cross origin state inference cosi attacks your browser is
play

Cross-Origin State Inference (COSI) Attacks: Your Browser is Leaking - PowerPoint PPT Presentation

Feb 12, 2024 •215 likes •767 views

Cross-Origin State Inference (COSI) Attacks: Your Browser is Leaking Your Secrets Avinash Sudhodanan Soheil Khodayari Juan Caballero 24/02/2020, NDSS 2020 COSI Attack A malicious web site infers the state of a user (the victim) at another web

  1. Cross-Origin State Inference (COSI) Attacks: Your Browser is Leaking Your Secrets Avinash Sudhodanan Soheil Khodayari Juan Caballero 24/02/2020, NDSS 2020

  2. COSI Attack A malicious web site infers the state of a user (the victim) at another web site Alice (victim) 2

  3. COSI Attack A malicious web site infers the state of a user (the victim) at another web site Alice (victim) Web Browser 3

  4. COSI Attack A malicious web site infers the state of a user (the victim) at another web site foo.hotcrp.com Alice (victim) Web Browser 4

  5. COSI Attack A malicious web site infers the state of a user (the victim) at another web site foo.hotcrp.com Paper Paper Alice #278 #997 (victim) Web Browser 5

  6. COSI Attack A malicious web site infers the state of a user (the victim) at another web site foo.hotcrp.com Paper Paper Alice #278 #997 (victim) Malice (Attacker) Web Browser 6

  7. COSI Attack A malicious web site infers the state of a user (the victim) at another web site foo.hotcrp.com Paper Paper Alice #278 #997 (victim) Malice (Attacker) Web Browser 7

  8. COSI Attack A malicious web site infers the state of a user (the victim) at another web site foo.hotcrp.com Paper Paper Alice #278 #997 (victim) Hi Alice, Click here to finalize Malice your reviews for FOO (Attacker) con Web Browser 8

  9. COSI Attack A malicious web site infers the state of a user (the victim) at another web site foo.hotcrp.com Paper Paper Alice #278 #997 (victim) mal-site.com Hi Alice, Click here to finalize Malice your reviews for FOO (Attacker) con Web Browser 9

  10. COSI Attack A malicious web site infers the state of a user (the victim) at another web site foo.hotcrp.com Paper Paper Alice infer state #278 #997 (victim) mal-site.com Hi Alice, Click here to finalize Malice your reviews for FOO (Attacker) con Web Browser 10

  11. COSI Attack A malicious web site infers the state of a user (the victim) at another web site foo.hotcrp.com What does it mean by inferring Paper Paper state at foo.hotcrp.com Alice infer state #278 #997 (victim) mal-site.com Hi Alice, Click here to finalize Malice your reviews for FOO (Attacker) con Web Browser 11

  12. States foo.hotcrp.com mal-site.com COSI Attack: infer state ● Attacker’s goal: infer states ● Known by different names Alice (victim) Web Browser Login Detection, Login Logged In Logged Out Login Oracle Account Type Reviewer Author Admin Owns a review of Does not own a review of Content Ownership paper #278 paper #278 Owns the account Does not own the account Account Ownership Deanonymization user217 user217 12

  13. State-dependent URLs (SD-URLs) URLs returning different responses depending on the requesting browser’s state SD-URL : https://foo.hotcrp.com/api.php/review?p=278 13

  14. State-dependent URLs (SD-URLs) URLs returning different responses depending on the requesting browser’s state SD-URL : https://foo.hotcrp.com/api.php/review?p=278 State Response 14

  15. State-dependent URLs (SD-URLs) URLs returning different responses depending on the requesting browser’s state SD-URL : https://foo.hotcrp.com/api.php/review?p=278 State Response Logged In Reviewer Reviews paper #278 15

  16. State-dependent URLs (SD-URLs) URLs returning different responses depending on the requesting browser’s state SD-URL : https://foo.hotcrp.com/api.php/review?p=278 State Response code = 200 Logged In Reviewer Reviews paper #278 16

  17. State-dependent URLs (SD-URLs) URLs returning different responses depending on the requesting browser’s state SD-URL : https://foo.hotcrp.com/api.php/review?p=278 State Response code = 200 Logged In Reviewer Reviews paper #278 code = 403 Logged In Reviewer Not review paper #278 17

