The “same-site” origin policy (SOP) is a critical piece of online security. While it’s not an internet standard, but rather a rule enforced by internet web browsers, it nonetheless serves to protect users from harm. Except, that is, when it’s circumvented.
In short, SOP controls which web pages are able to access data from other web pages. It means web browsers will allow scripts operating on one webpage to access data on another, but only if both hail from the same origin. For instance, websiteno1.org/example.html can access data on websiteno1.org/otherpage.html, but not from websiteno2.org/notthispage.html. This is done as a security precaution to protect against unauthorized cross-site access.
However, just like burglars wouldn’t necessarily give up at the sight of a closed door or shut window, so would-be cyber attackers try and find ways around SOP in order to carry out attacks. For those without a Web Application Firewall (WAF) for protection, the results can be extremely nasty.
What is an XS-Leak?
One example of an attack designed to circumvent SOP is what is known as an XS-Leak attack. These attacks target the side-channels on web platforms to surreptitiously steal user information from legitimate, trusted websites. This is done by inferring information based on tiny snippets of information exposed when webpages interact with one another.
XS-Leaks are similar to another attack called a Cross-Site Request Forgery (CSRF), except that – where CSRF lets other websites carry out actions on behalf of users – XS-Leaks are used for gathering information about users.
When a user interacts with a website, they have a “state,” used to reveal information such as whether or not they are logged in to a particular site. In addition, states can reveal information like premium membership or admin privileges. Attackers can use knowledge of these different states as part of an XS-Leak. That could share with them information about a user’s local environment, internal networks they’re connected to, or their data in other web applications. In the process, they can prove both a security risk (revealing network information) and a privacy risk (for instance, revealing a target’s sexual orientation.)
XS-Leak incidents have been around for at least two decades, but such attacks continue to show up. As a means to potentially deanonymize information about users in a world in which there’s more focus on privacy all the time, they have the potential to become a larger and larger part of the cyber attack landscape. They can be caused by everything from hardware bugs to browser APIs.
One recent attempt to expand awareness of XS-Leak attacks – and to categorize the various ways that they can happen – was carried out by security researchers from the Niederrhein University of Applied Sciences and Ruhr-Universität Bochum (RUB) in Germany. They discovered 14 novel types of XS-Leak able to be utilized against contemporary web browsers like Mozilla Firefox, Apple’s Safari, Microsoft Edge, and Google Chrome.
They then built a web application tool able to test a total of 34 XS-Leaks (including the 14 newly discovered ones they found) against 56 browser and operating system combinations to determine the vulnerability of each. Called XSinator.com, the freely available XS-Leak browser test suite lets users automatically scan for XS-Leaks vulnerabilities in their mobile or desktop browser with a single click.
It makes it easy to determine whether you are suffering from any vulnerabilities, with successful simulated attacks shown in red (to indicate warnings) and safe browsers shown in green (to indicate that they are safe.) The researchers say that this is part of their work to establish a “clear and systematic understanding” of the root cause of XS-Leak attacks.
Protecting against attacks
Protecting against XS-Leak vulnerabilities is something that every organization should do. Browser vendors are adding more features all the time that can help safeguard against these attacks. As one example, some browsers have begun to implement fetch metadata request headers, which can block certain requests according to their context.
One of the best measures that organizations can employ, however, is the use of a Web Application Firewall (WAF). These cutting edge firewalls work by using signature-based filtering to recognize and block malicious requests to safeguard against attacks such as XS-Leaks. By inspecting web traffic, they can also help protect more broadly against the known vulnerabilities that can affect web applications – which also includes file inclusion, SQL injections, cross-site scripting, and more.
In today’s world, more people than ever rely on connected infrastructure for everything from banking to remote working to communication. As a result, the threat caused by attacks such as XS-Leaks will only become greater. By proactively defending against them, organizations are doing right by their users. It’s an investment that can’t fail to pay off.
Antivirus software is not enough. Apex Technology Services used its decades of IT and cybersecurity
experience to create budget-friendly network security packages every company needs.
Please take a moment to fill out your information so we can contact you directly regarding your request.
The Future of Work: As the world continues to enter a digital age, more technology becomes available that can add ease and optimization to daily busin…
Attack simulation and assessment platform Cyber Front will help businesses and governments enhance their cybersecurity operational resilience.
Technology has become an essential part of our lives. We use it to communicate, learn, and entertain ourselves. As a tech engineer, it is vital to hav…
MindFly and EuroLeague will fit players with a MindFly AI-powered bodycam, letting fans watch, hear and experience everything their favorite player do…
Content creation is the foundation of any successful digital marketing campaign, but that doesn't mean it's easy.
The best digital marketing agenci…