What Is an XS-Leak Attack?

The same-origin policy (SOP) is a critical piece of online security. It is not an internet standard but a rule enforced by web browsers, yet it nonetheless serves to protect users from harm. Except, that is, when it is circumvented.

In short, SOP controls which web pages can access data belonging to other web pages. A browser will let a script running on one page read data from another page only if both come from the same origin. For instance, websiteno1.org/example.html can access data on websiteno1.org/otherpage.html, but not on websiteno2.org/notthispage.html. This is a security precaution against unauthorized cross-site access.
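To make the rule above concrete, here is an added example (not code from the article) that compares URLs the way the same-origin policy does. An origin is the scheme, host and port of a URL; the path plays no part, which is why the two websiteno1.org pages above are same-origin while websiteno2.org is not. The example goes slightly beyond the article's two cases and also shows that a different scheme, port or subdomain is a different origin. The `https` scheme on the article's hostnames is an assumption made here; the `URL` class is the standard WHATWG one built into browsers and Node.js.

```javascript
// Added example: same-origin comparison of two URLs.
// An origin is the (scheme, host, port) triple; path and query are ignored.
// URL#origin is a standard property that already drops default ports
// (https -> 443, http -> 80), so "https://a.example" and
// "https://a.example:443" compare as the same origin.

function originOf(urlString) {
  return new URL(urlString).origin;
}

function sameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

// Constructed sample pairs. The hostnames are the article's; https is assumed.
const samples = [
  // same host, different path: same-origin
  ["https://websiteno1.org/example.html", "https://websiteno1.org/otherpage.html"],
  // different host: cross-origin
  ["https://websiteno1.org/example.html", "https://websiteno2.org/notthispage.html"],
  // scheme differs: cross-origin
  ["https://websiteno1.org/", "http://websiteno1.org/"],
  // explicit default port: still same-origin
  ["https://websiteno1.org/", "https://websiteno1.org:443/"],
  // non-default port: cross-origin
  ["https://websiteno1.org/", "https://websiteno1.org:8443/"],
  // subdomain is a different host: cross-origin
  ["https://websiteno1.org/", "https://sub.websiteno1.org/"],
];

// Returns one result object per pair so the decisions can be inspected.
function classify(pairs) {
  return pairs.map(([a, b]) => ({ a, b, sameOrigin: sameOrigin(a, b) }));
}

for (const r of classify(samples)) {
  console.log(r.sameOrigin ? "same-origin " : "cross-origin", r.a, "vs", r.b);
}
```

Note that "same-site" (registrable domain) is a looser notion than "same-origin"; sub.websiteno1.org and websiteno1.org are same-site but not same-origin, and SOP uses the stricter one.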

However, just as burglars will not necessarily give up at the sight of a closed door or a shut window, attackers look for ways around SOP in order to carry out attacks. For those without a Web Application Firewall (WAF) for protection, the results can be extremely nasty.

What is an XS-Leak?

One example of an attack designed to circumvent SOP is the XS-Leak (cross-site leak) attack. These attacks target side channels in web platforms to surreptitiously extract user information from legitimate, trusted websites. They do this by inferring information from the tiny snippets of information exposed when web pages interact with one another.

XS-Leaks are similar to another attack, Cross-Site Request Forgery (CSRF), except that where CSRF lets another website carry out actions on a user’s behalf, XS-Leaks are used to gather information about the user.

When a user interacts with a website, they have a “state,” which can reveal information such as whether or not they are logged in to a particular site. States can also reveal information like premium membership or admin privileges. Attackers can use knowledge of these different states as part of an XS-Leak, which can tell them about a user’s local environment, the internal networks they are connected to, or their data in other web applications. In the process, XS-Leaks pose both a security risk (revealing network information) and a privacy risk (for instance, revealing a target’s sexual orientation).

Categorizing XS-Leaks

XS-Leak incidents have been around for at least two decades, and such attacks continue to show up. As a means of deanonymizing users in a world that places ever more focus on privacy, they have the potential to become a larger and larger part of the cyber attack landscape. They can be caused by everything from hardware bugs to browser APIs.

One recent attempt to raise awareness of XS-Leak attacks, and to categorize the various ways they can happen, was carried out by security researchers from the Niederrhein University of Applied Sciences and Ruhr-Universität Bochum (RUB) in Germany. They discovered 14 novel types of XS-Leak that work against contemporary web browsers such as Mozilla Firefox, Apple’s Safari, Microsoft Edge, and Google Chrome.

They then built a web application that tests a total of 34 XS-Leaks (including the 14 newly discovered ones) against 56 browser and operating system combinations to determine how vulnerable each is. Called XSinator.com, the freely available XS-Leak browser test suite lets users automatically scan their mobile or desktop browser for XS-Leak vulnerabilities with a single click.

It makes it easy to determine whether your browser is affected by any of these vulnerabilities: successful simulated attacks are shown in red (a warning) and safe browsers in green. The researchers say this is part of their work to establish a “clear and systematic understanding” of the root cause of XS-Leak attacks.

Protecting against attacks

Protecting against XS-Leak vulnerabilities is something that every organization should do. Browser vendors keep adding features that help safeguard against these attacks. As one example, some browsers have begun to implement fetch metadata request headers, which tell a server the context a request was made in so that it can block requests that do not fit the context it expects.
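As an added example of how a server can act on those headers (this is illustrative code written for this article, not code from the researchers or from any browser vendor), the function below implements a "resource isolation" check using the three fetch metadata request headers browsers send: Sec-Fetch-Site, Sec-Fetch-Mode and Sec-Fetch-Dest. The policy is deliberately strict about cross-site requests: only a top-level GET navigation (a user following a link) is allowed, while cross-site embedding (iframes, images, scripts) and background fetches, the contexts cross-site leaks typically depend on, are refused. The shape of the input (an HTTP method plus an object of lowercased header names) is an assumption chosen so the function can be wrapped in any Node.js framework; the sample requests are constructed.

```javascript
// Added example: a server-side resource isolation policy built on the
// Fetch Metadata request headers (Sec-Fetch-Site / -Mode / -Dest).
// Input shape (an assumption of this example): an HTTP method string and a
// plain object whose keys are lowercased header names, as Node's http module
// exposes them. Returns { allow, reason } so the decision can be logged.
//
// Policy:
//  - No Sec-Fetch-Site header: the browser does not send fetch metadata;
//    allow, so old clients keep working (a known gap of this approach).
//  - same-origin, same-site, or "none" (user typed the URL / bookmark): allow.
//  - cross-site: allow only a GET whose mode is "navigate" and whose
//    destination is a top-level "document". Everything else cross-site
//    (iframe, image, script, object, fetch/XHR, POST navigations) is refused.
function isolatedByFetchMetadata(method, headers) {
  const site = headers["sec-fetch-site"];
  if (site === undefined) {
    return { allow: true, reason: "no fetch metadata sent by client" };
  }
  if (site === "same-origin" || site === "same-site" || site === "none") {
    return { allow: true, reason: `sec-fetch-site=${site}` };
  }
  // From here on the request is cross-site.
  const mode = headers["sec-fetch-mode"];
  const dest = headers["sec-fetch-dest"];
  if (mode === "navigate" && dest === "document" && method.toUpperCase() === "GET") {
    return { allow: true, reason: "cross-site top-level GET navigation" };
  }
  return {
    allow: false,
    reason: `cross-site ${method} with mode=${mode || "?"} dest=${dest || "?"}`,
  };
}

// Constructed sample requests, each labelled with the situation it models.
const sampleRequests = [
  { name: "own page calling its own API", method: "GET",
    headers: { "sec-fetch-site": "same-origin", "sec-fetch-mode": "cors", "sec-fetch-dest": "empty" } },
  { name: "user follows a link from another site", method: "GET",
    headers: { "sec-fetch-site": "cross-site", "sec-fetch-mode": "navigate", "sec-fetch-dest": "document" } },
  { name: "another site embeds us in an iframe", method: "GET",
    headers: { "sec-fetch-site": "cross-site", "sec-fetch-mode": "navigate", "sec-fetch-dest": "iframe" } },
  { name: "another site loads our endpoint as an image", method: "GET",
    headers: { "sec-fetch-site": "cross-site", "sec-fetch-mode": "no-cors", "sec-fetch-dest": "image" } },
  { name: "cross-site form POST", method: "POST",
    headers: { "sec-fetch-site": "cross-site", "sec-fetch-mode": "navigate", "sec-fetch-dest": "document" } },
  { name: "old browser without fetch metadata", method: "GET",
    headers: {} },
  { name: "user types the URL into the address bar", method: "GET",
    headers: { "sec-fetch-site": "none", "sec-fetch-mode": "navigate", "sec-fetch-dest": "document" } },
];

// Evaluates every sample and returns the decisions for inspection.
function evaluateAll(requests) {
  return requests.map((r) => {
    const d = isolatedByFetchMetadata(r.method, r.headers);
    return { name: r.name, allow: d.allow, reason: d.reason };
  });
}

for (const r of evaluateAll(sampleRequests)) {
  console.log(r.allow ? "ALLOW" : "DENY ", r.name, "->", r.reason);
}
```

In a real deployment the function would run before any application handler, answer a refused request with an error status that carries no user-specific content, and log the reason so that unexpected denials (for example a legitimate cross-site integration) can be spotted and allow-listed explicitly rather than by loosening the whole policy.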

One of the best measures organizations can employ, however, is a Web Application Firewall (WAF). These cutting-edge firewalls use signature-based filtering to recognize and block malicious requests, safeguarding against attacks such as XS-Leaks. By inspecting web traffic, they also help protect more broadly against the known vulnerabilities that affect web applications, including file inclusion, SQL injection, cross-site scripting, and more.

In today’s world, more people than ever rely on connected infrastructure for everything from banking to remote working to communication. As a result, the threat posed by attacks such as XS-Leaks will only grow. By proactively defending against them, organizations are doing right by their users. It’s an investment that can’t fail to pay off.


