
Commit

Merge branch 'xsleaks:master' into spellcheck
NDevTK authored Apr 23, 2024
2 parents c658cab + d0d12dd commit 8da238d
Showing 13 changed files with 20 additions and 17 deletions.
4 changes: 2 additions & 2 deletions content/docs/attacks/cache-probing.md
Expand Up @@ -60,15 +60,15 @@ It's also possible to remove resources from cache without server errors. For exa

## CORS error on Origin Reflection misconfiguration

Origin reflection is a behavior in which a globally accessible resource is provided with a [Access-Control-Allow-Orign (ACAO)](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin) header whose value reflects the origin that initialized the request. This can be considered as CORS misconfiguration [^5] and can be used to detect whether the resource exists in the browser cache.
Origin reflection is a behavior in which a globally accessible resource is provided with a [Access-Control-Allow-Origin (ACAO)](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin) header whose value reflects the origin that initialized the request. This can be considered as CORS misconfiguration [^5] and can be used to detect whether the resource exists in the browser cache.

{{< hint info >}}
For example, Flask framework [promotes](https://flask-cors.readthedocs.io/en/latest/api.htm) origin reflection as the default behavior.
{{< /hint >}}

If a resource hosted on `server.com` is requested from `target.com` then the origin could be reflected in the response headers as: `Access-Control-Allow-Origin: target.com`. If the resource is cached, this information is stored together with the resource in the browser cache. With that, if `attacker.com` tries to fetch the same resource there are two possible scenarios:
- The resource is not in cache: the resource could be fetched and stored together with the `Access-Control-Allow-Origin: attacker.com` header.
- The resource was already in cache: fetch attempt will try to fetch the resource from the cache but it will also generate a CORS error due to the ACAO header value mismatch with the requesting origin (`target.com` origin was expected but `attacker.com` was provided). Here below is provided an example code snippet epxloting this vulnerability to infer the cache status of the victim's browser. [Run demo](https://xsinator.com/testing.html#Cache%20Leak%20(CORS))
- The resource was already in cache: fetch attempt will try to fetch the resource from the cache but it will also generate a CORS error due to the ACAO header value mismatch with the requesting origin (`target.com` origin was expected but `attacker.com` was provided). Here below is provided an example code snippet exploiting this vulnerability to infer the cache status of the victim's browser. [Run demo](https://xsinator.com/testing.html#Cache%20Leak%20(CORS))
```javascript
// The function simply takes a url and fetches it in CORS mode.
// If the fetch raises an error, it will be a CORS error due to the
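Review bot: two wording issues remain in this hunk's unchanged text after the spelling fix: the paragraph still says "provided with a [Access-Control-Allow-Origin (ACAO)]" where "an" is required, and the hint attributes origin reflection to the "Flask framework" while its link points at the Flask-CORS extension documentation, so "the Flask-CORS extension" would be accurate. That link also ends in `api.htm`, which looks truncated (`api.html`); please verify it resolves. Consider writing the ACAO example as a full origin (`Access-Control-Allow-Origin: https://target.com`) rather than a bare host, since the header value is a serialized origin including the scheme.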
4 changes: 2 additions & 2 deletions content/docs/attacks/css-injection.md
Expand Up @@ -26,8 +26,8 @@ Larger text dimensions can result in the scroll bar being shown,
This scroll bar can have a custom style such as `background: url()` so that it makes a request to an attacker-controlled server when shown. [^3]

## Defense
- Put attacker controled content in its own document this can be done using a iframe with the srcdoc attribute.
Optionaly include the sandbox attbute to isolate the content into its own origin.
- Put attacker controlled content in its own document this can be done using a iframe with the srcdoc attribute.
Optionally include the sandbox attribute to isolate the content into its own origin.
- Use a CSS inliner so global styles get converted.

| [SameSite Cookies (Lax)]({{< ref "/docs/defenses/opt-in/same-site-cookies.md" >}}) | [COOP]({{< ref "/docs/defenses/opt-in/coop.md" >}}) | [Framing Protections]({{< ref "/docs/defenses/opt-in/xfo.md" >}}) | [Isolation Policies]({{< ref "/docs/defenses/isolation-policies" >}}) |
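Review bot: the first defense bullet is still a run-on after the spelling fix: "attacker controlled" should be hyphenated, "a iframe" should be "an iframe", and the sentence needs a break before "this can be done". Its continuation line "Optionally include the sandbox attribute ..." is not indented under the bullet, so Markdown renders it as a separate paragraph rather than part of the list item. Suggested single bullet: `- Put attacker-controlled content in its own document. This can be done using an iframe with the srcdoc attribute; optionally include the sandbox attribute to isolate the content into its own origin.`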
6 changes: 3 additions & 3 deletions content/docs/attacks/css-tricks.md
Expand Up @@ -20,7 +20,7 @@ CSS can be used to trick a user into exposing information such as embedded pixel

## Retrieving user's history
Using the CSS [`:visited`](https://developer.mozilla.org/en-US/docs/Web/CSS/:visited) selector, it’s possible to apply a different style for URLs that have been visited.
Previously it was possible to use [`getComputedStyle()`](https://developer.mozilla.org/en-US/docs/Web/API/Window/getComputedStyle) to detect this difference, but now browsers prevent this by always returing values as if the link was visted and limiting what styles can be applyed using the selector. [^changes-1]
Previously it was possible to use [`getComputedStyle()`](https://developer.mozilla.org/en-US/docs/Web/API/Window/getComputedStyle) to detect this difference, but now browsers prevent this by always returning values as if the link was visited and limiting what styles can be applied using the selector. [^changes-1]
So, it may be needed to trick the user into clicking an area that the CSS has affected.
This can be done using [`mix-blend-mode`](https://developer.mozilla.org/en-US/docs/Web/CSS/mix-blend-mode). [^blend-mode]
There are also ways to do it without user interaction such as by abusing render timings.
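Review bot: "it may be needed to trick the user into clicking" on the unchanged line following the fix reads awkwardly; "it may be necessary to trick the user into clicking" is the idiomatic form. The replacements in this hunk (returning, visited, applied) are correct.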
Expand All @@ -32,8 +32,8 @@ Multiple bugs were reported about this issue: [^bug-1](https://bugs.chromium.org
## Evil Captcha
Using CSS, it’s possible to take an embed out of context.
An example of this is pretending it’s a captcha as seen in [^leak-2]
This works by setting the width and hight of an embed so that only the target characters are shown,
this may use multiple embeds to change the order of the characters being displayed so that its harder for a user to know what infomation they're providing.
This works by setting the width and height of an embed so that only the target characters are shown,
this may use multiple embeds to change the order of the characters being displayed so that its harder for a user to know what information they're providing.

## Abusing autocomplete
If a website uses text inputs and does not opt-out of [autocomplete](https://developer.mozilla.org/en-US/docs/Web/HTML/Attributes/autocomplete) using ```autocomplete="off"``` it may be possible to leak data such as email addresses by tricking the user into pressing the keys to navigate the autocomplete UI for a javascript focused text input.
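Review bot: "its harder for a user" on the updated line should be "it's harder", which the spell check missed; "as seen in [^leak-2]" lacks a terminating period, and the pair "This works by ... are shown," / "this may use multiple embeds ..." is a run-on that should be split at the comma. In the unchanged autocomplete paragraph, "javascript focused text input" should be "JavaScript-focused text input", and the triple-backtick span around `autocomplete="off"` should be a single-backtick inline code span.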
2 changes: 1 addition & 1 deletion content/docs/attacks/error-events.md
Expand Up @@ -48,7 +48,7 @@ probeError('https://google.com/');

## Defense

The mitigation of this XS-Leak often varies depending on how applications handle certain resources. The general approach is to adopt consistent behaviors whereever possible. In specific scenarios, applications might use [Subresource Protections]({{< ref "/docs/defenses/design-protections/subresource-protections.md" >}}) to prevent attackers from predicting a URL and going forward with an attack.
The mitigation of this XS-Leak often varies depending on how applications handle certain resources. The general approach is to adopt consistent behaviors wherever possible. In specific scenarios, applications might use [Subresource Protections]({{< ref "/docs/defenses/design-protections/subresource-protections.md" >}}) to prevent attackers from predicting a URL and going forward with an attack.

Finally, without applying bigger changes in the logic of applications, generic web platform security features can be deployed to mitigate this XS-Leak at a larger scale.

4 changes: 2 additions & 2 deletions content/docs/attacks/navigations.md
Expand Up @@ -120,9 +120,9 @@ setTimeout(() => {
## Server-Side Redirects

### Max redirects
When a page initiates a chain of 3XX redirects, browsers limit the maximum number of redirects to 20 [^spec-redirects]. This can be used to detect the exact number of redirects occured for a cross-origin page by following the below approach [^redirect-leak]:
When a page initiates a chain of 3XX redirects, browsers limit the maximum number of redirects to 20 [^spec-redirects]. This can be used to detect the exact number of redirects occurred for a cross-origin page by following the below approach [^redirect-leak]:
1. As a malicious website, initiate 19 redirects and make the final 20th redirect to the attacked page.
2. If the browser threw a network error, at least one redirect occured. Repeat the process with 18 redirects.
2. If the browser threw a network error, at least one redirect occurred. Repeat the process with 18 redirects.
3. If the browser didn't threw a network error, the number of redirects is known as `20 - issued_redirects`.

*To detect an error one can use [Error Events]({{< ref "/docs/attacks/error-events.md" >}})*
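Review bot: "If the browser didn't threw a network error" in step 3 is an unchanged typo this spell-check pass missed ("didn't throw"). The intro sentence also reads better as "the exact number of redirects that occur for a cross-origin page". Finally, step 1 counts the final hop to the attacked page as the 20th redirect, so step 3 should say whether `issued_redirects` includes that final hop; otherwise the `20 - issued_redirects` formula is off by one for the reader (with 19 plus the final hop, a clean load means the target performed 0 redirects only if `issued_redirects` is 20).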
2 changes: 1 addition & 1 deletion content/docs/attacks/timing-attacks/connection-pool.md
Expand Up @@ -106,7 +106,7 @@ async function isConnected2(url, max = 50) {
await isConnected2('https://example.com/404');
```

## Skipping dependences
## Skipping dependencies
If a connection is exhausted or there’s to many sockets open then requests for code from a host may fail resulting in different behaviour.
The following examples are by design a DoS attack for both the client and server.
Open a lot of sockets: (ERR_CONNECTION_CLOSED, ERR_INSUFFICIENT_RESOURCES)
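Review bot: "there's to many sockets open" on the unchanged line under the renamed heading should be "too many sockets"; the spell check fixed the heading but not the body. The same sentence also wants a comma before "resulting in different behaviour".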
2 changes: 1 addition & 1 deletion content/docs/attacks/timing-attacks/performance-api.md
Expand Up @@ -68,7 +68,7 @@ await isFrameBlocked('https://example.org');
# Detecting cached resources

With the `performance` API it is possible to detect whether a resource was cached or not.
Unless [Cross-Origin Read Blocking]({{< ref "../../defenses/secure-defaults/corb.md" >}}) is triggered (resource is html) the resource will get cached in the processs of the check. [Run demo](https://xsinator.com/testing.html#Duration%20Redirect%20Leak)
Unless [Cross-Origin Read Blocking]({{< ref "../../defenses/secure-defaults/corb.md" >}}) is triggered (resource is html) the resource will get cached in the process of the check. [Run demo](https://xsinator.com/testing.html#Duration%20Redirect%20Leak)
```javascript
async function ifCached2(url) {
let href = new URL(url).href;
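Review bot: the [Run demo] link on the corrected line points at the xsinator "Duration Redirect Leak" test case, which does not obviously match this section's topic (detecting cached resources through the `performance` API); verify it targets the intended test. Minor: "resource is html" should be "resource is HTML", and this heading uses a single `#` while the other files touched in this commit use `##` for section headings, so check the heading level is intentional.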
3 changes: 3 additions & 0 deletions content/docs/contributions/_index.md
Expand Up @@ -99,3 +99,6 @@ In addition, we would also like to acknowledge the users who [contributed](https
[Masato Kinugawa](https://github.com/masatokinugawa), [sroettger](https://github.com/sroettger)

And finally, our thanks go to all other amazing researchers that participate in sharing and exploring the depths of XS-Leaks!

## Unofficial Discord server for XS-Leaks enthusiasts
If you’re interested in discussing new, old, or existing XS-Leaks, or simply staying up to date with the community, consider joining the unofficial [Discord server](https://discord.com/invite/w3SV2zP6mz) maintained by our contributors.
Expand Up @@ -22,7 +22,7 @@ When deployed together with [Resource Isolation Policy]({{< ref "resource-isolat

## Implementation with Fetch Metadata

The below snippet showcases an example implemention of the Framing Isolation Policy by an application:
The below snippet showcases an example implementation of the Framing Isolation Policy by an application:

```py
# Reject cross-site requests to protect from CSRF, XSSI, XS-Leaks, and other bugs
Expand Up @@ -16,7 +16,7 @@ Instead of rejecting all cross-site interactions, the user could be prompted to

## Implementation with Fetch Metadata

The below snippet showcases an example implemention of the Navigation Isolation Policy with the use of [Fetch Metadata]({{< ref "../opt-in/fetch-metadata.md">}}) headers [^secmetadata]:
The below snippet showcases an example implementation of the Navigation Isolation Policy with the use of [Fetch Metadata]({{< ref "../opt-in/fetch-metadata.md">}}) headers [^secmetadata]:

```py
# Reject cross-site requests to protect from clickjacking, XS-Leaks, and other bugs
Expand Up @@ -12,7 +12,7 @@ Resource Isolation Policy prevents external websites from requesting your resour

## Implementation with Fetch Metadata

The below snippet showcases an example implemention of the Resource Isolation Policy with the use of [Fetch Metadata]({{< ref "../opt-in/fetch-metadata.md">}}) headers:
The below snippet showcases an example implementation of the Resource Isolation Policy with the use of [Fetch Metadata]({{< ref "../opt-in/fetch-metadata.md">}}) headers:

```py
# Reject cross-origin requests to protect from , XSSI, XS-Leaks, and other bugs
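Review bot: the unchanged code comment `# Reject cross-origin requests to protect from , XSSI, XS-Leaks, and other bugs` has a dangling comma where a word is missing (the corresponding comment in framing-isolation.md reads "to protect from CSRF, XSSI, XS-Leaks, and other bugs"); fill in the missing term. Also check whether "cross-origin" is intended here: the other two policy snippets in this commit say "cross-site", and Fetch Metadata's `Sec-Fetch-Site` header distinguishes same-site from cross-site requests, so a snippet keyed on it rejects cross-site rather than all cross-origin requests.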
2 changes: 1 addition & 1 deletion content/docs/defenses/opt-in/same-site-cookies.md
Expand Up @@ -33,7 +33,7 @@ The following SameSite cookie modes are available:
SameSite cookies are neither bulletproof [^2] nor can they fix everything. To complement this defense strategy against XS-Leaks, applications should consider implementing other, additional protections. For example, [COOP]({{< ref "coop.md" >}}) can prevent an attacker from controlling pages using a `window` reference after the first navigation even if SameSite cookies in `Lax` mode are used.

{{< hint important >}}
Some browers may not use the default of Lax, So explicitly set the SameSite attrbute to ensure its enforced.
Some browsers may not use the default of Lax, So explicitly set the SameSite attribute to ensure its enforced.
By default, cookies in Chrome without `SameSite` attribute will default to `Lax` mode. However, there is an exception for that behavior for cookies set less than 2 minutes ago that are sent via POST requests. [^3]

[^3]: Cookies default to SameSite=Lax, [link](https://www.chromestatus.com/feature/5088147346030592)
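Review bot: the corrected hint line still has two grammar slips a spell check cannot catch: "Lax, So explicitly" should use lowercase "so", and "ensure its enforced" should be "it's enforced". The sentence that follows restates the Lax default the hint just gave; consider tightening to `Some browsers may not use the default of Lax, so explicitly set the SameSite attribute to ensure it is enforced.` and letting the Chrome-specific sentence carry the detail about the 2-minute POST exception.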
2 changes: 1 addition & 1 deletion themes/book/layouts/partials/docs/footer.html
Expand Up @@ -15,7 +15,7 @@

{{ if and .File .Site.Params.BookRepo .Site.Params.BookEditPath }}
<div>
<a class="flex align-center" href="{{ .Site.Params.BookRepo }}/{{ .Site.Params.BookEditPath }}/{{ .Site.Params.contentDir }}/{{ replace .File.Path "\\" "/" }}" target="_blank" rel="noopener">
<a class="flex align-center" href="{{ .Site.Params.BookRepo }}/{{ .Site.Params.BookEditPath }}{{ .Site.Params.contentDir }}/{{ replace .File.Path "\\" "/" }}" target="_blank" rel="noopener">
<img src="{{ "svg/edit.svg" | relURL }}" class="book-icon" alt="Edit" />
<span>{{ i18n "Edit this article" }}</span>
</a>
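Review bot: dropping the `/` between `{{ .Site.Params.BookEditPath }}` and `{{ .Site.Params.contentDir }}` makes the edit link depend on `BookEditPath` ending with a slash (or `contentDir` beginning with one); confirm the site config sets the values that way, otherwise the two path segments run together and every "Edit this article" link breaks. Since this merge pulls master into the spellcheck branch, note that this hunk is a template fix rather than a spelling change.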

0 comments on commit 8da238d