  18. State-dependent URLs (SD-URLs) foo.hotcrp.com mal-site.com infer state foo.hotcrp.com/api.php/review?p=278 State-dependent response SOP Alice (victim) foo.hotcrp.com Web Browser SD-URL : https://foo.hotcrp.com/api.php/review?p=278 State Response code = 200 Logged In Reviewer Reviews paper #278 code = 403 Logged In Reviewer Not review paper #278 18

  19. XS-Leaks Browser side-channels for inferring the response of cross-origin requests Leak Type References Events-Fired [Grossman2006Blog, Goethem2015CCS, Cardwell2011Blog, ..] Object-Properties [Grossman2012Blog, Schwenk2017USENIX, Masas2018Blog..] JS-Error [Grossman2006Blog, Shiflett2006Blog] CSS-Properties [Evans2008Blog] CSP-Violation [Homakov2013Blog, Gulyas2018WPES] Timing [Bortz2007WWW, Evans2009Blog, Goethem2015CCS, ..] AppCache [Lee2015NDSS] 19

  20. Events Fired XS-Leak foo.hotcrp.com mal-site.com <embed infer state foo.hotcrp.com/api.php/review?p=278 src= SD-URL onload=revwr() code = 200 Alice (victim) onerror=notRevwr() > foo.hotcrp.com Web Browser SD-URL : https://foo.hotcrp.com/api.php/review?p=278 State Response code = 200 Logged In Reviewer Reviews paper #278 code = 403 Logged In Reviewer Not review paper #278 20

  21. Events Fired XS-Leak foo.hotcrp.com mal-site.com <embed infer state foo.hotcrp.com/api.php/review?p=278 src= SD-URL onload=revwr() code = 403 Alice (victim) onerror=notRevwr() > foo.hotcrp.com Web Browser SD-URL : https://foo.hotcrp.com/api.php/review?p=278 State Response code = 200 Logged In Reviewer Reviews paper #278 code = 403 Logged In Reviewer Not review paper #278 21

  22. Multiple States, Same Response SD-URL : https://foo.hotcrp.com/api.php/review?p=278 State Response code = 200 Logged In Reviewer Reviews paper #278 code = 403 Logged In Reviewer Not review paper #278 22

  23. Multiple States, Same Response SD-URL : https://foo.hotcrp.com/api.php/review?p=278 State Response code = 200 Logged In Reviewer Reviews paper #278 code = 403 Logged In Reviewer Not review paper #278 code = 200 Logged Out 23

  24. Multiple States, Same Response foo.hotcrp.com mal-site.com <embed infer state foo.hotcrp.com/api.php/review?p=278 src= SD-URL onload=revwr() Response Alice (victim) onerror=notRevwr() > foo.hotcrp.com Web Browser SD-URL : https://foo.hotcrp.com/api.php/review?p=278 State Response code = 200 Logged In Reviewer Reviews paper #278 code = 403 Logged In Reviewer Not review paper #278 code = 200 Logged Out 24

  25. Same Attack Payload, Browser-specific Behavior The same XS-Leak payload may work differently on different browsers foo.hotcrp.com mal-site.com <embed infer state foo.hotcrp.com/api.php/review?p=278 src= SD-URL onload=revwr() 200 Alice (victim) onerror=notRevwr() > foo.hotcrp.com foo.hotcrp.com mal-site.com <link infer state foo.hotcrp.com/api.php/review?p=278 href= SD-URL onload=revwr() 200 onerror=notRevwr() Alice (victim) rel = stylesheet> foo.hotcrp.com 25

  26. Attack Classes 26

  27. Attack Classes Name : 27

  28. Attack Classes Name SD-URL Responses Response A Response B : 28

  29. Attack Classes Name SD-URL Responses XS-Leak Response A Response B Inclusion Manifest. : 29

  30. Attack Classes Name SD-URL Responses XS-Leak Browser Support Response A Response B Inclusion Manifest. Chrome Firefox Edge : 30

  31. Attack Classes Name SD-URL Responses XS-Leak Browser Support Response A Response B Inclusion Manifest. Chrome Firefox Edge ✓ ✓ ✓ EF- code = 200 code = 4xx || 5xx <script> onload / StatusErro content-type = onerror rScript text/javascript : 31

  32. Attack Classes Name SD-URL Responses XS-Leak Browser Support Response A Response B Inclusion Manifest. Chrome Firefox Edge ✓ ✓ ✓ EF- code = 200 code = 4xx || 5xx <script> onload / StatusErro content-type = onerror rScript text/javascript : 32

