Help, my browser is leaking! Exploring XSLeaks attacks and defenses - Tom Van Goethem
0 likes138 views
The document discusses various security vulnerabilities in modern web browsers, specifically highlighting issues related to XSLeaks that can leak sensitive user information and metadata through timing and size analysis of web requests. It covers the implications of HTTP/2 and the differences in how browsers handle cross-origin resource policy, including new security features aimed at mitigating these risks. The author emphasizes the need for better web security practices to prevent attackers from exploiting these vulnerabilities.
![const url = 'https://example.com/url';
fetch(url).then((response) => {
// first byte of response received
const firstByte = performance.now();
});
const entry = performance.getEntriesByName(url)[0];
// last byte of response received
const lastByte = entry.responseEnd;
if (lastByte - firstByte < 5) {
// 1 TCP window
} else {
// multiple TCP windows
}](https://image.slidesharecdn.com/tom-help-my-browser-is-leaking-200911213013/85/Help-my-browser-is-leaking-Exploring-XSLeaks-attacks-and-defenses-Tom-Van-Goethem-46-320.jpg)
Help, my browser is leaking! Exploring XSLeaks attacks and defenses - Tom Van Goethem
- 2. The modern-day browser Processing and rendering resources HTTP/2 or HTTP/1.1 over TLS over TCP Cache and local storage Many, many, many features
- 7. • Leak security information • CSRF token (may lead to full account compromise) • Determine the user’s identity • Spear phishing • User profiling • Perform search queries under the victim’s credentials • Leak secrets that only the victim has access to • Extract privacy-sensitive content • Which websites is the user logged in to? An attacker may try to… 5
- 8. • Same-origin policy prevents site-A from accessing contents of site-B • XSLeaks abuse side-channel information to leak metadata information • Response timing • Firing of events (order & time) • Size of response • … • Metadata is dependent on the state of the user • Search query has results → large response • No results → small response XSLeaks 6
- 9. • Response status • Redirect (30x), 404, … • Cache status • Cached resources load much faster • Rendered content & operations • frames.length • postMessage() • … 7 Categories of XSLeaks
- 10. • Browser-based timing side-channels • HEIST Response size Server processing time • Timeless timing attacks In this presentation…
- 19. <h1>17 transactions</h1> <ul> <li>2017-06-19 $1,337,000 NSA hack</li> <li>2020-09-04 $31,337 NNC hack</li> ...
- 20. <h1>17 transactions</h1> <ul> <li>2017-06-19 $1,337,000 NSA hack</li> <li>2020-09-04 $31,337 NNC hack</li> ...
- 21. <h1>17 transactions</h1> <ul> <li>2017-06-19 $1,337,000 NSA hack</li> <li>2020-09-04 $31,337 NNC hack</li> ...
- 22. • Measures time download resource • Accuracy depends on Internet connection of the victim • Not under control of the attacker • Jitter may render attack ineffective • Need attack that is not affected by network conditions… 11 const start = performance.now(); fetch('https://example.com/url').then((response) => { const end = performance.now(); analyze(end - start); });
- 23. • Timing starts after resource has been downloaded • Not affected by network condition • Time to parse resource as video depends on its size • Has been mitigated • Error is thrown before response is parsed • Chrome: CORB - Firefox: MIME-type checking 12 const video = document.createElement('video'); let start; video.addEventListener('suspend', () => { start = performance.now(); }); video.addEventListener('error', () => { const end = performance.now(); analyze(end - start); }); video.src = 'https://example.com/url';
- 24. • Timing starts after resource has been downloaded • Not affected by network condition • Time to add/remove resource from cache is related to size • Mitigated in Chrome: CORB • Still possible to abuse in Firefox 13 const cache = await caches.open('nnc'); const url = 'https://example.com/url'; const opts = {"credentials": "include", "mode": "no-cors"}; const resp = await fetch(url, opts); const bogusReq = '/foo' + Math.random(); const start = performance.now(); await cache.put(bogusReq, resp.clone()); await cache.delete(bogusReq); const end = performance.now(); analyze(end - start);
- 25. • Operations performed on resources after they have been downloaded • Not affected by network conditions of victim • Examples: • Parsing resource in a specific format • Persisting resource to disk • Effective countermeasures: discard operations on cross-origin resources before any operations Browser-basedTiming Attacks 14
- 26. HEIST
- 28. example.com
- 29. example.com GET /url HTTP/1.1 Origin: example.com Accept: text/html
- 30. example.com GET /url HTTP/1.1 Origin: example.com Accept: text/html TLS
- 31. example.com GET /url HTTP/1.1 Origin: example.com Accept: text/html TLS TCP
- 32. example.com GET /url HTTP/1.1 Origin: example.com Accept: text/html TLS TCP 481 bytes
- 33. example.com GET /url HTTP/1.1 Origin: example.com Accept: text/html TLS TCP HTTP/1.1 200 OK Content-Type: text/html Content-Length: 9840 <!DOCTYPE html><html>... 481 bytes
- 34. example.com GET /url HTTP/1.1 Origin: example.com Accept: text/html TLS TCP HTTP/1.1 200 OK Content-Type: text/html Content-Length: 9840 <!DOCTYPE html><html>... 481 bytes 1448 bytes
- 35. example.com GET /url HTTP/1.1 Origin: example.com Accept: text/html TLS TCP HTTP/1.1 200 OK Content-Type: text/html Content-Length: 9840 <!DOCTYPE html><html>... 481 bytes 1448 bytes 1448 bytes
- 36. example.com GET /url HTTP/1.1 Origin: example.com Accept: text/html TLS TCP HTTP/1.1 200 OK Content-Type: text/html Content-Length: 9840 <!DOCTYPE html><html>... 481 bytes 1448 bytes 1448 bytes 1448 bytes
- 37. example.com GET /url HTTP/1.1 Origin: example.com Accept: text/html TLS TCP HTTP/1.1 200 OK Content-Type: text/html Content-Length: 9840 <!DOCTYPE html><html>... 481 bytes 1448 bytes 1448 bytes 1448 bytes ...
