Deprecated: The each() function is deprecated. This message will be suppressed on further calls in /home/zhenxiangba/zhenxiangba.com/public_html/phproxy-improved-master/index.php on line 456
Side-Channels on the Web: Attacks and Defenses | PDF
[go: Go Back, main page]
Tom Van Goethem, profile picture
Uploaded byTom Van Goethem
PDF, PPTX2,422 views

Side-Channels on the Web: Attacks and Defenses

The document discusses web security threats known as 'xs-leaks', where attackers exploit side-channel information from websites to infer user states and differentiate responses based on logged statuses or access rights. It analyzes various attack models, including cross-origin attacks and the use of response sizes and timing to gather sensitive information. Suggested defenses include server-side adjustments and response header configurations to prevent attacker observation of state changes.

Embed presentation

Download as PDF, PPTX
Side-Channels on the Web: Attacks and Defenses Tom Van Goethem @tomvangoethem
https://cute-kittens.com
https://cute-kittens.com https://super-doggos.org
https://cute-kittens.com https://super-doggos.org https://evil-bunnies.net
https://cute-kittens.com https://super-doggos.org https://evil-bunnies.net BUNNIES ATTACK! ATTACK!!ATTACK!!
What can the bunnies (attackers) do?
7 Attacker model • Cross-origin attack (evil-bunnies.net vs. cute-kittens.com) • Subject to Same-Origin-Policy • Can't extract information directly • Attacker infers information based on state of victim at target site • Logged in or not? • Search query has results? • Launch cross-site requests; can't access response directly • Attack needs to exploit side-channel leaks
https://evil-bunnies.net https://cute-kittens.com (1) visit malicious site
https://evil-bunnies.net https://cute-kittens.com (1) visit malicious site (2) return malicious JS
https://evil-bunnies.net https://cute-kittens.com (1) visit malicious site (2) return malicious JS (3) probe affected resources
https://evil-bunnies.net https://cute-kittens.com (1) visit malicious site (2) return malicious JS (3) probe affected resources (4) return user-specific response
https://evil-bunnies.net https://cute-kittens.com (1) visit malicious site (2) return malicious JS (3) probe affected resources (4) return user-specific response (5) use side-channel to infer information about response
13 Response size may leak information about user state ~183kB
14 Response size may leak information about user state ~19kB ~183kB
15 Nethanel Gelernter and Amir Herzberg. "Cross-site search attacks." Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security (CCS). ACM, 2015.
16 Nethanel Gelernter and Amir Herzberg. "Cross-site search attacks." Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security (CCS). ACM, 2015.
17
18 XS-Leaks • Server generates response based on user's state • Attacker tries to differentiate between two responses • Examples • Logged in (=> large response) vs. not logged in (=> small response) • User has access to resource (=> 200) vs. no access (=> 404) • Was used to uniquely identify users by giving them access to attacker-controlled resources [1] • Search query has results (=> response with iframe) vs. no results (=> no iframe) [1] Cristian-Alexandru Staicu and Michael Pradel. " Leaky Images: Targeted Privacy Attacks in the Web". Proceedings of the 28th USENIX Security Symposium, 2019.
time https://cute-kittens.com state_0 state_n
time https://cute-kittens.com state_0 state_nstate_1 state_1: browser initiated connection to target site 1 fewer connection available in pool (e.g. 255 in Chrome) => infer whether endpoint includes resource to certain site
time https://cute-kittens.com state_0 state_nstate_1 state_2 state_1: browser initiated connection to target site state_2: headers of response are received 1 fewer connection available in pool (e.g. 255 in Chrome) => infer whether endpoint includes resource to certain site Promise returned by fetch() resolved => measure time to generate response + delay/jitter (Tstate_2 - Tstate_1)
time https://cute-kittens.com state_0 state_nstate_1 state_2 state_3 state_1: browser initiated connection to target site state_2: headers of response are received state_3: complete response body received 1 fewer connection available in pool (e.g. 255 in Chrome) => infer whether endpoint includes resource to certain site Promise returned by fetch() resolved => measure time to generate response + delay/jitter (Tstate_2 - Tstate_1) Time returned by Resource Timing API (performance.getEntries()) => measure time to download response (Tstate_3 - Tstate_2)
time https://cute-kittens.com state_0 state_nstate_1 state_2 state_3 state_1: browser initiated connection to target site state_2: headers of response are received state_3: complete response body received state_4 state_4: browser cached response 1 fewer connection available in pool (e.g. 255 in Chrome) => infer whether endpoint includes resource to certain site Promise returned by fetch() resolved => measure time to generate response + delay/jitter (Tstate_2 - Tstate_1) Time returned by Resource Timing API (performance.getEntries()) => measure time to download response (Tstate_3 - Tstate_2) Resource added to HTTP cache; can be requested w/o connection => infer which resources were cached
24 HEIST HTTP Encrypted Information can be Stolen through TCP Windows