  33. Attack Classes Name SD-URL Responses XS-Leak Browser Support Response A Response B Inclusion Manifest. Chrome Firefox Edge ✓ ✓ ✓ EF- code = 200 code = 4xx || 5xx <script> onload / StatusErro content-type = onerror rScript text/javascript ● 40 attack classes ● 21 new attack classes ● 1 completely novel XS-Leak (based on postMessage API) 33

  34. New XS-Leak: postMessage broadcasts ● SD-URL property State Response A Broadcasts message “x” B Broadcasts message “y” foo.hotcrp.com mal-site.com infer state window.open(SDURL) Alice (victim) 34

  35. New XS-Leak: postMessage broadcasts ● SD-URL property State Response A Broadcasts message “x” B Broadcasts message “y” foo.hotcrp.com mal-site.com mal-site.com infer state window.open(SDURL) postmessage(“x”, *) Alice (victim) 35

  36. New XS-Leak: postMessage broadcasts ● SD-URL property State Response A Broadcasts message “x” B Broadcasts message “y” foo.hotcrp.com mal-site.com mal-site.com infer state window.open(SDURL) state = A if rcvMsg === “x”{ postmessage(“x”, *) state = “A” Alice (victim) } 36

Recommend

I Know Where Youve Been: ! Geo-Inference Attacks via the Browser Cache ! Yaoqi Jia Yaoqi Jia

I Know Where Youve Been: ! Geo-Inference Attacks via the Browser Cache ! Yaoqi Jia Yaoqi Jia

I Know Where Youve Been: ! Geo-Inference Attacks via the Browser Cache ! Yaoqi Jia Yaoqi Jia , Xinshu Dong , Zhenkai Liang , Prateek Saxena ! School of Computing, National University of Singapore ! Advanced Digital

496 views • 28 slides
WEB AND BROWSER SECURITY Ben Livshits, Microsoft Research Web Application Vulnerabilities &amp;

WEB AND BROWSER SECURITY Ben Livshits, Microsoft Research Web Application Vulnerabilities &amp;

WEB AND BROWSER SECURITY Ben Livshits, Microsoft Research Web Application Vulnerabilities &amp; Defenses 2 Server-side woes Browser mechanisms: Same origin SQL injection Cross-domain request XSS overview Content

738 views • 50 slides
2007 Self morphing viruses 2009 - The Zeus virus Man in the browser attacks no

2007 Self morphing viruses 2009 - The Zeus virus Man in the browser attacks no

2007 Self morphing viruses 2009 - The Zeus virus Man in the browser attacks no browser is safe 2011 300% increase in cyber attacks Who they are Why they do it Who are the targets Our filter processes 3 billion

407 views • 17 slides
Cross-Site Scripting (XSS) Professor Larry Heimann Web Application Security Information Systems

Cross-Site Scripting (XSS) Professor Larry Heimann Web Application Security Information Systems

Cross-Site Scripting (XSS) Professor Larry Heimann Web Application Security Information Systems Browser same origin policy Key security principle: a web browser permits scripts contained in a first web page to access data in a second web page,

358 views • 22 slides
Cross-Site Scripting (XSS) Professor Larry Heimann Web Application Security Information Systems

Cross-Site Scripting (XSS) Professor Larry Heimann Web Application Security Information Systems

Cross-Site Scripting (XSS) Professor Larry Heimann Web Application Security Information Systems Browser same origin policy Key security principle: a web browser permits scripts contained in a first web page to access data in a second web page,

1.12k views • 25 slides
Understanding and Combating Man-in-the- Browser Attacks 22 nd Annual FIRST Conference 16 June

Understanding and Combating Man-in-the- Browser Attacks 22 nd Annual FIRST Conference 16 June

Understanding and Combating Man-in-the- Browser Attacks 22 nd Annual FIRST Conference 16 June 2010 Jason Milletary Topics What is a Man-in-the-Browser Attack? How are they used? How can I identify and mitigate when they are

207 views • 18 slides
Corey Clark PhD Daniel Montgomery Web Dev Platform Cross Cross Platform Browser HTML5 Web

Corey Clark PhD Daniel Montgomery Web Dev Platform Cross Cross Platform Browser HTML5 Web

