Learn To Protect Against XS-Leaks
Written by Nikos Vaggalis   
Thursday, 21 January 2021

There's a brand new wiki by Google engineers that sets out to educate security developers about cross-site leaks.

Announcing the launch of the new XS-Leaks wiki on the Google Security blog, Information Security Engineers Artur Janc and terjanq comment:

Increasingly, security issues discovered in modern web applications hinge upon the misuse of long-standing web platform behaviors, allowing unsavory sites to reveal information about the user or their data in other web applications. This class of issues, broadly referred to as cross-site leaks (XS-Leaks), poses interesting challenges for security engineers and web browser developers due to a diversity of attacks and the complexity of building comprehensive defenses.

The wiki itself tells us that:

Cross-site leaks (aka XS-Leaks, XSLeaks) are a class of vulnerabilities derived from side-channels  built into the web platform. They take advantage of the web’s core principle of composability, which allows websites to interact with each other, and abuse legitimate mechanisms to infer information about the user. 

The objective of the wiki is to elucidate the principles behind cross-site leaks, discuss common attacks, and propose defense mechanisms aimed at mitigating these attacks.

It is an open knowledge base that asks for input from the community so that its content is constantly updated and enriched. Contributions can be made through pull requests, direct edits and GitHub issues.

As to the material itself, there are two major categories, Attack and Defense. The makers of the wiki advocate that you should first understand how attacks are performed and then learn how to defend against them. After all, if you want peace, study war...

As far as the Attacks go, we find information on:

  • XS-Search
  • postMessage Broadcasts
  • Frame Counting
  • Error Events, etc.

As far as the defensive measures go we find information on:

  • Cross-Origin Read Blocking
  • Strict Isolation Policy
  • Framing Protections
  • SameSite Cookies
  • Cross-Origin-Opener-Policy
  • Cache Protections, etc.
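To give a feel for what several of those defensive measures look like on the wire, here is an added example (not code from the wiki or from Google) that audits a response's headers for Framing Protections, Cross-Origin-Opener-Policy, SameSite cookies and the nosniff header that Cross-Origin Read Blocking depends on. The mapping from header to defence is my own summary, and the two sample responses are constructed for the demonstration.

```javascript
// Added example, not code from the XS-Leaks wiki. The header-to-defence
// mapping below is this article's own summary of the listed defences.
function normalize(headers) {
  // Header names are case-insensitive; Set-Cookie may repeat, so values are arrays.
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    const key = name.toLowerCase();
    const list = Array.isArray(value) ? value : [value];
    out[key] = (out[key] || []).concat(list.map((v) => String(v).trim()));
  }
  return out;
}
// Framing Protections: X-Frame-Options DENY/SAMEORIGIN or a CSP frame-ancestors directive.
function hasFramingProtection(h) {
  const xfo = (h['x-frame-options'] || []).map((v) => v.toUpperCase());
  if (xfo.some((v) => v === 'DENY' || v === 'SAMEORIGIN')) return true;
  const csp = (h['content-security-policy'] || []).join(';');
  return /(^|;)\s*frame-ancestors\s+('none'|'self')/i.test(csp);
}
// COOP same-origin cuts the window reference a cross-origin opener would otherwise keep.
function hasCoop(h) {
  return (h['cross-origin-opener-policy'] || []).some((v) => /^same-origin(-allow-popups)?$/i.test(v));
}
// SameSite cookies: every cookie set must be Lax or Strict (a response setting none also passes).
function cookiesAreSameSite(h) {
  return (h['set-cookie'] || []).every((c) => /;\s*samesite=(lax|strict)\b/i.test(c));
}
// CORB relies on an accurate Content-Type; nosniff stops the browser from second-guessing it.
function hasNosniff(h) {
  return (h['x-content-type-options'] || []).some((v) => v.toLowerCase() === 'nosniff');
}
// Returns the names of the listed defences that this response does not carry.
function auditXsLeakDefenses(rawHeaders) {
  const h = normalize(rawHeaders);
  const checks = [
    ['Framing Protections', hasFramingProtection],
    ['Cross-Origin-Opener-Policy', hasCoop],
    ['SameSite Cookies', cookiesAreSameSite],
    ['Cross-Origin Read Blocking (nosniff)', hasNosniff],
  ];
  return checks.filter(([, ok]) => !ok(h)).map(([name]) => name);
}
// Constructed sample responses: a typical unhardened one and a hardened one.
const weakResponse = { 'Content-Type': 'text/html', 'Set-Cookie': 'session=abc; HttpOnly' };
const hardenedResponse = {
  'Content-Type': 'text/html',
  'X-Content-Type-Options': 'nosniff',
  'Cross-Origin-Opener-Policy': 'same-origin',
  'Content-Security-Policy': "default-src 'self'; frame-ancestors 'none'",
  'Set-Cookie': ['session=abc; HttpOnly; Secure; SameSite=Lax', 'theme=dark; SameSite=Strict'],
};
console.log(auditXsLeakDefenses(weakResponse), auditXsLeakDefenses(hardenedResponse));
```

Run against a real response, the audit only says which of these headers are absent; whether each defence is the right one for a given endpoint is exactly the judgement the wiki's Defense section is there to inform.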

That said, it's not your average information on XSS. The information here is specialized and mostly targets security developers. If on the other hand you are a "simple" developer who needs to understand XSS in layman's terms, then it's better to opt for one of the resources I have outlined in the past in:

XSS Hunter For Pentesting

Hacksplaining - Learn Through Hacking


More Information

XS-Leaks Wiki 



Last Updated ( Thursday, 21 January 2021 )