25 HEIST • Determine exact response size (compressed) • 1 TCP window = 10 TCP packets = 14480 bytes of data • 2nd TCP window can only start after ACK (→ additional round-trip needed) • Response fits in 1 TCP window → 1 RTT, otherwise 2+ RTTs • Use side-channel to detect when first byte is received fetch() promise resolves • Use side-channel to detect when full response is received Resource Timing API • Timing difference < 5ms? Then 1 TCP window, otherwise 2 TCP windows 12
Response (14480 bytes)
1st TCP window
1st TCP window fetch() resolves PerformanceEntry Timing difference
Response (14481 bytes)
1st TCP window ACK … 2nd TCP window
1st TCP window ACK … 2nd TCP window fetch() resolves Timing difference (much bigger) PerformanceEntry
32 • Important prerequisite: reflection of request in response Needed to align on TCP window size • Needs some “window-tuning” for larger responses • Exact size is known after compression Allows for BREACH-like attack Extract secret information such as CSRF token • More information: see whitepaper https://tom.vg/papers/heist_blackhat2016.pdf HEIST
time https://messenger.com/t/<fb_id> state_0 state_n state_1 state_2 state_3 state_1: browser parsed response HTML win.frames.length == 3 state_2: JavaScript replaces iframe ONLY IF user has had contact with <facebook_id> win.frames.length == 2 state_3: iframe has been replaced win.frames.length == 3 const win = window.opener; win.location = `https://messenger.com/t/${facebookID}`; Credits: Ron Masas - http://ronmasas.com/posts/facebook-messenger-vulnerability/
34 Browser state changes • As soon as a resource is requested, the browser will transition between different “states” • These state changes can be permanent or temporary • Permanent: frame is added to included web page • Temporary: load event is fired • Time and order when state changes occur can be important
35 Detecting browser state changes • Two different responses can result in two different state change patterns • Strict requirement for performing practical XS-Leak attack • Attacker includes target endpoint as a resource • E.g. iframe (if no X-Frame-Options + needs rendering) • E.g. window.open (in case of XFO + needs rendering) • E.g. <img>.src (in case no rendering required) • Attacker observes properties/events/… associated with the included resource • E.g. frames.length • May need more advanced resource operations • E.g. first load resource X, then load resource Y
38 XS-Leaks overview • Response size • Timing network connections • Browser-based timing attack (<video>, Cache API, AppCache) • Storage API (fixed , reintroduced for small disk devices, fixed again) • HEIST (TCP level) • Response status • Application Cache (error when resource redirects) • history.length (+1 in case resource redirected) • Resource Timing (difference between start and fetchStart property) • CSP (policy set by attacker, violation in case of redirect to other domain)
39 XS-Leaks overview (2) • Cache status • AppCache (Cache-control: no-store resources cause error) • Timing (cached resources load much faster) • Resource content and operations • frames.length (for iframe or new opened window) • postMessage() to parent page (may contain sensitive content) • Event loop (spy on pattern of other processes) • Navigate to id (triggers blur event on attacker page) • More techniques likely to be discovered • Check out https://github.com/xsleaks/xsleaks/
40 Defenses
41 XS-Leaks defenses • Two main approaches 1. Prevent differences in responses 2. Prevent attacker from observing state-changes • Often a combination of both approaches • (1) is purely a server-side effort • (2) is often controlled by response headers that instruct browser • Using SameSite cookies can be very effective • Defends against all attacks except for those based on window.open
42 XS-Leaks defenses • Different attack techniques may require different defenses • iframe attacks: set X-Frame-Options or CSP's frame-ancestors • Some defenses are built-in by default • Cross-Origin Read Blocking (CORB) – prevents potentially sensitive response (HTML, JSON, XML) to be in the same renderer as the including document Was originally implemented as a defense against Spectre • Soon: SameSite cookies • Soon: cache partitioning – entries in HTTP cache are bound to top document location (prevents attacker from detecting if a certain resource was cached)
43 XS-Leaks defenses • Browser may give information on the nature of the request • Sec-Fetch Metadata: detect illegimate requests • Block such requests or return other content • Certain mechanisms require opt-in from the server • Cross-Origin Opener Policy (COOP) – drops reference to opened window, so attacks using window.open no longer work • Cross-Origin Resource Policy (CORP) – same-site | same-origin | cross- site; similar to CORB: block no-cors cross-origin/cross-site requests Sec-Fetch-Dest: image Sec-Fetch-Mode: no-cors Sec-Fetch-Site: cross-site
44 XS-Leaks defenses overviews • What can I do (as a web developer)? • Use SameSite attribute on cookies • Prevent framing (X-Frame-Options/CSP frame-ancestors) • Send Cross-Origin-Opener-Policy: same-origin (should be adopted by several browsers soon) • What can I do (as a user)? • Avoid the evil bunnies? • Separate contexts (e.g. incognito; containers extension in Firefox)
45 Conclusion
46 Conclusion • Responses often depend on the state of the user • XS-Leaks can be used to extract side-channel information on response • Can be used to differentiate two responses • Leaks information on the state of the user (# search results, identity, …) • When browser loads a resource, it undergoes a series of state changes • Pattern of state changes leaks the information • Defenses: SameSite cookies, XFO, new mechanisms coming soon
Questions? @tomvangoethem

