Goedi02 experiments (#99)
* Update _index.md

Editorial pass

* Update portals.md

Editorial pass

* Update scroll-to-text-fragment.md

Editorial pass
goedi02 authored Dec 23, 2020
1 parent d4bcaae commit 336a12f
Showing 3 changed files with 10 additions and 10 deletions.
2 changes: 1 addition & 1 deletion content/docs/attacks/experiments/_index.md
Original file line number Diff line number Diff line change
Expand Up @@ -6,4 +6,4 @@ title: "Experiments"

# Experiments

This section presents XS-Leaks that affect experimental features. These features are usually hidden under a browser preference flag and its corresponding specification under active discussion. It's important to refer these features and follow their development since the early stages to prevent XS-Leaks from happening.
This section presents XS-Leaks that affect experimental features. Experimental features are usually hidden under a browser preference flag and their exact specification is under active discussion. It's important to be aware of these features and follow their development from the early stages of implementation to prevent XS-Leaks from happening.
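Review bot: style nit on the new line: "hidden under a browser preference flag" is less idiomatic than "hidden behind a browser preference flag", and "follow their development from the early stages of implementation" could be tightened to "follow their development from an early stage". Otherwise the rewrite reads well and keeps the original meaning.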
6 changes: 3 additions & 3 deletions content/docs/attacks/experiments/portals.md
Expand Up @@ -6,13 +6,13 @@ category = "Experiments"
menu = "main"
+++

[Portals](https://web.dev/hands-on-portals/) are a new feature of the web similar to `iframes` with more emphasis on speed and user experience. The [`portal`](https://web.dev/hands-on-portals/) element is only available on Chromium-based browsers under a preference flag. The corresponding [specification](https://wicg.github.io/portals/) is still under active discussion.
[Portals](https://web.dev/hands-on-portals/) are a new feature of the web which is similar to `iframes`, but with more emphasis on speed and user experience. The [`portal`](https://web.dev/hands-on-portals/) element is only available on Chromium-based browsers under a preference flag. The corresponding [specification](https://wicg.github.io/portals/) is still under active discussion.

Unfortunately, some research over this new feature found critical issues, including new XS-Leaks [^2].
Unfortunately, research of this new feature has discovered some critical issues, including new XS-Leaks [^2].

## ID Leaks

Portals can be abused as an alternative for the [ID Attribute XS-Leak]({{< ref "../id-attribute.md" >}}). If the website sets [framing protections]({{< ref "../../defenses/opt-in/xfo.md" >}}), the same technique can be applied using the `portal` element instead [^1].
Portals can be abused as an alternative to the [ID Attribute XS-Leak]({{< ref "../id-attribute.md" >}}). If a website sets [framing protections]({{< ref "../../defenses/opt-in/xfo.md" >}}), the same technique can be applied using the `portal` element instead [^1].

## References

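Review bot: in the second changed line, "research of this new feature" is still awkward; "research into this new feature" is the idiomatic form. A smaller nit on the first changed line: "a new feature of the web which is similar to `iframes`" would read more smoothly as "a new web feature similar to `iframes`". Unrelated to the editorial pass but visible in this hunk: both the "Portals" link and the "`portal`" element link point at the same web.dev article; the element name might better link to the WICG specification that the same paragraph already references.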
12 changes: 6 additions & 6 deletions content/docs/attacks/experiments/scroll-to-text-fragment.md
Expand Up @@ -15,27 +15,27 @@ Scroll to Text Fragment (STTF) is a new web platform feature that allows users t

## Expected & Discussed Issues

In early discussions for the specification of this feature it was shown that several XS-Leaks could be introduced with a naïve implementation [^1]. The specification considers various attack scenarios [^3], as does some research from Google [^4]. One possible XS-Leak browsers need to be aware of when implementing this feature is:
In early discussions regarding the specification of this feature it was shown that several XS-Leaks could be introduced with a naïve implementation [^1]. The specification considers various attack scenarios [^3], as does research from Google [^4]. One possible XS-Leak browsers need to be aware of when implementing this feature is:

- An attacker can, by embedding a page as an `iframe`, detect whether the page scrolled to the text by listening to the `onblur` of the parent document. This approach is similar to the [ID Attribute XS-Leak]({{< ref "id-attribute.md" >}}). This scenario is mitigated in the Chrome implementation [^5] as it only allows the fragment navigation to occur in top-level navigations.
- An attacker can, by embedding a page as an `iframe`, detect whether the page scrolled to the text by listening to the `onblur` event of the parent document. This approach is similar to the [ID Attribute XS-Leak]({{< ref "id-attribute.md" >}}). This scenario is mitigated in the Chrome implementation [^5], as it only allows fragment navigation to occur in top-level navigations.

## Current Issues

{{< hint warning >}}
These XS-Leaks require some type of markup injection on the target page.
{{< /hint >}}

During the development process of STTF new attacks and tricks to detect a fragment navigation were found. Some of them still work:
During the development process of STTF, new attacks and tricks to detect fragment navigation were found. Some of them still work:

- A web page that embeds an attacker-controlled `iframe` might allow the attacker to determine whether a scroll to the text has occurred. This can be done using the [`IntersectionObserver`](https://developer.mozilla.org/en-US/docs/Web/API/Intersection_Observer_API) API [^2] [^3] [^4].
- If a page contains images with [Lazy Loading](https://web.dev/native-lazy-loading/) an attacker might known if a fragment navigation that included an image occurred by checking whether it was [cached in the browser]({{< ref "../cache-probing.md" >}}). This occurs because [Lazy Loading](https://web.dev/native-lazy-loading/) images are only fetched (and cached) when they appear in the viewport.
- If a page contains images with [Lazy Loading](https://web.dev/native-lazy-loading/), an attacker can detect if fragment navigation that included an image occurred by checking whether the image was [cached in the browser]({{< ref "../cache-probing.md" >}}). This works because [Lazy Loading](https://web.dev/native-lazy-loading/) images are only fetched (and cached) when they appear in the viewport.

{{< hint important >}}
Scroll to Text Fragment is only available in Chrome. Its [draft](https://wicg.github.io/scroll-to-text-fragment/) specification is under active discussion.
{{< /hint >}}

{{< hint info >}}
Scroll to Text Fragment XS-Leaks allow attackers to extract 1 bit of information at a time as it's only possible to observe whether a single word exists on the page and only when a user performed some kind of interaction with the page (e.g. mouse click).
Scroll to Text Fragment XS-Leaks allow attackers to extract 1 bit of information at a time, as it's only possible to observe whether a single word exists on the page and only when a user performed some kind of interaction with the page (e.g. a mouse click).
{{< /hint >}}

## Why is this a problem?
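Review bot: the second changed bullet turns the original hedge "might know" into "can detect", which strengthens the claim; if that is intentional, fine, but note it also changes "whether a fragment navigation ... occurred" into "if fragment navigation ... occurred", and "whether" is the better choice for an indirect question, e.g. "an attacker can detect whether a fragment navigation that included an image occurred". In the info hint, "only when a user performed some kind of interaction" reads better as "only when a user has performed some kind of interaction".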
Expand All @@ -44,7 +44,7 @@ Attackers can abuse STTF to leak private information about the user that is disp

### Case Scenarios

- A user is logged in to their National Health System website, where it is possible to access information about the user's past diseases and health problems. An attacker can lure the user to one of their pages and use STTF to possibly infer the user's health details. For example an attacker would find out if the victim suffers from a disease if they detect a page scroll when searching for that disease name.
A user is logged in to their National Health System website, where it is possible to access information about the user's past diseases and health problems. An attacker can lure the user to one of their pages and use STTF to possibly infer the user's health details. For example, an attacker would find out that the victim suffers from a disease if they detect a page scroll when searching for that disease's name.


## References
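Review bot: this hunk drops the leading "- " from the only item under "### Case Scenarios", converting the bullet into a plain paragraph. If that is deliberate, fine, but the heading is plural and a list marker makes it easier to add further scenarios later; worth confirming the removal was intended rather than a paste slip. The wording changes themselves ("For example, an attacker would find out that the victim suffers from a disease ... that disease's name") are an improvement.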
