Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Abusing Slack’s file-sharing functionality to de-anonymise fellow workspace members

Julien Cretel, posted 4 years ago
  • Side channels are extremely hard to stop: from timing to power consumption, getting everything right is incredibly difficult. Even modern browsers still have exploitable ones lurking around.
  • The cornerstone of browser security is the Same-Origin Policy (SOP), which isolates resources between web origins. However, the barrier between origins is not as tight as we might think: in the land of side-channel attacks, working around the SOP to leak data across origins is known as cross-site leaks (XS-Leaks). The XS-Leaks wiki documents these techniques, which range from cross-site search (XS-Search) to counting the number of frames in a page.
  • Recently, the paper Leaky Images: Targeted Privacy Attacks in the Web went after de-anonymising users across origins via shared-resource functionality. It used the fact that a logged-in user with whom a file has been shared can view it, while other users are redirected elsewhere. By sharing a resource with a specific user, an attacker can learn whether someone visiting their site is that user.
  • The paper looked at images served behind cookie-based authentication; such image URLs now have to be properly signed.
  • Because each probe triggered a top-level navigation, the technique could only issue a single request. To de-anonymise a visitor from a whole group in reasonable time, though, many probes are needed, so the author had to find a way to block the top-level navigation while still extracting the access information. A GET-based HTML form submission counts as a top-level navigation and therefore carries cookies marked SameSite=Lax (unlike a cross-site subresource request such as an image load).
  • Additionally, they learned about the form-action Content Security Policy (CSP) directive; on Chromium-based browsers it is even enforced on redirects. With it, the two outcomes (a redirect versus a completed top-level navigation) can be told apart: the blocked redirect is reported through the securitypolicyviolation event, and the probe can be repeated multiple times.
  • This can be turned into a binary search, assuming that the visitor is a member of the workspace. For instance, share several files, each with a different group of members in Slack, and check whether the visitor has access to each one; by choosing the group memberships carefully, every member ends up with a distinct pattern of accessible files, so the responses fingerprint which user is on the page.
  • XS-Leaks are really crazy in practice but SO hard to pull off. This is a great article and I'm excited to see more like this in the future.
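The binary-search step above, as an added example that is not code from the original article, from Julien Cretel or from Slack. It models only the combinatorial part: each shared file is one probe answering "can the visitor access this file?", and with k files shared along the bits of each member's index, k probes distinguish up to 2^k - 1 members. The actual probe (GET form submission to the file URL, a form-action CSP that blocks the redirect, the securitypolicyviolation event signalling "no access") is abstracted as a hasAccess(file) oracle; the member names, file names and the simulated oracle are constructed for the demo.

```javascript
// Added example (not from the original post, not Slack's code): turning
// "share files with chosen groups" into a binary search over members.

// Constructed, hypothetical member list of the target workspace.
const MEMBERS = ["alice", "bob", "carol", "dave", "erin", "frank", "grace"];

// Number of files (probes) needed to encode indices 1..N.
// Index 0 is reserved for "matches nobody", so N+1 values must fit in k bits.
function filesNeeded(memberCount) {
  return Math.ceil(Math.log2(memberCount + 1));
}

// Sharing plan: file b is shared with every member whose 1-based index has
// bit b set. Starting at 1 guarantees that a real member always has at least
// one accessible file, so "no file accessible" never collides with a member.
function planShares(members) {
  const k = filesNeeded(members.length);
  const plan = [];
  for (let b = 0; b < k; b++) {
    const sharedWith = members.filter((_, i) => (((i + 1) >> b) & 1) === 1);
    plan.push({ file: `probe-file-${b}`, sharedWith }); // hypothetical file name
  }
  return plan;
}

// Decode the probe outcomes (outcomes[b] === true iff the visitor could access
// file b) back into a member. Returns null for index 0 or an out-of-range
// index: the visitor is not logged in, is not a member, or shares were changed.
function decode(members, outcomes) {
  let index = 0;
  outcomes.forEach((canAccess, b) => {
    if (canAccess) index |= 1 << b;
  });
  if (index === 0 || index > members.length) return null;
  return members[index - 1];
}

// Run the attack against an access oracle. In the real attack the oracle is
// the GET-form + CSP form-action probe described in the notes; here
// hasAccess(fileName) is a stand-in that simply returns true or false.
function identifyVisitor(members, hasAccess) {
  const plan = planShares(members);
  const outcomes = plan.map(({ file }) => hasAccess(file));
  return decode(members, outcomes);
}

// Constructed oracle simulating the file-sharing service for one visitor:
// a file is viewable only if it was shared with that visitor.
function makeOracle(plan, visitor) {
  const access = new Map(
    plan.map(({ file, sharedWith }) => [file, new Set(sharedWith)])
  );
  return (file) => access.has(file) && access.get(file).has(visitor);
}

// Demo: every member is identified with 3 probes; an outsider decodes to null.
const demoPlan = planShares(MEMBERS);
for (const visitor of [...MEMBERS, "outsider"]) {
  console.log(visitor, "->", identifyVisitor(MEMBERS, makeOracle(demoPlan, visitor)));
}
```

The plan is deterministic, so identifyVisitor can rebuild it from the member list rather than carrying it around; in a real run the attacker would instead store the file URLs they actually shared. The null result is the caveat from the notes made explicit: the fingerprint is only meaningful if the visitor is a logged-in member of the workspace.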