More Related Content

PDF
Http requesting smuggling
byApijay Kumar
 
PPTX
Network And Application Layer Attacks
byArun Modi
 
PPTX
Shmoocon Epilogue 2013 - Ruining security models with SSH
byAndrew Morris
 
PDF
2018 ecuador deconstruyendo y evolucionando la seguridad en servicios rest
byCésar Hernández
 
PDF
2016 JavaOne Deconstructing REST Security
byDavid Blevins
 
PDF
ZN27112015
byDenis Kolegov
 
PDF
2017 Devoxx MA Deconstructing and Evolving REST Security
byDavid Blevins
 
PDF
2017 dev nexus_deconstructing_rest_security
byDavid Blevins
 
Http requesting smuggling
byApijay Kumar
 
Network And Application Layer Attacks
byArun Modi
 
Shmoocon Epilogue 2013 - Ruining security models with SSH
byAndrew Morris
 
2018 ecuador deconstruyendo y evolucionando la seguridad en servicios rest
byCésar Hernández
 
2016 JavaOne Deconstructing REST Security
byDavid Blevins
 
ZN27112015
byDenis Kolegov
 
2017 Devoxx MA Deconstructing and Evolving REST Security
byDavid Blevins
 
2017 dev nexus_deconstructing_rest_security
byDavid Blevins
 

What's hot

PPTX
Web Cache Poisoning
byKuldeepPandya5
 
PPTX
Http response splitting
bySharath Unni
 
PDF
Carlos García - Pentesting Active Directory [rooted2018]
byRootedCON
 
PDF
Derbycon - The Unintended Risks of Trusting Active Directory
byWill Schroeder
 