- 38. example.com
- 39. example.com
- 40. example.com
- 41. example.com
- 42. example.com 10 TCP packets (= 1 TCP window)
- 43. example.com 10 TCP packets (= 1 TCP window) ACK
- 44. example.com 10 TCP packets (= 1 TCP window) ... ACK rest of response
- 45. • Response is <= 14480 bytes: everything fits in single TCP window • Response is > 14480 bytes: multiple TCP windows required • Server needs to wait for ACK from client • Additional round-trip • Detect one or multiple round-trips? => leak information about size TCP windows 19
- 46. const url = 'https://example.com/url'; fetch(url).then((response) => { // first byte of response received const firstByte = performance.now(); }); const entry = performance.getEntriesByName(url)[0]; // last byte of response received const lastByte = entry.responseEnd; if (lastByte - firstByte < 5) { // 1 TCP window } else { // multiple TCP windows }
- 47. • GZIP uses backreferences to compress content GZIP compression 21 <html> <h1>Welcome {{username}}</h1> ... secret=NoNameCon ... <html> <h1>Welcome Tom</h1> ... secret=NoNameCon ... <html> <h1>Welcome secret=</h1> ... @-17,7NoNameCon ...
- 48. <html> <h1>Welcome {{username}}</h1> ... secret=NoNameCon ... <html> <h1>Welcome secret=a</h1> ... @-17,7NoNameCon ... <html> <h1>Welcome secret=N</h1> ... @-17,8oNameCon ... 8900 bytes 8899 bytes
- 49. • Correct character guess: 1 byte less • Pad resource to one TCP window • Reflecting URL parameters • HTTP/2: using other resources • Correct guess: one TCP window = one RTT • vs. Incorrect guess: two TCP windows = multiple RTT • Leak secrets byte by byte HEIST 23
- 50. • Browser-based timing side-channel • Estimate of size • HEIST • Exact size (after padding) • After compression (=> leak secrets) 24 Response size Server processing time • Timeless timing attacks • HTTP/2 • Concurrency
- 52. • Typical timing attack • Heavily affected by network jitter • Can we do better? 26 const start = performance.now(); fetch('https://example.com/url').then((response) => { const end = performance.now(); analyze(end - start); });
- 54. • IF two requests arrive at the same time • And are processed in parallel • We know which one took longer to process • By simply looking at the response order TimelessTiming Attacks 28
- 55. • Major improvement in HTTP/2: concurrency • We can execute multiple requests in parallel over a single connection • TCP congestion windows also apply to the client • Sending large request (or multiple): need to wait for ACK from server before sending more than one TCP window • While waiting for ACK, following requests are added to same TCP packet HTTP/2 29
- 56. example.com
- 62. example.com 10 TCP packets (= 1 TCP window) POST /large
- 63. example.com 10 TCP packets (= 1 TCP window) POST /largeGET /url1
- 64. example.com 10 TCP packets (= 1 TCP window) POST /largeGET /url1
- 65. example.com 10 TCP packets (= 1 TCP window) POST /largeGET /url1 GET /url2
- 66. example.com 10 TCP packets (= 1 TCP window) POST /largeGET /url1 GET /url2
- 67. example.com 10 TCP packets (= 1 TCP window) ACK POST /largeGET /url1 GET /url2
- 68. fetch('https://example.com/large', { "method": "POST", "body": largeString }); let first; fetch('https://example.com/url1').then(() => { first = first || 'url1'; }); fetch('https://example.com/url2').then(() => { first = first || 'url2'; });
- 69. • Can distinguish timing differences up to 100 times smaller • In certain cases as small as 150ns • Possible to exploit timing attacks that were previously not possible to exploit • Generic technique, CDNs can pose some limitations TimelessTiming Attacks 32
- 70. • Many relatively new security features that aim to “fix” the Web • CORB, CORP, COEP, COOP, SameSite cookies, SecFetch-* • Aim to limit “bad” functionality that has been pestering the Web • Cookies should not be included in cross-site requests • It should not be possible to “play with” cross-site responses • Attacker shouldn’t be able to endlessly interfere with cross-origin windows • … • Most effective when enabled by default • Finding balance between breaking functionality and guaranteeing security Defenses 33
- 71. • Browsers leak metadata about cross-origin resources • Can be used to extract sensitive content from users • In this presentation: • Leaking the size: estimate/exact • Leaking server processing time: 100x more accurate • Independent of network conditions • Defenses aim to remove the bad legacy features from the Web • Intervention from websites still required Conclusion 34