Corey Clark PhD Daniel Montgomery Web Dev Platform Cross Cross Platform Browser HTML5 Web Web WebGL Socket Worker Optimized Parallel Hardware Communication Acceleration Processing Channel Web Workers JaHOVA OS Internal APIs

957 views • 38 slides
CROSS SITE SCRIPTING (XSS) ATTACKS Injection attacks 3/18/19 1 Whoami Ad Adam Nu Nurudin

CROSS SITE SCRIPTING (XSS) ATTACKS Injection attacks 3/18/19 1 Whoami Ad Adam Nu Nurudin

CROSS SITE SCRIPTING (XSS) ATTACKS Injection attacks 3/18/19 1 Whoami Ad Adam Nu Nurudin ini CEH, ITIL L V3, 3, CCNA, CCNP, CASP, PCI-DS DSS.. .. Lead Security Researcher @ Netwatch Technologies Project Consultant, Information

377 views • 20 slides
CSE392/ISE331 Attacks against the client-side of web applications Nick Nikiforakis

CSE392/ISE331 Attacks against the client-side of web applications Nick Nikiforakis

CSE392/ISE331 Attacks against the client-side of web applications Nick Nikiforakis nick@cs.stonybrook.edu Despite the same origin policy Many things can go wrong at the client-side of a web application Popular attacks Cross-site

266 views • 15 slides
Kicking Down the Cross Domain Door Techniques for Cross Domain Exploitation Billy K Rios (BK) and

Kicking Down the Cross Domain Door Techniques for Cross Domain Exploitation Billy K Rios (BK) and

Kicking Down the Cross Domain Door Techniques for Cross Domain Exploitation Billy K Rios (BK) and Raghav Dube Tabbed Browsing Rich Content Mash-ups Cookies JSON Ajax Implication of Cross Domain Attacks Implication of Cross Domain Attacks

580 views • 31 slides
A Non-Inclusive Memory Permissions Architecture for Protection Against Cross-Layer Attacks Jesse

A Non-Inclusive Memory Permissions Architecture for Protection Against Cross-Layer Attacks Jesse

A Non-Inclusive Memory Permissions Architecture for Protection Against Cross-Layer Attacks Jesse Elwell 1 Ryan Riley 2 Nael Abu-Ghazaleh 1 Dmitry Ponomarev 1 1 State University of New York at Binghamton Department of Computer Science 2 Qatar

872 views • 76 slides
Cashing out the Great Cannon? On Browser-based DDoS Attacks and Economics G. Pellegrino (1) , C.

Cashing out the Great Cannon? On Browser-based DDoS Attacks and Economics G. Pellegrino (1) , C.

Cashing out the Great Cannon? On Browser-based DDoS Attacks and Economics G. Pellegrino (1) , C. Rossow (1) , F. J. Ryba (2) , T. C. Schmidt (3) , M. Whlisch (2) (1) CISPA / MMCI, Saarland University (2) Freie Universitt Berlin (3) HAW Hamburg

520 views • 36 slides
Agenda Technical background ! Same-Origin Policy ! Compression-based attacks !

Agenda Technical background ! Same-Origin Policy ! Compression-based attacks !

H TTP ! E ncrypted ! I nformation can be ! S tolen through ! T CP-windows by ! Mathy Vanhoef &amp; Tom Van Goethem Agenda Technical background ! Same-Origin Policy ! Compression-based attacks ! SSL/TLS &amp; TCP ! Nitty gritty

804 views • 51 slides
Website fingerprinting attacks against Tor Browser Bundle: a comparison between HTTP/1.1 and

Website fingerprinting attacks against Tor Browser Bundle: a comparison between HTTP/1.1 and

Tor website fingerprinting Website fingerprinting attacks against Tor Browser Bundle: a comparison between HTTP/1.1 and HTTP/2 T.T.N. Marks BSc. K.C.N. Halvemaan BSc. University of Amsterdam System and Network Engineering Research Project #1

664 views • 32 slides
Browser Storage Andrew Sutherland Mozilla DOM Team Current Cross-Browser Storage APIs

Browser Storage Andrew Sutherland Mozilla DOM Team Current Cross-Browser Storage APIs

Browser Storage Andrew Sutherland Mozilla DOM Team Current Cross-Browser Storage APIs Cookies: Synchronous, Strings, Hard Storage Cap LocalStorage: Synchronous, Strings, Hard Storage Cap IndexedDB: Asynchronous, Structured