PPT
Cache poisoning
byAlexandraLacatus
 
PDF
Carlos García - Pentesting Active Directory Forests [rooted2019]
byRootedCON
 
PDF
DEF CON 27 - WENXIANG QIAN and YUXIANG LI HUIYU - breaking google home exploi...
byFelipe Prado
 
PPTX
BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...
byBlueHat Security Conference
 
PPTX
External to DA, the OS X Way
byStephan Borosh
 
PDF
Modern Reconnaissance Phase on APT - protection layer
byShakacon
 
PDF
Using Algorithms to Brute Force Algorithms...A Journey Through Time and Names...
byOpenDNS
 
KEY
Apache httpd 2.4 Reverse Proxy
byJim Jagielski
 
PPTX
Death of WAF - GoSec '15
byBrian A. McHenry
 
PDF
DNS over HTTPS
byDaniel Stenberg
 
PPTX
Flaying the Blockchain Ledger for Fun, Profit, and Hip Hop
byAndrew Morris
 
PDF
Covert Timing Channels using HTTP Cache Headers
byDenis Kolegov
 
PDF
Null HYD VRTDOS
byRaghunath G
 
PDF
2017 JavaOne Deconstructing and Evolving REST Security
byDavid Blevins
 
PDF
Death of Web App Firewall
byBrian A. McHenry
 
PDF
End-to-End Analysis of a Domain Generating Algorithm Malware Family
byCrowdStrike
 
Web Cache Poisoning
byKuldeepPandya5
 
Http response splitting
bySharath Unni
 
Carlos García - Pentesting Active Directory [rooted2018]
byRootedCON
 
Derbycon - The Unintended Risks of Trusting Active Directory
byWill Schroeder
 
Cache poisoning
byAlexandraLacatus
 
Carlos García - Pentesting Active Directory Forests [rooted2019]
byRootedCON
 
DEF CON 27 - WENXIANG QIAN and YUXIANG LI HUIYU - breaking google home exploi...
byFelipe Prado
 
BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...
byBlueHat Security Conference
 
External to DA, the OS X Way
byStephan Borosh
 
Modern Reconnaissance Phase on APT - protection layer
byShakacon
 
Using Algorithms to Brute Force Algorithms...A Journey Through Time and Names...
byOpenDNS
 
Apache httpd 2.4 Reverse Proxy
byJim Jagielski
 
Death of WAF - GoSec '15
byBrian A. McHenry
 
DNS over HTTPS
byDaniel Stenberg
 
Flaying the Blockchain Ledger for Fun, Profit, and Hip Hop
byAndrew Morris
 
Covert Timing Channels using HTTP Cache Headers
byDenis Kolegov
 
Null HYD VRTDOS
byRaghunath G
 
2017 JavaOne Deconstructing and Evolving REST Security
byDavid Blevins
 
Death of Web App Firewall
byBrian A. McHenry
 
End-to-End Analysis of a Domain Generating Algorithm Malware Family
byCrowdStrike
 

Similar to Side-Channels on the Web: Attacks and Defenses

PDF
Help, my browser is leaking! Exploring XSLeaks attacks and defenses - Tom Van...
byNoNameCon
 
PPT
HTML5 hacking
byBlueinfy Solutions
 
PPT
Browser Security
byRoberto Suggi Liverani
 
PDF
HEIST: HTTP encrypted information can be stolen through TCP windows
byPriyanka Aash
 
