[OPD 2019] Side-Channels on the Web: Attacks and Defenses

Side-Channels on the Web:
Attacks and Defenses
Tom Van Goethem
@tomvangoethem

cute-kittens.com cute-puppies.com

cute-kittens.com cute-puppies.com
evil-bunnies.com
BUNNIES ATTACK!

What can the bunnies (attackers) do?

Same-origin Policy
evil-bunnies.com
cute-kittens.com
<img src="//cute-kittens.com/img">

Same-origin Policy
evil-bunnies.com
cute-kittens.com
fetch("//cute-kittens.com/fetch", {
"method": "POST",
"credentials": "include",
"body": "bunnies=best"
});
Access to fetch at 'http://cute-kittens.com/'
from origin 'http://evil-bunnies.com' has been
blocked by CORS policy:
No 'Access-Control-Allow-Origin' header is
present on the requested resource. If an
opaque response serves your needs, set the
request's mode to 'no-cors' to fetch the
resource with CORS disabled.

Same-origin Policy
evil-bunnies.com
cute-kittens.com
fetch("//cute-kittens.com/fetch", {
"mode": "no-cors",
"method": "POST",
"credentials": "include",
"body": "bunnies=best"
});

Same-origin Policy
evil-bunnies.com
cute-kittens.com
<iframe src="//cute-kittens.com/iframe">
</iframe>
frames[0].document
Uncaught DOMException: Blocked a frame with
origin "http://evil-bunnies.com" from accessing
a cross-origin frame.

Same-origin Policy
evil-bunnies.com
cute-kittens.com
<iframe src="//cute-kittens.com/iframe">
</iframe>
frames[0].length => 5

• Try to leak information about cross-origin responses
• Indirectly: certain browser/web features leak meta-information
• Does the server return an image?
• <img> onerror vs. <img> onload
• Is resource cached by the browser?
• E.g. use timing information
• How many iframes does a resource contain?
• E.g. use frames.length
• Many more, see https://github.com/xsleaks/xsleaks
Side-channel attacks on the web (XSLeaks)

12
Cross-site size-exposing attacks

Size may leak information about user state
~19kB
~183kB

Gelernter, Nethanel, and Amir Herzberg. "Cross-site search attacks." Proceedings of the 22nd ACM SIGSAC Conference on Computer and
Communications Security (CCS). ACM, 2015.

Cross-site timing attacks
• State-dependent content
15
victim
<img src="https://cute-kittens.com/index.hmtl">
cute-kittens.com
Start timer
Stop timer
error event
 Logged in or not?
 #items in online basket
Network latency and
instability
evil-bunnies.com

victim
Start timer
Stop timer
[1] Van Goethem et al. The Clock is Still Ticking: Timing Attacks in the Modern Web. In Proceedings of the 22nd ACM SIGSAC Conference
on Computer and Communications Security (CCS '15). ACM, New York, NY, USA, 1382-1393.
 Abuse of firing events during parsing process
- suspend when fetched
- error on fail
<video src="https://doggo-bank.com/index.hmtl">
suspend
error
cute-kittens.comevil-bunnies.com
Browser-based timing attacks

Video Parsing Attack
17
Video Parsing Attack
let video = document.createElement('video');
// suspend => download complete
video.addEventListener('suspend',function(){
start = window.performance.now();
});
// error => parsing complete
video.addEventListener('error',function(){
end = window.performance.now();
});
video.src = 'https://example.org/resource';
CACHE MANIFEST
CACHE:
https://example.org/resource
NETWORK:
*
appcache.manifest

Defense: Cross-Origin Read Blocking (CORB)
• Prevents potentially sensitive filetypes to be loaded in same renderer
• Defense against speculative execution attacks
Sensitive document not in same process => can not be leaked
• Enabled by default
• Only available in Chrome & Edge

Cache Storage Attack
19
Cache Storing Attack
let url = 'https://example.org/resource';
let opts = {credentials: "include", mode: "no-cors"};
let request = new Request(url, opts);
let bogusReq = new Request('/bogus');
fetch(request).then(function(resp) {
// Resource download complete
start = window.performance.now();
return cache.put(bogusReq, resp.clone())
}).then(function() {
// Resource stored in cache
end = window.performance.now();
});

Browser-based response size leakage
• Can differentiate resources that differ only few kB
• Video parsing mechanisms already patched
New features may cause new side-channels (e.g. SRI, image parsing, …)?
• Real-world attacks can be improved by using response inflation
One result is repeated many times → difference in response size is artificially enlarged
• Attacks discovered in 2015; bug hunters starting to leverage techniques
21

