Nothing Special   »   [go: up one dir, main page]

skip to main content
10.1145/3576915.3616598acmconferencesArticle/Chapter ViewAbstractPublication PagesccsConference Proceedingsconference-collections
research-article
Open access

Finding All Cross-Site Needles in the DOM Stack: A Comprehensive Methodology for the Automatic XS-Leak Detection in Web Browsers

Published: 21 November 2023 Publication History

Abstract

Cross-Site Leaks (XS-Leaks) are a class of vulnerabilities that allow a web attacker to infer user state from a target web application cross-origin. Fixing XS-Leaks is a cat-and-mouse game: once a published vulnerability is fixed, a variant is discovered. To end this game, we propose a methodology to find all leak techniques for a given state-dependent resource and a set of inclusion method. We translate a website's DOM at runtime into a directed graph. We execute this translation twice, once for each state. The outputs are two slightly different graphs. We then get the set of all leak techniques by computing these two graphs' differences. The remaining nodes and edges differ between the two states, and the corresponding DOM properties and objects can be observed cross-origin.
We implemented AutoLeak, our open-source solution for automatically detecting known and yet unknown XS-Leaks in web browsers and websites. For our systematic study, we focus on XS-Leak test cases for web browsers with detectable differences induced by HTTP headers. We created and evaluated a total of 151776 test cases in Chrome, Firefox, and Safari. AutoLeak executed them automatically without human interaction and identified up to 8403 leak techniques per test case. On top, AutoLeak's systematic evaluation uncovers 5 novel classes of XS-Leaks based on leak techniques that allow detecting novel HTTP headers cross-origin. We show the applicability of our methodology on 24 web sites in the Tranco Top 50 and uncovered XS-Leaks in 20 of them.