PPT
Dmk bo2 k7_web
byDan Kaminsky
 
PDF
Html5: something wicked this way comes - HackPra
byKrzysztof Kotowicz
 
PPTX
Web Security Attacks
bySajid Hasan
 
PDF
Advanced web application hacking and exploitation
byRafel Ivgi
 
PPTX
[OPD 2019] Side-Channels on the Web:
Attacks and Defenses
byOWASP
 
PPTX
Html5 security
byKrishna T
 
PDF
Building Client-Side Attacks with HTML5 Features
byConviso Application Security
 
PDF
Securing your web application through HTTP headers
byAndre N. Klingsheim
 
PDF
Something wicked this way comes - CONFidence
byKrzysztof Kotowicz
 
PDF
Krzysztof kotowicz. something wicked this way comes
byYury Chemerkin
 
PDF
Black hat usa_2015-bypass_surgery-6_aug2015
bya4202655
 
PPTX
[2.1] Web application Security Trends - Omar Ganiev
byOWASP Russia
 
PPTX
Owasp web application security trends
bybeched
 
PDF
CNIT 129S: 13: Attacking Users: Other Techniques (Part 1 of 2)
bySam Bowne
 
PDF
Html5: something wicked this way comes
byKrzysztof Kotowicz
 
PDF
CNIT 129S: 13: Attacking Users: Other Techniques (Part 2 of 2)
bySam Bowne
 
Help, my browser is leaking! Exploring XSLeaks attacks and defenses - Tom Van...
byNoNameCon
 
HTML5 hacking
byBlueinfy Solutions
 
Browser Security
byRoberto Suggi Liverani
 
HEIST: HTTP encrypted information can be stolen through TCP windows
byPriyanka Aash
 
Dmk bo2 k7_web
byDan Kaminsky
 
Html5: something wicked this way comes - HackPra
byKrzysztof Kotowicz
 
Web Security Attacks
bySajid Hasan
 
Advanced web application hacking and exploitation
byRafel Ivgi
 
[OPD 2019] Side-Channels on the Web:
Attacks and Defenses
byOWASP
 
Html5 security
byKrishna T
 
Building Client-Side Attacks with HTML5 Features
byConviso Application Security
 
Securing your web application through HTTP headers
byAndre N. Klingsheim
 
Something wicked this way comes - CONFidence
byKrzysztof Kotowicz
 
Krzysztof kotowicz. something wicked this way comes
byYury Chemerkin
 
Black hat usa_2015-bypass_surgery-6_aug2015
bya4202655
 
[2.1] Web application Security Trends - Omar Ganiev
byOWASP Russia
 
Owasp web application security trends
bybeched
 
CNIT 129S: 13: Attacking Users: Other Techniques (Part 1 of 2)
bySam Bowne
 
Html5: something wicked this way comes
byKrzysztof Kotowicz
 
CNIT 129S: 13: Attacking Users: Other Techniques (Part 2 of 2)
bySam Bowne
 

Recently uploaded

PDF
Beacon Kit slides tech framework for world game (s) pdf
bySteven McGee
 
PPTX
Overview-of-Anti-DDoS-Solutions-On-Premise-vs-On-Cloud.pptx
bybunhongkruy
 
PPTX
tacacstrianingforwirelessnetworkengineers
byRaviTejaTammineni
 
PPTX
Lesson 5 - Cyber attack Pt 3 - Matsuhashi.pptx
byOmar Fernandez
 
PPTX
Lesson 3 - Methodology of Green Computing - part2 - dela cruz.pptx
byOmar Fernandez
 
PPTX
Number_Guessing_Game_Dsbsbssbzboc[1].pptx
byfbinsta3426
 
PPTX
A complete presentation on green computing
byreetapandey0007
 
PPTX
DEMO_ARTS for PowerPoint presentation of beed
bykeyebalagso23
 
PPTX
Why-Enterprises-Should-Build-Their-Own-Core-Network-and-Own-Their-ASN-and-Pub...
bybunhongkruy
 
PDF
Key Duties and Roles of an Ecommerce Developer Singapore
byHachi Web Solution
 
