XS Leaks - OWASP Cheat Sheet Series Cross-site leaks Cheat Sheet Introduction ‘This article describes examples of attacks and defenses against cross-site leaks vulnerability (XS Leaks). Since this vulnerability is based on the core mechanism of modern web browsers, it's also called a browser side-channel attack. XS-Leaks attacks seek to exploit the fact of seemingly insignificant information that is exchanged in cross-site communications between sites. This information infers answers to the previously asked questions about the victim's user account. Please take a look at the examples provided below: + Is the user currently logged in? Is the user ID 13372 + Is the user an administrator? + Does the user have a person with a particular email address in their contact list? On the basis of such questions, the attacker might try to deduce the answers, depending on the application's context. In most cases, the answers will be in binary form (yes or no). The impact of this vulnerability depends strongly on the application's risk profile. Despite this, XS Leaks may pose a real threat to user privacy and anonymity. Attack vector ‘The victim meen Wists the ‘tothe site Inthe context ofthe victim's browser and fctve sessions in the application, the Ores Sttocker ter to infer a spect state the vicim to vista ste foaged in of net. whether they have @ thet ts contoled by the Porton named ter fend et cttacker Intps:itcheatshectseries.owasp.orgicheatsheetsXS_Leaks Cheat Sheet html ane9723122, 9:02AM XS Leaks - OWASP Cheat Sheet Series + The entire attack takes place on the victim's browser side - just like an XSS attack + In some cases, the victim must remain on the attacker's site longer for the attack to succeed. Same Origin Policy (SOP) Before describing attacks, i's good to understand one of the most critical security mechanisms in browsers - The Same-origin Policy. A few key aspects: + Two URLs are considered as same-origin if their protocol, port, and host are the same + Any origin can send a request to another source, but due to the Same-origin Policy, they will not be able to read the response directly + Same Origin Policy may be relaxed by Cross Origin Resource Sharing (CORS). Origin A Origin B Same origin? https: //exanple.com hetp://sub.example.com No-different hosts hetps://exanple.com hetps://exemple.com:443 Yes! Implicit port in Origin A ‘Although the SOP principle protects us from accessing information in cross-origin communication, XS-Leaks attacks based on residual datacan infer some information. SameSite Cookies ‘The SameStte attribute of a cookie tells the browser whether it shouldindude the cookie in the request from the other site. The SameSite attribute takes the following values: ‘* None -the cookie will be attached to a request from ancther site, but it must be sent over a ‘secure HTTPS channel + Lax -the cookie will be appended tothe request from ancther pageiif the request method is GET and the request is made to top-level navigetion (ie. the navigation changes the addressin the browser top bat) ‘© Strict -the cookie will never be sent from ancther site Itis worth mentioning here the attitude of Chromium based browsers in which cookies without ‘SameSite attribute set by default are treated as Lax. Intps:itcheatshectseries.owasp.orgicheatsheetsXS_Leaks Cheat Sheet html ane9723122, 9:02AM XS Leaks - OWASP Cheat Sheet Series Cookies with the appropriate SameSite attribute provide a strong defense against both XS Leaks and also CSRF attacks. How do we know that two sites are SameSite? eTLD https://example.com:443 eTLD+1 Inthe context of the SameSite attribute, we consider the site to be the combination of the TLD (top- level domain) and the domain name before it. For example: Fall URL Site (eTLD#1) https: //example .com:443/d example.com Why are we talking about eTLD#1 and nct just TLD+17 Its because of domains tke .9ithub-io or eu.org . Such parts are nat atomic enough to be compared well. For this reason, alist of effective’ TLDs (eTLDs) was created and can be found here. Sites that have the sameeTLD+1 are considered SameSte, examples: Origin A Origin B SameSite? https: //exanple.com http: //example.con Yes, schemes dorit matter https://evil net https: //exanple.con No differenteTLD+1 hetps://sub.example.co tts: //data.example.co Yes, subdomains dontt a ® matter For mote information about SamSite, see the excellent article Understanding "same-site’. Intps:itcheatshectseries.owasp.orgicheatsheetsXS_Leaks Cheat Sheet html az9723122, 9:02AM XS Leaks - OWASP Cheat Sheet Series Attacks using the element ID attribute Elements in the DOM can have an ID attribute that is unique within the dooument. For example button id="pro">Pro account The browser will automatically focus on an element with a given ID if we append a hash to the URL, 9, https://exanple..con#pro. What'smote JavaScript focus event gets fired The attacker may try to embed the application in the iframe with specific source on its own controlled page: ©©@ hpsottackercom