ISN2003 Assignment4 Group5

Cyber Security and Computer Forensics

ISN2003: Network Security and Penetration Testing


ASSIGNMENT 2: (20%)
XS-Leak Browser Test Suite

Submitted to:
Mr. Altay Zeynalov

Date: July 22, 2024

Submitted by:

Ashir Waheed (C0927164)


Aldrin Macias (C0922609)
Oliver Fajardo (C0916928)
Viviana Yenny Garcia Parra (C0922721)
Oscar A. Caselles Alvarez (C0929747)
Analysis Report

Executive Summary
This report addresses security vulnerabilities known as Cross-Site Leaks (XS-Leaks),
which are present in many internet browsers. The importance and impact of these
vulnerabilities lie in their potential to disclose sensitive personal information, representing
a significant information security concern. By evaluating the most common web browsers,
we aim to determine which ones may be considered safer for deployment in our corporate
environment.

Introduction
Thanks to security researchers, multiple Cross-Site Leaks vulnerabilities have been
identified in many popular web browsers. Furthermore, the availability of free, open
testing tools like xsinator.com allows us to conduct our own benchmarking to determine
which browser might be safer to use. This provides an advantage in improving our security
posture against malicious websites.
For this report, we will conduct tests on the following browsers to evaluate their rankings
according to xsinator.com.
Browsers to be evaluated:
• Microsoft Edge
• Brave
• Mozilla Firefox

Test Execution on Browsers


• Scope: Execute the automated live script available on the xsinator.com website.
Upon completion, compile the results for a comprehensive view and analyze the
gathered data to draw conclusions.

• Expected Outcome: Establish which browser offers the highest level of security
against XS-Leak vulnerabilities.
1. Microsoft Edge

Version: 126.0.2592.113 (Official build)


Architecture: 64-bit

Image 1. Microsoft Edge Browser

2. Brave

Version: 1.67.134 Chromium: 126.0.6478.186 (Official Build)


Architecture: 64-bit

Image 2. Brave Browser


3. Firefox

Version: 128.0
Architecture: 64-bit

Image 3. Mozilla Firefox Browser

Browser Analysis according to Xsinator.com Tool


Based on the performance of each browser, data was organized into a spreadsheet with
the aim of determining the safest browser to implement within a network.
Here is an example of how the information was tabulated:
| # | XS-Leak | Description | Browser | Results |
|---|---------|-------------|---------|---------|
| 1 | Event Handler Leak (Object) | Detect errors with onload/onerror with object. | Microsoft Edge | X |
| 2 | Event Handler Leak (Stylesheet) | Detect errors with onload/onerror with stylesheet. | Microsoft Edge | X |
| 3 | Event Handler Leak (Script) | Detect errors with onload/onerror with script. | Microsoft Edge | X |
| 6 | Request Merging Error Leak | Detect errors with request merging. | Microsoft Edge | X |
| 11 | URL Max Length Leak | Detect server redirect by abusing URL max length. | Microsoft Edge | X |
| 12 | Max Redirect Leak | Detect server redirect by abusing max redirect limit. | Microsoft Edge | X |
| 13 | History Length Leak | Detect javascript redirects with History API. | Microsoft Edge | X |
| 15 | CSP Redirect Detection | Detect cross-origin redirects with CSP violation event. | Microsoft Edge | X |
| 19 | Frame Count Leak | Detect the number of iframes on a page. | Microsoft Edge | X |
| 20 | Media Dimensions Leak | Leak dimensions of images or videos. | Microsoft Edge | X |
| 21 | Media Duration Leak | Leak duration of audio or videos. | Microsoft Edge | X |
| 26 | Id Attribute Leak | Leak id attribute of focusable HTML elements with onblur. | Microsoft Edge | X |
| 27 | CSS Property Leak | Leak CSS rules with getComputedStyle. | Microsoft Edge | X |
| 29 | ContentDocument X-Frame Leak | Detect X-Frame-Options with ContentDocument. | Microsoft Edge | X |
| 32 | CORP Leak | Detect Cross-Origin-Resource-Policy header with fetch. | Microsoft Edge | X |
| 33 | CORB Leak | Detect X-Content-Type-Options in combination with specific content type using CORB. | Microsoft Edge | X |
| 34 | Download Detection | Detect downloads (Content-Disposition header). | Microsoft Edge | X |
| 35 | Performance API Download Detection | Detect downloads (Content-Disposition header) with Performance API. | Microsoft Edge | X |
| 1 | Event Handler Leak (Object) | Detect errors with onload/onerror with object. | Brave | X |
| 2 | Event Handler Leak (Stylesheet) | Detect errors with onload/onerror with stylesheet. | Brave | X |
| 3 | Event Handler Leak (Script) | Detect errors with onload/onerror with script. | Brave | X |
| 6 | Request Merging Error Leak | Detect errors with request merging. | Brave | X |
| 11 | URL Max Length Leak | Detect server redirect by abusing URL max length. | Brave | X |
| 12 | Max Redirect Leak | Detect server redirect by abusing max redirect limit. | Brave | X |
| 13 | History Length Leak | Detect javascript redirects with History API. | Brave | X |
| 15 | CSP Redirect Detection | Detect cross-origin redirects with CSP violation event. | Brave | X |

Image 4. Example of Xsinator.com result tabulation


On a per-browser basis, the results are quite similar across all browsers, with a
noticeable deviation in the case of the Firefox browser, as displayed in the graph below:

Image 5. XS-Leaks results per browsers

While reviewing the test results, we found that each browser got a timeout on
a given test, which suggests poor handling of an XS-Leak vulnerability by that
browser. Taking this into account, we concluded that the browser with the
fewest vulnerabilities and timeouts is the most robust against XS-Leak
vulnerabilities, as shown in the graph below.

Image 6. Final result of browser test

Our conclusion would be to recommend the use of Mozilla Firefox as it provided the best
handling of the XS-Leak test.
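
The tabulation and ranking described above can be reproduced with a short script. This is an added example, not part of the original report: the rows are constructed, the browser labels are placeholders, and the "T" (timeout) and "OK" (not vulnerable) markers are assumptions; only "X" appears in the report's table.

```python
from collections import defaultdict

# Constructed sample rows, not the report's measurements. Browser labels are
# placeholders. "X" marks a vulnerable result as in the report's table; "T"
# (timeout) and "OK" (not vulnerable) are assumed markers.
SAMPLE_ROWS = """\
1|Event Handler Leak (Object)|Browser A|X
13|History Length Leak|Browser A|X
19|Frame Count Leak|Browser A|T
1|Event Handler Leak (Object)|Browser B|X
13|History Length Leak|Browser B|OK
19|Frame Count Leak|Browser B|OK
1|Event Handler Leak (Object)|Browser C|X
13|History Length Leak|Browser C|T
"""

def parse_rows(text):
    """Parse 'id|leak|browser|outcome' lines; reject malformed rows."""
    rows = []
    for n, line in enumerate(text.splitlines(), 1):
        parts = [p.strip() for p in line.split("|")]
        if len(parts) != 4 or parts[3] not in {"X", "T", "OK"}:
            raise ValueError(f"line {n}: malformed row {line!r}")
        rows.append((int(parts[0]), parts[1], parts[2], parts[3]))
    return rows

def rank_browsers(rows):
    """Rank browsers by vulnerable + timeout results, lowest score first."""
    tally = defaultdict(lambda: {"X": 0, "T": 0, "OK": 0})
    seen = defaultdict(set)
    for test_id, _leak, browser, outcome in rows:
        if test_id in seen[browser]:
            raise ValueError(f"duplicate result: test {test_id}, {browser}")
        seen[browser].add(test_id)
        tally[browser][outcome] += 1
    all_tests = set().union(*seen.values())
    report = []
    for browser, c in tally.items():
        report.append({
            "browser": browser, "vulnerable": c["X"], "timeouts": c["T"],
            "score": c["X"] + c["T"],
            # A test with no recorded outcome flatters the score; surface it.
            "missing": sorted(all_tests - seen[browser]),
        })
    return sorted(report, key=lambda r: (r["score"], r["browser"]))

if __name__ == "__main__":
    for entry in rank_browsers(parse_rows(SAMPLE_ROWS)):
        print(entry)
```

In the constructed data, Browser C ranks second partly because test 19 has no recorded outcome for it, which is why the `missing` field is reported next to the score.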
Technical Details of XS-Leak Vulnerabilities
XS-Leak Vulnerability
ContentDocument X-Frame Leak
COOP Leak
CORB Leak
CORP Leak
CSP Directive Leak
CSP Redirect Detection
CSS Property Leak
Download Detection
Event Handler Leak (Object)
Event Handler Leak (Script)
Event Handler Leak (Stylesheet)
Frame Count Leak
History Length Leak
Id Attribute Leak
Max Redirect Leak
Media Dimensions Leak
Media Duration Leak
Performance API Download Detection
Request Merging Error Leak
URL Max Length Leak
WebSocket Leak (FF)

Image 7. Vulnerabilities on all three browsers

1. ContentDocument X-Frame Leak


• Explanation: This leak occurs when a webpage embedded in an iframe
reveals information about its content.

• Example: A malicious site could embed another site in an iframe and detect if
certain sensitive information is displayed based on changes in the iframe’s size
or properties.

2. COOP Leak (Cross-Origin Opener Policy)


• Explanation: COOP is a security feature that isolates browsing contexts. A
leak happens when this isolation fails.

• Example: A malicious actor could open a sensitive page in a new tab and
attempt to interact with it despite the isolation, potentially gaining access to
restricted data.

3. CORB Leak (Cross-Origin Read Blocking)


• Explanation: CORB is designed to block cross-origin reads of sensitive data.
A leak occurs if this protection is bypassed.

• Example: An attacker could try to read confidential information from another
site by tricking the browser into loading a resource and then extracting data
from it.

4. CORP Leak (Cross-Origin Resource Policy)
• Explanation: CORP restricts how resources are shared across different
origins. A leak indicates a failure in enforcing these restrictions.

• Example: An attacker could bypass CORP to steal data by embedding a
resource (like an image or script) from another site and accessing its content.

5. CSP Directive Leak (Content Security Policy)


• Explanation: CSP helps prevent XSS attacks by controlling resources the
browser can load. A leak occurs if CSP is not enforced correctly.

• Example: A hacker might exploit a weak CSP to inject malicious scripts into a
webpage, stealing user data or taking control of their account.

6. CSP Redirect Detection


• Explanation: This vulnerability involves detecting redirections caused by CSP
rules.

• Example: An attacker could use redirection patterns to infer sensitive
information about the URLs a user visits or resources they request.

7. CSS Property Leak


• Explanation: CSS can be manipulated to reveal information about elements
on a page.

• Example: A malicious site could use CSS to determine if certain words or
phrases are present on another site by loading it in an iframe and checking for
specific style changes.

8. Download Detection
• Explanation: Detecting when a user initiates a download can reveal
information about their actions or interests.

• Example: An attacker could monitor if a user starts downloading a specific
document from a private website and use this information for targeted phishing.

9. Event Handler Leak (Object)


• Explanation: Leaks occur when event handlers on objects (like DOM
elements) reveal information.
• Example: A malicious site could detect user interactions (e.g., clicks) on
sensitive areas of another site, such as buttons or links, embedded in an iframe.

10. Event Handler Leak (Script)


• Explanation: Like object leaks, but specific to script events.

• Example: A hacker could use a script to monitor keyboard inputs on an iframe
containing a login form, capturing the user’s credentials.

11. Event Handler Leak (Stylesheet)


• Explanation: Event handlers on stylesheets can leak information about the
applied styles.

• Example: An attacker could determine if certain CSS rules are applied to an
element, inferring if specific text or images are present.

12. Frame Count Leak


• Explanation: Leaking the number of iframes on a page can reveal the page’s
structure.
• Example: A malicious site could count iframes to detect if a user is viewing a
banking site with embedded ads, targeting them with phishing attacks.

13. History Length Leak


• Explanation: This leak reveals the length of a user’s browsing history.

• Example: An attacker could infer how many sites a user has visited and use
this to tailor social engineering attacks.

14. Id Attribute Leak


• Explanation: Leaking the id attribute of elements can reveal specific details
about the page’s content.

• Example: A hacker could access elements by id to determine if a user is
viewing certain products or pages, using this for targeted ads.

15. Max Redirect Leak


• Explanation: This leak occurs when the maximum number of redirections is
used to infer information.

• Example: An attacker could use redirection chains to detect if a user is
redirected to a specific internal page, indicating interest or activity.

16. Media Dimensions Leak
• Explanation: Leaking the dimensions of media elements can reveal what type
of content is being viewed.

• Example: A malicious site could infer that a user is watching a specific video
based on its dimensions.

17. Media Duration Leak


• Explanation: Leaking the duration of media can indicate the content being
consumed.

• Example: An attacker could determine what video or audio a user is listening
to by measuring its length.

18. Performance API Download Detection


• Explanation: Using the Performance API to detect when a user initiates a
download.

• Example: An attacker could monitor network performance to see when a
download starts, potentially revealing sensitive documents being accessed.

19. Request Merging Error Leak


• Explanation: Combining requests can inadvertently expose data.

• Example: A hacker could merge multiple requests to infer information from
timing differences or errors.

20. URL Max Length Leak


• Explanation: Long URLs can reveal sensitive data included in query
parameters.

• Example: An attacker could extract information from a long URL, such as
session tokens or search queries.

21. WebSocket Leak (FF)


• Explanation: Leaks through WebSocket connections can expose real-time
data.

• Example: A malicious actor could exploit a WebSocket leak to intercept data
being sent in real-time between the user and a server, such as chat messages.

Conclusions and Recommendations
Based on the performance of the individual browsers, Mozilla Firefox was found to have the
fewest vulnerabilities and timeouts, meaning that its performance is more stable at handling
XS-Leak attacks.
On a side note, and perhaps as a complementary observation, we find that the open-source
nature of the Mozilla Firefox browser provides an additional layer of security, as it allows
independent and broader supervision of its security features in general.
Understanding that security is a layered approach, our recommendations would be to
keep the browser updated, periodically run similar tests, and additionally enforce a strict
setting within the browser security policies.
References

XSinator - XS-Leak Browser Test Suite. (2024). Xsinator.com. https://xsinator.com/

Knittel, L., Mainka, C., Niemietz, M., Dominik Trevor Noß, & Schwenk, J. (2021). XSinator.com: From a Formal Model to the Automatic Evaluation of Cross-Site Leaks in Web Browsers. Computer and Communications Security. https://doi.org/10.1145/3460120.3484739

XS Leaks - OWASP Cheat Sheet Series. (2024). Owasp.org. https://cheatsheetseries.owasp.org/cheatsheets/XS_Leaks_Cheat_Sheet.html

Opt-In Mechanisms. (2020). XS-Leaks Wiki. https://xsleaks.dev/docs/defenses/opt-in/

How to set browser security options - Search Videos. (2024). Bing.com. https://www.bing.com/videos/search?q=how+to+set+browser+security+options&view=detail&mid=BDBB4FF86E6C935FD2FCBDBB4FF86E6C935FD2FC&FORM=VIRE&PC=LCTS

Proof Page