DOCX
BestMaker.ai: The Complete Brand Story, Founder's Vision, and AI Creative Pla...
byssuser7381d6
 
PDF
Novi.LMS.Veseli.Cetvrtak.001 (1).pdfjjjj
byzoran radovic
 
PPTX
Dalhousie University Diploma
by文凭办理维多利亚大学购买毕业证学位认证知乎【Q微:1954292140】
 
PDF
LMS.Golconda.Vanredni.Broj.001.pdfjjjjjjj
byzoran radovic
 
PDF
Greetings All Students Update 3 by LDMMIA
by©LDMMIA, ©Reiki Yoga
 
Beacon Kit slides tech framework for world game (s) pdf
bySteven McGee
 
Overview-of-Anti-DDoS-Solutions-On-Premise-vs-On-Cloud.pptx
bybunhongkruy
 
tacacstrianingforwirelessnetworkengineers
byRaviTejaTammineni
 
Lesson 5 - Cyber attack Pt 3 - Matsuhashi.pptx
byOmar Fernandez
 
Lesson 3 - Methodology of Green Computing - part2 - dela cruz.pptx
byOmar Fernandez
 
Number_Guessing_Game_Dsbsbssbzboc[1].pptx
byfbinsta3426
 
A complete presentation on green computing
byreetapandey0007
 
DEMO_ARTS for PowerPoint presentation of beed
bykeyebalagso23
 
Why-Enterprises-Should-Build-Their-Own-Core-Network-and-Own-Their-ASN-and-Pub...
bybunhongkruy
 
Key Duties and Roles of an Ecommerce Developer Singapore
byHachi Web Solution
 
BestMaker.ai: The Complete Brand Story, Founder's Vision, and AI Creative Pla...
byssuser7381d6
 