[OPD 2019] Side-Channels on the Web: Attacks and Defenses

HEIST
HTTP
Encrypted
Information can be
Stolen through
TCP Windows

HEIST
• Determine exact response size (compressed)
• 1 TCP window = 10 TCP packets = 14480 bytes of data
• 2nd TCP window can only start after ACK (--> additional round-trip needed)
• Response fits in 1 TCP window --> 1 RTT, otherwise 2+ RTTs
• Use side-channel to detect when headers are received
fetch() promise resolves
• Use side-channel to detect when full response is received
Cache API store + read
• Timing difference < 5ms --> 1 TCP window, otherwise 2 TCP windows
24

1st TCP window
fetch() resolves cache store + read finishes
Timing difference

1st TCP window
ACK
…
2nd TCP window

1st TCP window
ACK
…
2nd TCP window
fetch() resolves
Timing difference (much bigger)
cache store + read finishe

• Important prerequisite: reflection of request in response
Needed to align on TCP window size
• Exact size is known after compression
Allows for BREACH-like attack
31
HEIST

32
Hello $_GET['name'], your secret value is VOLGA_CTF
gzip(Hello Tom, your secret value is VOLGA_CTF)
?name=Tom
==> Hello Tom, your secret value is VOLGA_CTF
gzip(Hello VOLG, your secret value is VOLGA_CTF)
?name=VOLG
==> Hello VOLG, your secret value is {@-27,4}A_CTF

33
gzip(Hello SWAGB, your secret value is VOLGA_CTF)
?name=VOLGB
==> Hello VOLGB, you secret value is {@-27,4}A_CTF
gzip(Hello VOLGA, your secret value is VOLGA_CTF)
?name=VOLGA
==> Hello VOLGA, you secret value is {@-28,5}_CTF
→ 42 bytes
→ 41 bytes

• Can be used to extract cross-origin secrets (CSRF tokens)
• Defense: disable compression for sensitive content
https://blog.cloudflare.com/a-solution-to-compression-oracles-on-the-web/
Not widely deployed, requires regex to know what is sensitive
• Defense: refresh tokens after N requests
Can be tricky + what about other sensitive content?
• Large-scale impact: to be explored
34
HEIST

Storage API &
Quota Management
Attack

Abusing Storage Quota
• Each site (eTLD+1) has a specific quota
IndexedDB, localStorage, …
Cross origin resources (!!!)
• When quota is reached, any attempt to store more is blocked
• Can be used to determine exact size of cross-origin resource
• Exact size --> defenses against response inflation do not work
36

39
Quota
Step 1: fill
Step 2: remove x x

40
Quota
Step 1: fill
Step 2: remove x
Step 3: store resource
x

41
Quota
Step 1: fill
Step 2: remove x
Step 4: fill
x
y

42
Quota
Step 1: fill
Step 2: remove x
Step 4: fill
Step 5: x - y = PROFIT
x
y

Quota Management API
• Developers may want to know how many bytes are available/used
• Quota API returns “estimate”
In reality, the estimate provided exact number of bytes
• Attack becomes super easy
x = getEstimate(); store(crossOriginResource); y = getEstimate(); size = y - x;
43

Storage/Quota API status
• Fixes have been deployed
For every stored cross-origin resource, a random number of bytes (approx. 7MB in
Chrome) count towards the quota
• Low-impact solution, highly effective
No performance impact; small usability impact (for sites that store many cross-orgin
resources)
Very few attack scenarios left
Maybe abuse global quota & trigger website to store resource same-origin (highly unlikely)
44

Same-site cookie
• Cookie with extra attribute SameSite
SameSite=strict  NO CROSS-SITE REQUESTS!
SameSite=lax  exceptions: top-level GET, prerender
• Soon Lax will be the default in Chrome (& other browsers?)
• In-depth defense against cross-site attacks
46
[1] West, M., Goodwin, M. Same-site cookies. Internet- Draft draft-ietf-httpbis-cookie-same-site-00, IETF
Secretariat, June 2016.

• Cross-origin Read Blocking (CORB)
Blocks rendering sensitive content
• Cross-origin Resource Policy (CORP)
Allows web developers to determine how their resources are included
In development
• Sec-Fetch Metadata
Request headers that give information to web application how request was triggered
• Cache partitioning
Browser cache is keyed to top-document origin & cookie origin
Prevents cache-based attacks
• Cross-Origin Opener Policy (COOP)
Removes reference to opened window (and thereby attacks that rely on it)
Other defenses

[OPD 2019] Side-Channels on the Web: Attacks and Defenses

More Related Content

What's hot (20)

Similar to [OPD 2019] Side-Channels on the Web: Attacks and Defenses (20)

More from OWASP (20)

Recently uploaded (20)