TLDR: Cross-Site Leaks (XS-Leaks) describe a client-side bug that allows an attacker to collect side-channel information from a cross-origin HTTP resource.
In our paper, we contribute to the ongoing XS-Leak research by presenting the first formal model for XS-Leaks. Our comprehensive analysis of known XS-Leaks reveals that all of them fit into this new model. With the help of this formal approach, we (1) systematically searched for new XS-Leak attack classes, (2) implemented XSinator.com, a tool to automatically evaluate if a given web browser is vulnerable to XS-Leaks, and (3) systematically evaluated mitigations for XS-Leaks. We found 14 new attack classes, evaluated the resilience of 56 different browser/OS combinations against a total of 34 XS-Leaks, and propose a methodology to mitigate XS-Leaks.
When interacting with a website, a user has a well-defined state. This state typically includes whether the user is logged in or not. Besides the login status, the user state may contain account permissions, such as admin privileges, premium membership, or restricted accounts. The number of different user states is potentially unlimited. For example, in a webmail application, a user may or may not have received an email with the subject
The victim (1) visits the attacker-controlled website, which (2) uses an inclusion method to request a state-dependent resource from a target website. The attacker then uses (3) a leak technique to (4) determine the victim’s user state.
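A defender can use the same notion of a state-dependent resource to audit their own endpoints: record each response once per user state and flag any endpoint whose responses differ. The sketch below is an added example, not code from the paper or from XSinator; the paths, sample responses, function names and the list of compared attributes are assumptions chosen for illustration.

```javascript
// SAMPLES is constructed data (hypothetical paths and values), standing in for
// responses recorded from your own application, once per test-account state.
const SAMPLES = {
  "/inbox": {
    loggedOut: { status: 302, headers: { Location: "/login" }, bodyLength: 0 },
    loggedIn: { status: 200, bodyLength: 18234,
      headers: { "Content-Type": "text/html", "X-Frame-Options": "DENY" } },
  },
  "/about": {
    loggedOut: { status: 200, headers: { "Content-Type": "text/html" }, bodyLength: 5120 },
    loggedIn: { status: 200, headers: { "content-type": "text/html" }, bodyLength: 5120 },
  },
};

// Headers compared between states (an assumed list, chosen for illustration).
const COMPARED_HEADERS = ["location", "content-type", "x-frame-options", "content-disposition"];

// Header names are case-insensitive, so normalise them before comparing.
const lowerKeys = (h) =>
  Object.fromEntries(Object.entries(h).map(([k, v]) => [k.toLowerCase(), v]));

// List the attributes in which two recorded responses differ.
function stateDifferences(a, b) {
  const diffs = [];
  const ha = lowerKeys(a.headers), hb = lowerKeys(b.headers);
  if (a.status !== b.status) diffs.push(`status: ${a.status} vs ${b.status}`);
  for (const name of COMPARED_HEADERS) {
    const va = ha[name] ?? null, vb = hb[name] ?? null;
    if (va !== vb) diffs.push(`${name}: ${va} vs ${vb}`);
  }
  if (a.bodyLength !== b.bodyLength) diffs.push(`bodyLength: ${a.bodyLength} vs ${b.bodyLength}`);
  return diffs;
}

// Compare every pair of states per endpoint; any difference marks it state-dependent.
function auditEndpoints(recorded) {
  const report = {};
  for (const [path, states] of Object.entries(recorded)) {
    const names = Object.keys(states), diffs = [];
    for (let i = 0; i < names.length; i++)
      for (let j = i + 1; j < names.length; j++)
        for (const d of stateDifferences(states[names[i]], states[names[j]]))
          diffs.push(`${names[i]} vs ${names[j]}: ${d}`);
    report[path] = { stateDependent: diffs.length > 0, diffs };
  }
  return report;
}

console.log(JSON.stringify(auditEndpoints(SAMPLES), null, 2));
```

Because every pair of states is compared, the audit extends to more than two states, such as admin or premium accounts, by adding further recorded responses per path.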