Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Cross Site Leaks Wiki (XSLeaks) - 335

xsleaks, posted 5 years ago
  • This is a wiki page dedicated to the side-channels built into the web. Besides the attack mechanisms, the defenses have just as many pages. I honestly did not know about half of these techniques and most of the mitigations!
  • The first (and most well-known) technique is XS Search. The attack uses timing measurements on a search query to determine whether any data was sent back. If so, keep going; otherwise, stop and try another letter. Instead of single letters, this can also be done with words and phrases.
  • Another attack is about using Error Handling for finding pages that are only available within an internal network.
  • Frame Counting is where the number of iframes on a page is counted. This can be useful for determining the state of a site if the number of iframes loaded depends on a GET parameter.
  • My favorite attack on the list is Cache Probing. The idea is that if somebody has visited a site, its content is cached in the web browser. So, by using timing differences or signals from the browser that the data is cached, which sites the user has visited can be determined. This is particularly useful for social media sites.
  • In terms of protections, a lot of these attacks are mitigated by the SameSite cookie attribute defaulting to Lax instead of None.
  • There are additional headers that can be used to prevent cross-site attacks, such as Cross-Origin-Resource-Policy, X-Frame-Options and Cross-Origin-Opener-Policy.
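As an added, defender-side illustration of the last two bullets (this is my own example, not code from the XSLeaks wiki or this post), the script below audits a captured HTTP response's headers for the mitigations named there: SameSite on every Set-Cookie, Cross-Origin-Resource-Policy, X-Frame-Options and Cross-Origin-Opener-Policy. The header dictionaries are constructed sample data. Beyond the bullets, it also accepts a CSP `frame-ancestors` directive as the modern equivalent of X-Frame-Options; that mapping is mine, not the post's.

```python
"""Audit HTTP response headers for the XSLeak mitigations discussed above.

Input: a dict mapping header names to a string or a list of strings
(Set-Cookie is commonly repeated, hence the list form).
Output: a list of human-readable findings; an empty list means every
checked mitigation is present.
"""


def _values(headers, name):
    """Return all values for a header, case-insensitively; repeated headers allowed."""
    out = []
    for key, value in headers.items():
        if key.lower() == name.lower():
            out.extend(value if isinstance(value, list) else [value])
    return out


def samesite_of(set_cookie):
    """Return (cookie_name, samesite) where samesite is lowercased or None if absent."""
    parts = set_cookie.split(";")
    cookie_name = parts[0].split("=", 1)[0].strip()
    samesite = None
    for attr in parts[1:]:
        key, _, value = attr.strip().partition("=")
        if key.lower() == "samesite":
            samesite = value.strip().lower()
    return cookie_name, samesite


def audit_xsleak_headers(headers):
    """Report which of the page's listed mitigations a response is missing."""
    findings = []

    # Cookies without SameSite=Lax/Strict ride along on cross-site requests,
    # which is what XS Search, error-handling and cache-probing leaks rely on.
    for set_cookie in _values(headers, "Set-Cookie"):
        name, samesite = samesite_of(set_cookie)
        if samesite not in ("lax", "strict"):
            shown = samesite or "missing (relies on browser default)"
            findings.append(
                f"cookie '{name}': SameSite={shown}; cross-site requests may carry it "
                f"(set SameSite=Lax or Strict)"
            )

    # CORP blocks other origins from loading this response as a subresource.
    corp = [v.strip().lower() for v in _values(headers, "Cross-Origin-Resource-Policy")]
    if not corp or corp[-1] not in ("same-origin", "same-site"):
        findings.append(
            "Cross-Origin-Resource-Policy: missing or cross-origin; other sites can "
            "embed this response as a subresource"
        )

    # Framing controls stop the page being loaded in an attacker-controlled iframe
    # (frame counting needs a window reference to the page).
    xfo = _values(headers, "X-Frame-Options")
    csp = " ".join(_values(headers, "Content-Security-Policy")).lower()
    if not xfo and "frame-ancestors" not in csp:
        findings.append(
            "X-Frame-Options (or CSP frame-ancestors) missing; page can be framed"
        )

    # COOP severs the window reference a cross-origin opener would otherwise keep.
    coop = [v.strip().lower() for v in _values(headers, "Cross-Origin-Opener-Policy")]
    if not coop or coop[-1] == "unsafe-none":
        findings.append(
            "Cross-Origin-Opener-Policy: missing or unsafe-none; cross-origin "
            "openers keep a window reference to this page"
        )

    return findings


# Constructed sample responses (not captured from any real site).
WEAK_RESPONSE = {
    "Content-Type": "text/html",
    "Set-Cookie": [
        "session=abc123; Path=/; Secure",          # no SameSite at all
        "theme=dark; SameSite=None; Secure",       # explicitly cross-site
    ],
}

HARDENED_RESPONSE = {
    "Content-Type": "text/html",
    "Set-Cookie": "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
    "Cross-Origin-Resource-Policy": "same-origin",
    "X-Frame-Options": "DENY",
    "Cross-Origin-Opener-Policy": "same-origin",
}


if __name__ == "__main__":
    for label, response in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(f"== {label} ==")
        for finding in audit_xsleak_headers(response) or ["no findings"]:
            print(" -", finding)
```

Running it against the weak response lists five findings (both cookies, CORP, framing, COOP); the hardened response produces none. The last value wins for CORP and COOP because a later header or proxy can override an earlier one, which is worth seeing in an audit.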