References

[1]
2019. Attempt to plug an information leak represented by http status. https://github.com/kohler/hotcrp/commit/ 406a966aad00a762460fbc62cfb04a7532fc9fbd
[2]
2022. Fetch Standard, CORS protocol and credentials. https:// fetch.spec.whatwg.org/#cors-protocol-and-credentials
[3]
2022. The HTTP archive. https://httparchive.org/
[4]
David Auber, Daniel Archambault, Romain Bourqui, Maylis Delest, Jonathan Dubois, Antoine Lambert, Patrick Mary, Morgan Mathiaut, Guy Melanc con, Bruno Pinaud, Benjamin Renoust, and Jason Vallet. 2017. TULIP 5. In Encyclopedia of Social Network Analysis and Mining, Reda Alhajj and Jon Rokne (Eds.). Springer, 1--28. https://doi.org/10.1007/978-1-4614-7163-9_315-1
[5]
Adam Barth, Joel Weinberger, and Dawn Song. 2009. Cross-Origin Javascript Capability Leaks: Detection, Exploitation, and Defense. In Proceedings of the 18th Conference on USENIX Security Symposium (Montreal, Canada) (SSYM'09). USENIX Association, USA, 187--198.
[6]
Jason Bau, Jonathan Mayer, Hristo Paskov, and John C Mitchell. 2013. A promising direction for web tracking countermeasures. Proceedings of W2SP (2013).
[7]
Celery. 2023. Celery: Distributed task queue. https://github.com/celery/celery
[8]
Mongo DB. 2023. Mongo DB Website. https://www.mongodb.com/
[9]
MDN Web Docs. 2022a. HTTP Headers: Cache-Control. https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cache-Control.
[10]
MDN Web Docs. 2022b. MDN Web Docs. https://developer.mozilla.org/.
[11]
MDN Web Docs. 2022c. PerformanceResourceTiming nextHopProtocol. https://developer.mozilla.org/en-US/docs/Web/API/PerformanceResourceTiming/nextHopProtocol.
[12]
MDN Web Docs. 2023. State Partitioning. https://developer.mozilla.org/en-US/docs/Web/Privacy/State_Partitioning.
[13]
Edward W. Felten and Michael A. Schneider. 2000. Timing attacks on Web privacy. In Conference on Computer and Communications Security.
[14]
Ilya Grigorik and Charles Vazac. 2022. Server Timing. W3C Working Draft. W3C. https://www.w3.org/TR/server-timing/#privacy-and-security.
[15]
Aric A. Hagberg, Daniel A. Schult, and Pieter J. Swart. 2008. Exploring Network Structure, Dynamics, and Function using NetworkX. In Proceedings of the 7th Python in Science Conference, Gaël Varoquaux, Travis Vaught, and Jarrod Millman (Eds.). Pasadena, CA USA, 11--15.
[16]
Mario Heiderich. 2020. HTTPLeaks. https://github.com/cure53/HTTPLeaks.
[17]
Mario Heiderich, Marcus Niemietz, Felix Schuster, Thorsten Holz, and Jörg Schwenk. 2012. Scriptless Attacks: Stealing the Pie without Touching the Sill. In ACM SIGSAC Conference on Computer and Communications Security (2012). ACM, ACM Press, 760--771. https://doi.org/10.1145/2382196.2382276
[18]
Luan Herrera. 2021. Guessing the URL a cross-origin iframe was redirected to by listening to the load event. https://crbug.com/1248444.
[19]
Umar Iqbal, Peter Snyder, Shitong Zhu, Benjamin Livshits, Zhiyun Qian, and Zubair Shafiq. 2018. AdGraph: A Graph-Based Approach to Ad and Tracker Blocking. https://doi.org/10.48550/ARXIV.1805.09155
[20]
Travi J. 2012. What does it mean global namespace would be polluted? https://stackoverflow.com/questions/8862665/what-does-it-mean-global-namespace-would-be-polluted/13352212.
[21]
Artur Janc and Mike West. 2020. Oh, the Places You'll Go ! Finding Our Way Back from the Web Platform's Ill-conceived Jaunts. In 2020 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW ) (Genoa, Italy). IEEE, IEEE, 673--680. https://doi.org/10.1109/eurospw51379.2020.00096
[22]
Soroush Karami, Faezeh Kalantari, Mehrnoosh Zaeifi, Xavier J. Maso, Erik Trickel, Panagiotis Ilia, Yan Shoshitaishvili, Adam Doupé, and Jason Polakis. 2022. Unleash the Simulacrum: Shifting Browser Realities for Robust Extension-Fingerprinting Prevention. In USENIX Security Symposium. USENIX Association.
[23]
Soheil Khodayari and Giancarlo Pellegrino. 2022. The State of the SameSite : Studying the Usage, Effectiveness, and Adequacy of SameSite Cookies. In IEEE Symposium on Security and Privacy (S&P). IEEE Computer Society. https://publications.cispa.saarland/3504/
[24]
Soheil Khodayari and Giancarlo Pellegrino. 2023. It's (DOM ) Clobbering Time : Attack Techniques, Prevalence, and Defenses. IEEE Symposium on Security and Privacy (S&P) (2023).
[25]
Lukas Knittel, Christian Mainka, Marcus Niemietz, Dominik Trevor Noß, and Jörg Schwenk. 2021. XSinator. com: From a Formal Model to the Automatic Evaluation of Cross-Site Leaks in Web Browsers. In Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security. 1771--1788.
[26]
Sebastian Lekies, Ben Stock, Martin Wentzel, and Martin Johns. 2015. The Unexpected Dangers of Dynamic JavaScript. In USENIX Security Symposium (2015). USENIX Association, 723. https://www.usenix.org/conference/usenixsecurity15/technical-sessions/presentation/lekies
[27]
Bo Li, Phani Vadrevu, Kyu Hyung Lee, and Roberto Perdisci. 2018. JSgraph: Enabling Reconstruction of Web Attacks via Efficient Tracking of Live In-Browser JavaScript Executions. In 25th Annual Network and Distributed System Security Symposium, NDSS 2018, San Diego, California, USA, February 18-21, 2019. The Internet Society. https://www.ndss-symposium.org/wp-content/uploads/2018/02/ndss2018_07B-4_Li_paper.pdf
[28]
Milica Mihajlija. 2022. Cookies having independent partitioned state (CHIPS). https://developer.chrome.com/docs/privacy-sandbox/chips/
[29]
Mozilla. 2022. Firefox Source Code. https://hg.mozilla.org/.
[30]
Jannis Rautenstrauch, Giancarlo Pellegrino, and Ben Stock. 2023. The Leaky Web: Automated Discovery of Cross-Site Information Leaks in Browsers and the Web. In IEEE Symposium on Security and Privacy (S&P). IEEE Computer Society.
[31]
Jörg Schwenk, Marcus Niemietz, and Christian Mainka. 2017. Same-Origin Policy: Evaluation in Modern Browsers. In USENIX Security Symposium. USENIX Association, 713--727. https://doi.org/10.5555/3241189.3241245
[32]
Peter Snyder, Soroush Karami, Benjamin Livshits, and Hamed Haddadi. 2023. Pool-Party: Exploiting Browser Resource Pools as Side-Channels for Web Tracking. In 32th USENIX Security Symposium (USENIX Security 23).
[33]
Cristian-Alexandru Staicu and Michael Pradel. 2019. Leaky Images: Targeted Privacy Attacks in the Web. In USENIX Security Symposium. USENIX Association, 923--939.
[34]
Oleksii Starov and Nick Nikiforakis. 2017. XHOUND: Quantifying the Fingerprintability of Browser Extensions. In 2017 IEEE Symposium on Security and Privacy (SP). 941--956. https://doi.org/10.1109/SP.2017.18
[35]
Avinash Sudhodanan, Soheil Khodayari, and Juan Caballero. 2020. Cross-Origin State Inference (COSI ) Attacks: Leaking Web Site States through XS-Leaks. In Network and Distributed System Security Symposium (San Diego, CA). Internet Society. https://doi.org/10.14722/ndss.2020.24278
[36]
Tom Van Goethem, Gertjan Franken, Iskander Sanchez-Rola, David Dworken, and Wouter Joosen. 2022. SoK: Exploring Current and Future Research Directions on XS-Leaks through an Extended Formal Model. In ACM Asia Conference on Computer and Communications Security (ASIACCS ) (New York, NY, USA, 2022-05-30) (ASIA CCS '22). ACM Press, 784--798. https://doi.org/10.1145/3488932.3517416
[37]
W3C. 2022. The web-platform-tests Project. https://wpt.fyi/.
[38]
Yoav Weiss and Noam Rosenthal. 2022. Resource Timing Level 2. W3C Working Draft. W3C. https://www.w3.org/TR/2022/WD-resource-timing-2-20220706/.
[39]
Mike West. 2021. Content Security Policy: Embedded Enforcement. W3C Editor's Draft. W3C. https://w3c.github.io/webappsec-cspee/.
[40]
John Wilander. 2019. Preventing Tracking Prevention Tracking. https://webkit.org/blog/9661/preventing-tracking-prevention-tracking/.
[41]
Takashi Yoneuchi. 2019a. Issue 1038036: Security: Cross-Origin (Partial) Status Code Leakage. https://crbug.com/1038036.
[42]
Takashi Yoneuchi. 2019b. XS-Leak with Resource Timing API and CSP Embedded Enforcement. https://crbug.com/1105875.
[43]
Mojtaba Zaheri and Reza Curtmola. 2021. Leakuidator: Leaky Resource Attacks and Countermeasures. In Security and Privacy in Communication Networks - 17th EAI International Conference, SecureComm 2021, Proceedings (2021). Springer Science and Business Media Deutschland GmbH, 143--163. https://doi.org/10.1007/978-3-030-90022-9_8

