rendering)
      • E.g. <img>.src (in case no rendering required)
    • Attacker observes properties/events/… associated with the included resource
      • E.g. frames.length
    • May need more advanced resource operations
      • E.g. first load resource X, then load resource Y
  • 36. XS-Leaks overview
    • Response size
      • Timing network connections
      • Browser-based timing attack (<video>, Cache API, AppCache)
      • Storage API (fixed, reintroduced for small disk devices, fixed again)
      • HEIST (TCP level)
    • Response status
      • Application Cache (error when resource redirects)
      • history.length (+1 in case resource redirected)
      • Resource Timing (difference between start and fetchStart property)
      • CSP (policy set by attacker, violation in case of redirect to other domain)
  • 37. XS-Leaks overview (2)
    • Cache status
      • AppCache (Cache-control: no-store resources cause error)
      • Timing (cached resources load much faster)
    • Resource content and operations
      • frames.length (for iframe or new opened window)
      • postMessage() to parent page (may contain sensitive content)
      • Event loop (spy on pattern of other processes)
      • Navigate to id (triggers blur event on attacker page)
    • More techniques likely to be discovered
      • Check out https://github.com/xsleaks/xsleaks/
  • 39. XS-Leaks defenses
    • Two main approaches
      1. Prevent differences in responses
      2. Prevent attacker from observing state-changes
    • Often a combination of both approaches
    • (1) is purely a server-side effort
    • (2) is often controlled by response headers that instruct the browser
    • Using SameSite cookies can be very effective
      • Defends against all attacks except for those based on window.open
  • 40. XS-Leaks defenses
    • Different attack techniques may require different defenses
      • iframe attacks: set X-Frame-Options or CSP's frame-ancestors
    • Some defenses are built-in by default
      • Cross-Origin Read Blocking (CORB) – prevents a potentially sensitive response (HTML, JSON, XML) from ending up in the same renderer as the including document; was originally implemented as a defense against Spectre
      • Soon: SameSite cookies
      • Soon: cache partitioning – entries in HTTP cache are bound to the top document location (prevents attacker from detecting if a certain resource was cached)
  • 41. XS-Leaks defenses
    • Browser may give information on the nature of the request
      • Sec-Fetch Metadata: detect illegitimate requests
      • Block such requests or return other content
      • Example request headers: Sec-Fetch-Dest: image; Sec-Fetch-Mode: no-cors; Sec-Fetch-Site: cross-site
    • Certain mechanisms require opt-in from the server
      • Cross-Origin Opener Policy (COOP) – drops reference to opened window, so attacks using window.open no longer work
      • Cross-Origin Resource Policy (CORP) – same-site | same-origin | cross-site; similar to CORB: block no-cors cross-origin/cross-site requests
  • 42. XS-Leaks defenses overview
    • What can I do (as a web developer)?
      • Use SameSite attribute on cookies
      • Prevent framing (X-Frame-Options/CSP frame-ancestors)
      • Send Cross-Origin-Opener-Policy: same-origin (should be adopted by several browsers soon)
    • What can I do (as a user)?
      • Avoid the evil bunnies?
      • Separate contexts (e.g. incognito; containers extension in Firefox)
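The two defense slides above (Sec-Fetch Metadata on slide 41, the developer checklist on slide 42) can be combined into one server-side handler. The following is an added example written for this page; it is not code from the deck or from its author. It assumes a Node-style request object (`method` plus a `headers` map), applies the commonly recommended Fetch Metadata resource isolation pattern (refuse cross-site requests unless they are plain top-level GET navigations), and emits the headers the slides list. `renderForUser` and the sample requests are hypothetical placeholders constructed for the demo.

```javascript
// Added example (not code from the slides): a request-side resource isolation
// policy built on the Fetch Metadata headers from slide 41, combined with the
// response-side defenses from slide 42. Framework-free so it runs offline.

// Node's http module exposes header names in lower case; normalise here so the
// policy also works on hand-built objects with canonical casing.
function lowerHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers || {})) {
    out[name.toLowerCase()] = String(value);
  }
  return out;
}

// Decide whether a request may reach the state-dependent code path.
// Everything cross-site is refused unless it is a plain top-level GET
// navigation (a user following a link). Assumption: this is the usual
// resource isolation pattern for Fetch Metadata, not the deck's own rule set.
// Returns { allow, reason }.
function resourceIsolationPolicy(req) {
  const h = lowerHeaders(req.headers);
  const site = h["sec-fetch-site"];
  const mode = h["sec-fetch-mode"];
  const dest = h["sec-fetch-dest"];

  // No Fetch Metadata: older browser. The policy cannot judge the request, so
  // it falls through to the other defenses (SameSite cookies, XFO, COOP).
  if (site === undefined) {
    return { allow: true, reason: "no Fetch Metadata" };
  }
  // Same-origin, same-site and user-initiated (address bar, bookmark) requests.
  if (site === "same-origin" || site === "same-site" || site === "none") {
    return { allow: true, reason: `Sec-Fetch-Site=${site}` };
  }
  // Cross-site from here on. <img>, <iframe> and no-cors fetch() loads such as
  // the slide's example (dest=image, mode=no-cors, site=cross-site) are refused,
  // so a cross-site probe never observes a state-dependent response.
  const plainNavigation =
    mode === "navigate" && req.method === "GET" &&
    dest !== "object" && dest !== "embed";
  if (plainNavigation) {
    return { allow: true, reason: "cross-site top-level GET navigation" };
  }
  return {
    allow: false,
    reason: `cross-site ${mode || "?"} request for ${dest || "?"} refused`,
  };
}

// Response headers from the "what can I do as a web developer" slide.
function defensiveHeaders() {
  return {
    // Prevent framing, which removes iframe-based probes such as frames.length.
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "frame-ancestors 'none'",
    // Drop the opener reference, so window.open-based probes lose their handle.
    "Cross-Origin-Opener-Policy": "same-origin",
    // Let the browser itself refuse no-cors cross-origin loads of this resource.
    "Cross-Origin-Resource-Policy": "same-origin",
    // The decision above depends on these request headers; caches must key on them.
    "Vary": "Sec-Fetch-Site, Sec-Fetch-Mode, Sec-Fetch-Dest",
  };
}

// Session cookie with SameSite. Lax is still sent on cross-site top-level GET
// navigations, which is exactly the one cross-site case the policy admits.
function sessionCookie(name, value) {
  return `${name}=${encodeURIComponent(value)}; Path=/; Secure; HttpOnly; SameSite=Lax`;
}

// Minimal handler tying both halves together. `renderForUser` stands in for the
// application's state-dependent page (hypothetical).
function handle(req, renderForUser) {
  const headers = defensiveHeaders();
  const decision = resourceIsolationPolicy(req);
  if (!decision.allow) {
    // Fixed status and body whatever the user's state: nothing to differentiate.
    return { status: 403, headers, body: "forbidden", reason: decision.reason };
  }
  return { status: 200, headers, body: renderForUser(req), reason: decision.reason };
}

// Constructed sample requests (not captured traffic).
const sampleRequests = {
  imgProbe: { method: "GET", headers: { "Sec-Fetch-Site": "cross-site", "Sec-Fetch-Mode": "no-cors", "Sec-Fetch-Dest": "image" } },
  crossSiteLink: { method: "GET", headers: { "Sec-Fetch-Site": "cross-site", "Sec-Fetch-Mode": "navigate", "Sec-Fetch-Dest": "document" } },
  sameOriginXhr: { method: "GET", headers: { "sec-fetch-site": "same-origin", "sec-fetch-mode": "cors", "sec-fetch-dest": "empty" } },
  legacyBrowser: { method: "GET", headers: {} },
};

for (const [label, req] of Object.entries(sampleRequests)) {
  const res = handle(req, () => "<html>state-dependent page</html>");
  console.log(`${label}: ${res.status} (${res.reason})`);
}
```

Note the ordering: the Fetch Metadata check runs before any user state is consulted, so a refused request costs the same regardless of whether the victim is logged in, and the 403 body is constant. That addresses approach (1) from slide 39 for cross-site probes, while the headers implement approach (2); the SameSite cookie covers browsers that send no Fetch Metadata at all.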
  • 44. Conclusion
    • Responses often depend on the state of the user
    • XS-Leaks can be used to extract side-channel information on response
      • Can be used to differentiate two responses
      • Leaks information on the state of the user (# search results, identity, …)
    • When browser loads a resource, it undergoes a series of state changes
      • Pattern of state changes leaks the information
    • Defenses: SameSite cookies, XFO, new mechanisms coming soon