TLDR: Cross-Site Leaks (XS-Leaks) describe a client-side bug that allows an attacker to collect side-channel information from a cross-origin HTTP resource.
XSinator.com: From a Formal Model to the Automatic Evaluation of Cross-Site Leaks in Web Browsers
In our paper, we contribute to the ongoing XS-Leak research by presenting the first formal model for XS-Leaks. Our comprehensive analysis of known XS-Leaks reveals that all of them fit into this new model. With the help of this formal approach, we (1) systematically searched for new XS-Leak attack classes, (2) implemented XSinator.com, a tool to automatically evaluate if a given web browser is vulnerable to XS-Leaks, and (3) systematically evaluated mitigations for XS-Leaks. We found 14 new attack classes, evaluated the resilience of 56 different browser/OS combinations against a total of 34 XS-Leaks, and propose a methodology to mitigate XS-Leaks.
When interacting with a website, a user has a well-defined state – this state typically records whether the user is logged in or not. Besides the login status, the user state may contain account permissions, such as admin privileges, premium membership, or restricted accounts. The number of different user states is potentially unlimited. For example, in a webmail application, a user may or may not have received an email with the subject "top secret".
Cross-Site Leaks on the User States. To distinguish between two user states, the attacker’s JavaScript code must be able to identify differences in its own execution environment that result from different responses to cross-origin HTTP requests. These different responses must correspond to different user states at the target web application. If such a distinction is possible, we call this vulnerability an XS-Leak. The attacker can then craft a malicious website, which triggers the XS-Leak once the victim opens it (see image below). In the following two real-world examples, we try to exemplify the scope of the problem.
The victim (1) visits the attacker-controlled website, which (2) uses an inclusion method to request a state-dependent resource from a target website. The attacker then uses (3) a leak technique to (4) determine the victim’s user state.
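The four-step flow in the figure, as an added example that is not code from the XSinator paper or from XSinator.com: a Node.js simulation in which the target application, the browser's cookie and `<img>` behaviour, and the attacker page are all modelled in-process. The webmail search endpoint, the session names and the mailbox contents are constructed for illustration. The inclusion method is an `<img>` element, the leak technique is the `load`/`error` event it fires, and the user states differ in whether a mail with the subject "top secret" exists. The same harness is then run with the session cookie marked `SameSite=Lax`, which withholds the cookie from the cross-site request and collapses both states to the same observable.

```javascript
// Added example (not from the XSinator paper or site). All names are assumptions.

// --- Target web application (constructed) -------------------------------------
// "Mailbox search" endpoint: for a logged-in user it returns a 1x1 PNG (HTTP 200)
// when some mail subject contains the query and a 404 HTML page otherwise.
// Requests without a valid session cookie are redirected to the login page.
const mailboxes = {
  // user state A: the victim has received the mail "top secret"
  'sess-A': ['lunch on friday', 'top secret'],
  // user state B: the victim has not
  'sess-B': ['lunch on friday'],
};

function targetSearchEndpoint(query, cookies) {
  const subjects = mailboxes[cookies.session];
  if (!subjects) {
    return { status: 302, contentType: 'text/html', location: '/login' };
  }
  const hit = subjects.some((s) => s.includes(query));
  return hit
    ? { status: 200, contentType: 'image/png' }
    : { status: 404, contentType: 'text/html' };
}

// --- Browser model -------------------------------------------------------------
// Cookie jar entries carry their SameSite attribute. A cross-site subresource load
// (an <img> on attacker.example pointing at target.example) only carries cookies
// with SameSite=None; Lax and Strict cookies are withheld.
function cookiesForRequest(jar, crossSite) {
  const out = {};
  for (const c of jar) {
    if (!crossSite || c.sameSite === 'None') out[c.name] = c.value;
  }
  return out;
}

// Inclusion method: <img src="https://target.example/search?q=..."> on the attacker
// page. The browser follows the redirect transparently and fires `load` only if the
// final response is a successful image; anything else fires `error`. That event is
// the leak technique: it is observable to the attacker's JavaScript.
function imgInclusion(response) {
  let final = response;
  if (final.status === 302) {
    // the login page is HTML, so it cannot be decoded as an image
    final = { status: 200, contentType: 'text/html' };
  }
  return final.status === 200 && final.contentType.startsWith('image/')
    ? 'load'
    : 'error';
}

// --- Attacker page -------------------------------------------------------------
// Runs in the victim's browser on attacker.example: embeds the state-dependent
// resource via <img> and records which event fires.
function attackerProbe(jar, query) {
  const cookies = cookiesForRequest(jar, /* crossSite */ true);
  const response = targetSearchEndpoint(query, cookies);
  return imgInclusion(response);
}

// An XS-Leak exists for this (inclusion method, leak technique) pair iff the two
// user states yield different observables: exactly the distinguishing condition
// described in the text. `sameSite` is the attribute of the target's session cookie.
function isXsLeak(sameSite, query) {
  const jarA = [{ name: 'session', value: 'sess-A', sameSite }];
  const jarB = [{ name: 'session', value: 'sess-B', sameSite }];
  const obsA = attackerProbe(jarA, query);
  const obsB = attackerProbe(jarB, query);
  return { leaks: obsA !== obsB, obsA, obsB };
}

// Vulnerable configuration: SameSite=None, the cookie travels with the cross-site
// <img> request and the attacker learns whether "top secret" exists.
// Mitigated configuration: SameSite=Lax, both states collapse to the
// unauthenticated redirect and the observables are identical.
console.log('SameSite=None:', isXsLeak('None', 'top secret'));
console.log('SameSite=Lax :', isXsLeak('Lax', 'top secret'));
```

The mitigation shown is only one of several ways to make the two responses indistinguishable to a cross-site requester; the model makes clear why any of them works: the leak disappears as soon as `obsA` and `obsB` coincide for every pair of states the attacker cares about.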