DOI: 10.1145/3576915.3616598
Research article, open access

Finding All Cross-Site Needles in the DOM Stack: A Comprehensive Methodology for the Automatic XS-Leak Detection in Web Browsers

Published: 21 November 2023

Abstract

Cross-Site Leaks (XS-Leaks) are a class of vulnerabilities that allow a web attacker to infer user state from a target web application cross-origin. Fixing XS-Leaks is a cat-and-mouse game: once a published vulnerability is fixed, a variant is discovered. To end this game, we propose a methodology to find all leak techniques for a given state-dependent resource and a set of inclusion methods. We translate a website's DOM at runtime into a directed graph. We execute this translation twice, once for each state. The outputs are two slightly different graphs. We then obtain the set of all leak techniques by computing the difference between these two graphs. The remaining nodes and edges are those that differ between the two states, and the corresponding DOM properties and objects can be observed cross-origin.
We implemented AutoLeak, our open-source solution for automatically detecting known and yet-unknown XS-Leaks in web browsers and websites. For our systematic study, we focus on XS-Leak test cases for web browsers with detectable differences induced by HTTP headers. We created and evaluated a total of 151776 test cases in Chrome, Firefox, and Safari. AutoLeak executed them automatically without human interaction and identified up to 8403 leak techniques per test case. In addition, AutoLeak's systematic evaluation uncovers 5 novel classes of XS-Leaks based on leak techniques that allow detecting novel HTTP headers cross-origin. We show the applicability of our methodology on 24 websites in the Tranco Top 50 and uncovered XS-Leaks in 20 of them.
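The two-step methodology the abstract describes (translate the DOM of each state into a directed graph, then diff the graphs so that whatever remains is a leak technique) can be shown on a small scale. The following is an added example written for this page; it is not AutoLeak's code and does not reproduce the paper's browser instrumentation. It walks a plain JavaScript object tree standing in for the attacker page's `window` after a state-dependent resource was included, keyed by property path so that graphs from two separate runs are comparable, and uses object identity only to break cycles such as `window.window` or `frame.parent`. The two snapshots, the property names inside them (`frames`, `length`, `performance.entries`, `transferSize`) and their values are constructed, hypothetical stand-ins for a runtime DOM walk, not measured browser behaviour; `domToGraph`, `diffGraphs`, `snapshot` and `findLeakTechniques` are names chosen here.

```javascript
// Added example (not AutoLeak's code): DOM-to-graph translation plus graph difference,
// run over two constructed snapshots of an attacker page's DOM, one per target state.

// Translate an object tree into a directed graph. Node identity is the dotted property
// path from the root (stable across runs); object identity only guards against cycles.
function domToGraph(root, rootName = "window") {
  const nodes = new Map();   // path -> "<object>" or "type:value" for leaf properties
  const edges = new Set();   // "fromPath -[prop]-> toPath"
  const visited = new Map(); // object identity -> path of first visit (cycle guard)

  function visit(value, path) {
    if (value === null || typeof value !== "object") {
      nodes.set(path, `${typeof value}:${String(value)}`);
      return path;
    }
    if (visited.has(value)) return visited.get(value); // back-edge: record, don't recurse
    visited.set(value, path);
    nodes.set(path, "<object>");
    for (const prop of Object.keys(value).sort()) {
      const target = visit(value[prop], `${path}.${prop}`);
      edges.add(`${path} -[${prop}]-> ${target}`);
    }
    return path;
  }

  visit(root, rootName);
  return { nodes, edges };
}

// Compute the difference of two graphs. Every node that exists in only one state, or
// whose leaf value differs, is a DOM property that distinguishes the states: a leak technique.
function diffGraphs(a, b) {
  const nodeDiff = [];
  const paths = [...new Set([...a.nodes.keys(), ...b.nodes.keys()])].sort();
  for (const path of paths) {
    const va = a.nodes.get(path);
    const vb = b.nodes.get(path);
    if (va === undefined) nodeDiff.push({ path, kind: "only-in-B", a: va, b: vb });
    else if (vb === undefined) nodeDiff.push({ path, kind: "only-in-A", a: va, b: vb });
    else if (va !== vb) nodeDiff.push({ path, kind: "value-differs", a: va, b: vb });
  }
  const edgeDiff = [];
  for (const e of a.edges) if (!b.edges.has(e)) edgeDiff.push({ edge: e, kind: "only-in-A" });
  for (const e of b.edges) if (!a.edges.has(e)) edgeDiff.push({ edge: e, kind: "only-in-B" });
  return { nodes: nodeDiff, edges: edgeDiff };
}

// Constructed snapshots of the attacker page's DOM after including the state-dependent
// resource. Values are hypothetical stand-ins for what a runtime walk would record.
function snapshot(state) {
  const win = { name: "attacker" };
  win.window = win;                                     // self-reference (cycle)
  const frame = {
    parent: win,                                        // back-edge to the top window
    loadFired: true,                                    // identical in both states
    length: state === "A" ? 1 : 0,                      // nested frame count differs
  };
  win.frames = [frame];
  const entries = [
    { name: "https://target.example/resource", duration: 12,
      transferSize: state === "A" ? 0 : 300 },          // leaf value differs
  ];
  if (state === "B") {                                  // extra entry exists only in B
    entries.push({ name: "https://target.example/login", duration: 5, transferSize: 250 });
  }
  win.performance = { entries };
  return win;
}

// Run the translation once per state and keep what differs.
function findLeakTechniques() {
  return diffGraphs(domToGraph(snapshot("A")), domToGraph(snapshot("B")));
}

const result = findLeakTechniques();
for (const n of result.nodes) {
  console.log(`${n.kind.padEnd(13)} ${n.path}  A=${n.a}  B=${n.b}`);
}
for (const e of result.edges) console.log(`${e.kind.padEnd(13)} ${e.edge}`);
```

Running it lists six differing nodes (the frame count, the transfer size, and the four nodes of the entry that exists only in state B) and four edges that exist only in state B; identical edges to leaf nodes do not show up, since a changed value surfaces as a node difference rather than an edge difference. In a real run the snapshots would come from walking the live `window` object of the attacker page in each state, which is where the cycle guard matters.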



Published In

CCS '23: Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security, November 2023, 3722 pages. ISBN: 9798400700507. DOI: 10.1145/3576915.
This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.

Publisher

Association for Computing Machinery, New York, NY, United States

Author Tags

1. autoleak
2. browsers
3. graphs
4. privacy
5. web security
6. xs-leaks

Qualifiers

• Research-article

Funding Sources

• Deutsche Forschungsgemeinschaft (DFG, German Research Foundation) under Germany's Excellence Strategy, EXC 2092 CASA
• Industrie 4.0 Recht-Testbed by the Ministry of Economics and Technology (BMWi)
• North-Rhine Westphalian Experts in Research on Digitalization (NERD II) by the state of North Rhine-Westphalia

Conference

CCS '23

Acceptance Rates

Overall Acceptance Rate 1,261 of 6,999 submissions, 18%


Article Metrics

Total Citations: 0. Total Downloads: 813 (751 in the last 12 months, 107 in the last 6 weeks). Reflects downloads up to 24 Dec 2024.
