CISPA
Browse
cispa_all_3892.pdf (470.29 kB)

The Leaky Web: Automated Discovery of Cross-Site Information Leaks in Browsers and the Web

Download (470.29 kB)
conference contribution
posted on 2023-11-29, 18:25 authored by Jannis RautenstrauchJannis Rautenstrauch, Giancarlo PellegrinoGiancarlo Pellegrino, Ben StockBen Stock
When browsing the web, none of us want sites to infer which other sites we may have visited before or are logged in to. However, attacker-controlled sites may infer this state through browser side-channels dubbed Cross-Site Leaks (XS-Leaks). Although these issues have been known since the 2000s, prior reports mostly found individual instances of issues rather than systematically studying the problem space. Further, actual impact in the wild often remained opaque. To address these open problems, we develop the first automated framework to systematically discover observation channels in browsers. In doing so, we detect and characterize 280 observation channels that leak information cross-site in the engines of Chromium, Firefox, and Safari, which include many variations of supposedly fixed leaks. Atop this framework, we create an automatic pipeline to find XS-Leaks in real-world websites. With this pipeline, we conduct the largest to-date study on XS-Leak prevalence in the wild by performing visit inference and a newly proposed variant cookie acceptance inference attack on the Tranco Top10K. In addition, we test 100 websites for the classic XS-Leak attack vector of login detection. Our results show that XS-Leaks pose a significant threat to the web ecosystem as at least 15%, 34%, and 77% of all tested sites are vulnerable to the three attacks. Also, we present substantial implementation differences between the browsers resulting in differing attack surfaces that matter in the wild. To ensure browser vendors and web developers alike can check their applications for XS-Leaks, we open-source our framework and include an extensive discussion on countermeasures to get rid of XS-Leaks in the near future and ensure new features in browsers do not introduce new XS-Leaks.

History

Preferred Citation

Jannis Rautenstrauch, Giancarlo Pellegrino and Ben Stock. The Leaky Web: Automated Discovery of Cross-Site Information Leaks in Browsers and the Web. In: IEEE Symposium on Security and Privacy (S&P). 2023.

Primary Research Area

  • Empirical and Behavioral Security

Name of Conference

IEEE Symposium on Security and Privacy (S&P)

Legacy Posted Date

2023-01-06

Open Access Type

  • Gold

BibTeX

@inproceedings{cispa_all_3892, title = "The Leaky Web: Automated Discovery of Cross-Site Information Leaks in Browsers and the Web", author = "Rautenstrauch, Jannis and Pellegrino, Giancarlo and Stock, Ben", booktitle="{IEEE Symposium on Security and Privacy (S&P)}", year="2023", }

Usage metrics

    Categories

    No categories selected

    Exports

    RefWorks
    BibTeX
    Ref. manager
    Endnote
    DataCite
    NLM
    DC