Eduardo' Vela" Nava (sirdarckcat) edited this page May 1, 2019 · 4 revisions

An assorted list of links and references, for recent proof of concepts see Real World Examples.

Network timing based attacks

Network-based attacks suffered from being slow, noisy, and often rate-limited by DoS protection.

2007 - In Exposing Private Information by Timing Web Applications, Andrew Bortz et al. describe an attack against web servers in which the time a site takes to respond to a request can be used to leak information (cross-site timing).

2009 - In Cross-domain search timing, Chris Evans explains how to time a site's response to figure out whether a user is logged in, and introduces the concept of cross-site search for the first time.

2015 - In Cross-Site Search Attacks - Technical Report, Nethanel Gelernter and Amir Herzberg describe the attack again, and present better attacks based on statistical tests, algorithms, and some application-specific behaviors.

Client-based attacks

Client-based attacks made these leaks far more accessible: they required significantly less time to perform, and were significantly more accurate and exploitable than their network-timing counterparts.

2013 - patrojk described how to figure out the identity of a Facebook user simply by checking the height/width of a Facebook image.

2015 - mala discovered a vulnerability in Flash that allowed the size of a response to be read cross-domain; this was reported to Flash and not fixed.

2015 - In The Clock is Still Ticking, Tom Van Goethem started looking at improvements to the attacks presented in XS-Search by abusing browser APIs.

2016 - In a follow-up blog post and presentation to the previous paper, Tom Van Goethem explained the attacks presented in more detail.

2016 - In the Request and Conquer paper, Tom Van Goethem explained the different types of information leaks and their vectors, which was followed by a whatwg discussion.

2016 - Nethanel Gelernter followed up with Advanced Cross Site Search, which described optimizations to the previous attacks based on "Second Order XS-Search".

(Annex) XSS Filters information leaks

Independently of the work above, there was also a lot of research into information leaks introduced by XSS filters. The connection to XS-Search was not made until 2018.

2013 - Emil Lerner found a bug that turned a false positive of Chrome's XSS auditor into a more powerful information leak. A similar, but more serious, bug was found soon after the fix.

2013 - In Hacking With XSS Auditor, Egor Homakov described a bug in Chrome that allowed redirect information to be disclosed.

2014 - In Information theft attacks abusing browser's XSS filter, Takeshi Terada described an attack to steal tokens from script elements by brute-forcing them.

2015 - In Abusing Chrome's XSS auditor to steal tokens, Gareth Heyes described a bug in Chrome that could be used to brute-force tokens.

2015 - In X-XSS-Nightmare: 1; mode=attack, Masato Kinugawa presented attacks against the IE XSS filter to steal content cross-domain.

2018 - In Exposing Intranets with reliable Browser-based Port scanning, Gareth Heyes presented a technique for detecting network error pages, which triggered a discussion on Twitter about the XSS auditor and XS-Search.

2019 - In XS-Search abusing the Chrome XSS Auditor, LiveOverflow described a challenge in the 35c3ctf inspired by XS-Search and the XSS auditor.