cispa_all_3329.pdf (385.71 kB)

Cross-Origin State Inference (COSI) Attacks: Leaking Web Site States through XS-Leaks

Download (385.71 kB)
conference contribution
posted on 2023-11-29, 18:14 authored by Avinash Sudhodanan, Soheil KhodayariSoheil Khodayari, Juan Caballero
In a Cross-Origin State Inference (COSI) attack, an attacker convinces a victim into visiting an attack web page, which leverages the cross-origin interaction features of the victim's web browser to infer the victim's state at a target web site. Multiple instances of COSI attacks have been found in the past under different names such as login detection or access detection attacks. But, those attacks only consider two states (e.g., logged in or not) and focus on a specific browser leak method (or XS-Leak). This work shows that mounting more complex COSI attacks such as deanonymizing the owner of an account, determining if the victim owns sensitive content, and determining the victim's account type often requires considering more than two states. Furthermore, robust attacks require supporting a variety of browsers since the victim's browser cannot be predicted apriori. To address these issues, we present a novel approach to identify and build complex COSI attacks that differentiate more than two states and support multiple browsers by combining multiple attack vectors, possibly using different XS-Leaks. To enable our approach, we introduce the concept of a COSI attack class. We propose two novel techniques to generalize existing COSI attack instances into COSI attack classes and to discover new COSI attack classes. We systematically apply our techniques to existing attacks, identifying 40 COSI attack classes. As part of this process, we discover a novel XS-Leak based on window.postMessage. We implement our approach into Basta-COSI, a tool to find COSI attacks in a target web site. We apply Basta-COSI to test four stand-alone web applications and 58 popular web sites, finding COSI attacks against each of them.


Preferred Citation

Avinash Sudhodanan, Soheil Khodayari and Juan Caballero. Cross-Origin State Inference (COSI) Attacks: Leaking Web Site States through XS-Leaks. In: Network and Distributed System Security Symposium (NDSS). 2020.

Primary Research Area

  • Empirical and Behavioral Security

Name of Conference

Network and Distributed System Security Symposium (NDSS)

Legacy Posted Date


Open Access Type

  • Green


@inproceedings{cispa_all_3329, title = "Cross-Origin State Inference (COSI) Attacks: Leaking Web Site States through XS-Leaks", author = "Sudhodanan, Avinash and Khodayari, Soheil and Caballero, Juan", booktitle="{Network and Distributed System Security Symposium (NDSS)}", year="2020", }

Usage metrics


    No categories selected


    Ref. manager