Index Terms

  1. Finding All Cross-Site Needles in the DOM Stack: A Comprehensive Methodology for the Automatic XS-Leak Detection in Web Browsers

        Recommendations

        Comments

        Please enable JavaScript to view thecomments powered by Disqus.

        Information & Contributors

        Information

        Published In

        cover image ACM Conferences
        CCS '23: Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security
        November 2023
        3722 pages
        ISBN:9798400700507
        DOI:10.1145/3576915
        This work is licensed under a Creative Commons Attribution-ShareAlike International 4.0 License.

        Sponsors

        Publisher

        Association for Computing Machinery

        New York, NY, United States

        Publication History

        Published: 21 November 2023

        Check for updates

        Author Tags

        1. autoleak
        2. browsers
        3. graphs
        4. privacy
        5. web security
        6. xs-leaks

        Qualifiers

        • Research-article

        Funding Sources

        • Deutsche Forschungsgemeinschaft (DFG German Research Foundation) under Germany's Excellence Strategy - EXC 2092 CASA
        • Industrie 4.0 Recht-Testbed by Ministry of Economics and Technology (BMWi)
        • North-Rhine Westphalian Experts in Research on Digitalization (NERD II) by the state of North Rhine-Westfalia

        Conference

        CCS '23
        Sponsor:

        Acceptance Rates

        Overall Acceptance Rate 1,261 of 6,999 submissions, 18%

        Upcoming Conference

        CCS '25

        Contributors

        Other Metrics

        Bibliometrics & Citations

        Bibliometrics

        Article Metrics

        • 0
          Total Citations
        • 808
          Total Downloads
        • Downloads (Last 12 months)746
        • Downloads (Last 6 weeks)102
        Reflects downloads up to 21 Dec 2024

        Other Metrics

        Citations

        View Options

        View options

        PDF

        View or Download as a PDF file.

        PDF

        eReader

        View online with eReader.

        eReader

        Login options

        Media

        Figures

        Other

        Tables

        Share

        Share

        Share this Publication link

        Share on social media