Abstract
Cross-site search attacks allow a rogue website to expose private, sensitive user information from web applications. The attacker exploits timing and other side channels to extract the information, using cleverly designed cross-site queries.
In this work, we present a systematic approach to the study of cross-site search attacks. We begin with a comprehensive taxonomy, clarifying the relationships between different types of cross-site search attacks, as well as their relationships to other attacks. We then present, analyze, and compare cross-site search attacks: we present new attacks that are more efficient and can circumvent browser defenses, and compare them to already-published attacks. We developed and present a reproducibility framework, which allows the study and evaluation of different cross-site attacks and defenses.
We also discuss defenses against cross-site search attacks, for both browsers and servers. We argue that server-based defenses are essential, including restricting cross-site search requests.
Copyright information
© 2020 Springer Nature Switzerland AG
About this paper
Cite this paper
Meyuhas, B., Gelernter, N., Herzberg, A. (2020). Cross-Site Search Attacks: Unauthorized Queries over Private Data. In: Krenn, S., Shulman, H., Vaudenay, S. (eds) Cryptology and Network Security. CANS 2020. Lecture Notes in Computer Science(), vol 12579. Springer, Cham. https://doi.org/10.1007/978-3-030-65411-5_3
DOI: https://doi.org/10.1007/978-3-030-65411-5_3
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-65410-8
Online ISBN: 978-3-030-65411-5
eBook Packages: Computer Science (R0)