Novi.LMS.Veseli.Cetvrtak.001 (1).pdfjjjj
byzoran radovic
 
Dalhousie University Diploma
by文凭办理维多利亚大学购买毕业证学位认证知乎【Q微:1954292140】
 
LMS.Golconda.Vanredni.Broj.001.pdfjjjjjjj
byzoran radovic
 
Greetings All Students Update 3 by LDMMIA
by©LDMMIA, ©Reiki Yoga
 

Side-Channels on the Web: Attacks and Defenses

  • 1.
    Side-Channels on theWeb: Attacks and Defenses Tom Van Goethem @tomvangoethem
  • 2.
  • 3.
  • 4.
  • 5.
  • 6.
    What can thebunnies (attackers) do?
  • 7.
    7 Attacker model • Cross-originattack (evil-bunnies.net vs. cute-kittens.com) • Subject to Same-Origin-Policy • Can't extract information directly • Attacker infers information based on state of victim at target site • Logged in or not? • Search query has results? • Launch cross-site requests; can't access response directly • Attack needs to exploit side-channel leaks
  • 8.
  • 9.
  • 10.
    https://evil-bunnies.net https://cute-kittens.com (1) visit malicioussite (2) return malicious JS (3) probe affected resources
  • 11.
    https://evil-bunnies.net https://cute-kittens.com (1) visit malicioussite (2) return malicious JS (3) probe affected resources (4) return user-specific response
  • 12.
    https://evil-bunnies.net https://cute-kittens.com (1) visit malicioussite (2) return malicious JS (3) probe affected resources (4) return user-specific response (5) use side-channel to infer information about response
  • 13.
    13 Response size mayleak information about user state ~183kB
  • 14.
    14 Response size mayleak information about user state ~19kB ~183kB
  • 15.
    15 Nethanel Gelernter andAmir Herzberg. "Cross-site search attacks." Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security (CCS). ACM, 2015.
  • 16.
    16 Nethanel Gelernter andAmir Herzberg. "Cross-site search attacks." Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security (CCS). ACM, 2015.
  • 17.
  • 18.
    18 XS-Leaks • Server generatesresponse based on user's state • Attacker tries to differentiate between two responses • Examples • Logged in (=> large response) vs. not logged in (=> small response) • User has access to resource (=> 200) vs. no access (=> 404) • Was used to uniquely identify users by giving them access to attacker-controlled resources [1] • Search query has results (=> response with iframe) vs. no results (=> no iframe) [1] Cristian-Alexandru Staicu and Michael Pradel. " Leaky Images: Targeted Privacy Attacks in the Web". Proceedings of the 28th USENIX Security Symposium, 2019.
  • 19.
  • 20.
    time https://cute-kittens.com state_0 state_nstate_1 state_1: browserinitiated connection to target site 1 fewer connection available in pool (e.g. 255 in Chrome) => infer whether endpoint includes resource to certain site
  • 21.
    time https://cute-kittens.com state_0 state_nstate_1 state_2 state_1:browser initiated connection to target site state_2: headers of response are received 1 fewer connection available in pool (e.g. 255 in Chrome) => infer whether endpoint includes resource to certain site Promise returned by fetch() resolved => measure time to generate response + delay/jitter (Tstate_2 - Tstate_1)
  • 22.
    time https://cute-kittens.com state_0 state_nstate_1 state_2state_3 state_1: browser initiated connection to target site state_2: headers of response are received state_3: complete response body received 1 fewer connection available in pool (e.g. 255 in Chrome) => infer whether endpoint includes resource to certain site Promise returned by fetch() resolved => measure time to generate response + delay/jitter (Tstate_2 - Tstate_1) Time returned by Resource Timing API (performance.getEntries()) => measure time to download response (Tstate_3 - Tstate_2)
  • 23.
    time https://cute-kittens.com state_0 state_nstate_1 state_2state_3 state_1: browser initiated connection to target site state_2: headers of response are received state_3: complete response body received state_4 state_4: browser cached response 1 fewer connection available in pool (e.g. 255 in Chrome) => infer whether endpoint includes resource to certain site Promise returned by fetch() resolved => measure time to generate response + delay/jitter (Tstate_2 - Tstate_1) Time returned by Resource Timing API (performance.getEntries()) => measure time to download response (Tstate_3 - Tstate_2) Resource added to HTTP cache; can be requested w/o connection => infer which resources were cached
  • 24.
  • 25.
    25 HEIST • Determine exactresponse size (compressed) • 1 TCP window = 10 TCP packets = 14480 bytes of data • 2nd TCP window can only start after ACK (→ additional round-trip needed) • Response fits in 1 TCP window → 1 RTT, otherwise 2+ RTTs • Use side-channel to detect when first byte is received fetch() promise resolves • Use side-channel to detect when full response is received Resource Timing API • Timing difference < 5ms? Then 1 TCP window, otherwise 2 TCP windows 12
  • 26.
  • 27.
  • 28.
    1st TCP window fetch()resolves PerformanceEntry Timing difference
  • 29.
  • 30.
  • 31.
    1st TCP window ACK … 2ndTCP window fetch() resolves Timing difference (much bigger) PerformanceEntry
  • 32.