481 views • 7 slides
Cross-Site Scripting Attack (XSS) Outline The Cross-Site Scripting attack Reflected

Cross-Site Scripting Attack (XSS) Outline The Cross-Site Scripting attack Reflected

Cross-Site Scripting Attack (XSS) Outline The Cross-Site Scripting attack Reflected XSS Persistent XSS Damage done by XSS attacks XSS attacks to befriend with others XSS attacks to change other peoples

3.65k views • 37 slides
Privacy Leakage Attacks in Browser by Colluding Extensions Presentation by Anil Saini 1 , Manoj

Privacy Leakage Attacks in Browser by Colluding Extensions Presentation by Anil Saini 1 , Manoj

Privacy Leakage Attacks in Browser by Colluding Extensions Presentation by Anil Saini 1 , Manoj Singh Gaur 1 , Vijay Laxmi 1 , Tushar Singhal 1 , Mauro Conti 2 1 Malaviya National Institute of Technology, Jaipur, India 2 University of Padua, Italy

882 views • 58 slides
Security Signature Inference for JavaScript-based Browser Addons Vineeth Kashyap , Ben Hardekopf

Security Signature Inference for JavaScript-based Browser Addons Vineeth Kashyap , Ben Hardekopf

Security Signature Inference for JavaScript-based Browser Addons Vineeth Kashyap , Ben Hardekopf University of California Santa Barbara CGO 2014 1 JavaScript-based Browser Addons 2 Addons: JavaScript with High Privileges 3

898 views • 56 slides
Inference attacks on location data S ebastien Gambs Universit e du Qu ebec ` a Montr

Inference attacks on location data S ebastien Gambs Universit e du Qu ebec ` a Montr

Inference attacks on location data S ebastien Gambs Universit e du Qu ebec ` a Montr eal (UQAM), Canada gambs.sebastien@uqam.ca 17 July 2017 S ebastien Gambs Inference attacks on location data 1 Location-based services (LBSs)

524 views • 30 slides
jsprobes cross-platform browser instrumentation using JavaScript Brian Burg (@brrian /

jsprobes cross-platform browser instrumentation using JavaScript Brian Burg (@brrian /

jsprobes cross-platform browser instrumentation using JavaScript Brian Burg (@brrian / burg@cs.uw.edu) Background: browser research template 1 2 3

781 views • 23 slides
Physics Animations that Run in a Web Browser Workshop Agenda IWP Origin Story www.iwphys.org

Physics Animations that Run in a Web Browser Workshop Agenda IWP Origin Story www.iwphys.org

Interactive Web Physics Physics Animations that Run in a Web Browser Workshop Agenda IWP Origin Story www.iwphys.org IWP Animation Library Connectivity Workshop Agenda 2 Steps to Create a Simple Animation Setting up Inputs Setting up Solids

555 views • 38 slides
MitM attacks on sessions t attac s o sess o s sws2 1 MitM (Man-in-the-Middle)attacks ( )

MitM attacks on sessions t attac s o sess o s sws2 1 MitM (Man-in-the-Middle)attacks ( )

Software and Web Security 2 MitM attacks on sessions t attac s o sess o s sws2 1 MitM (Man-in-the-Middle)attacks ( ) MitM attack: attacker gets between the browser and the web server, eg eg by setting up a wifi access point

345 views • 9 slides
No Pardon for the Interruption: New Inference Attacks on Android Through Interrupt Timing

No Pardon for the Interruption: New Inference Attacks on Android Through Interrupt Timing

IEEE S&amp;P 2016 No Pardon for the Interruption: New Inference Attacks on Android Through Interrupt Timing Analysis May 24, 2016 Wenrui Diao , Xiangyu Liu, Zhou Li, and Kehuan Zhang 2/18 Motivation -- Hardware and Kernel Mobile platform

700 views • 21 slides
A8: Cross-site Request Forgery (CSRF) A8: Cross-site Request Forgery (CSRF) XSS Trick

A8: Cross-site Request Forgery (CSRF) A8: Cross-site Request Forgery (CSRF) XSS Trick

A8: Cross-site Request Forgery (CSRF) A8: Cross-site Request Forgery (CSRF) XSS Trick browser to execute code without user knowledge CSRF Trick browser to access sensitive pages without user knowledge CSRF Vulnerability Pattern

284 views • 11 slides

More recommend