    32 • Important prerequisite:reflection of request in response Needed to align on TCP window size • Needs some “window-tuning” for larger responses • Exact size is known after compression Allows for BREACH-like attack Extract secret information such as CSRF token • More information: see whitepaper https://tom.vg/papers/heist_blackhat2016.pdf HEIST
  • 33.
    time https://messenger.com/t/<fb_id> state_0 state_n state_1 state_2state_3 state_1: browser parsed response HTML win.frames.length == 3 state_2: JavaScript replaces iframe ONLY IF user has had contact with <facebook_id> win.frames.length == 2 state_3: iframe has been replaced win.frames.length == 3 const win = window.opener; win.location = `https://messenger.com/t/${facebookID}`; Credits: Ron Masas - http://ronmasas.com/posts/facebook-messenger-vulnerability/
  • 34.
    34 Browser state changes •As soon as a resource is requested, the browser will transition between different “states” • These state changes can be permanent or temporary • Permanent: frame is added to included web page • Temporary: load event is fired • Time and order when state changes occur can be important
  • 35.
    35 Detecting browser statechanges • Two different responses can result in two different state change patterns • Strict requirement for performing practical XS-Leak attack • Attacker includes target endpoint as a resource • E.g. iframe (if no X-Frame-Options + needs rendering) • E.g. window.open (in case of XFO + needs rendering) • E.g. <img>.src (in case no rendering required) • Attacker observes properties/events/… associated with the included resource • E.g. frames.length • May need more advanced resource operations • E.g. first load resource X, then load resource Y
  • 36.
    38 XS-Leaks overview • Responsesize • Timing network connections • Browser-based timing attack (<video>, Cache API, AppCache) • Storage API (fixed , reintroduced for small disk devices, fixed again) • HEIST (TCP level) • Response status • Application Cache (error when resource redirects) • history.length (+1 in case resource redirected) • Resource Timing (difference between start and fetchStart property) • CSP (policy set by attacker, violation in case of redirect to other domain)
  • 37.
    39 XS-Leaks overview (2) •Cache status • AppCache (Cache-control: no-store resources cause error) • Timing (cached resources load much faster) • Resource content and operations • frames.length (for iframe or new opened window) • postMessage() to parent page (may contain sensitive content) • Event loop (spy on pattern of other processes) • Navigate to id (triggers blur event on attacker page) • More techniques likely to be discovered • Check out https://github.com/xsleaks/xsleaks/
  • 38.
  • 39.
    41 XS-Leaks defenses • Twomain approaches 1. Prevent differences in responses 2. Prevent attacker from observing state-changes • Often a combination of both approaches • (1) is purely a server-side effort • (2) is often controlled by response headers that instruct browser • Using SameSite cookies can be very effective • Defends against all attacks except for those based on window.open
  • 40.
    42 XS-Leaks defenses • Differentattack techniques may require different defenses • iframe attacks: set X-Frame-Options or CSP's frame-ancestors • Some defenses are built-in by default • Cross-Origin Read Blocking (CORB) – prevents potentially sensitive response (HTML, JSON, XML) to be in the same renderer as the including document Was originally implemented as a defense against Spectre • Soon: SameSite cookies • Soon: cache partitioning – entries in HTTP cache are bound to top document location (prevents attacker from detecting if a certain resource was cached)
  • 41.
    43 XS-Leaks defenses • Browsermay give information on the nature of the request • Sec-Fetch Metadata: detect illegimate requests • Block such requests or return other content • Certain mechanisms require opt-in from the server • Cross-Origin Opener Policy (COOP) – drops reference to opened window, so attacks using window.open no longer work • Cross-Origin Resource Policy (CORP) – same-site | same-origin | cross- site; similar to CORB: block no-cors cross-origin/cross-site requests Sec-Fetch-Dest: image Sec-Fetch-Mode: no-cors Sec-Fetch-Site: cross-site
  • 42.
    44 XS-Leaks defenses overviews •What can I do (as a web developer)? • Use SameSite attribute on cookies • Prevent framing (X-Frame-Options/CSP frame-ancestors) • Send Cross-Origin-Opener-Policy: same-origin (should be adopted by several browsers soon) • What can I do (as a user)? • Avoid the evil bunnies? • Separate contexts (e.g. incognito; containers extension in Firefox)
  • 43.
  • 44.
    46 Conclusion • Responses oftendepend on the state of the user • XS-Leaks can be used to extract side-channel information on response • Can be used to differentiate two responses • Leaks information on the state of the user (# search results, identity, …) • When browser loads a resource, it undergoes a series of state changes • Pattern of state changes leaks the information • Defenses: SameSite cookies, XFO, new mechanisms coming soon
  • 45.