Learn To Protect Against XS-Leaks
Written by Nikos Vaggalis   
Thursday, 21 January 2021

There's a brand new Wiki by Google engineers that sets out to educate secuirity developers about cross-site leaks.

Announcing the launch of the new  XS-Leaks wiki on the Google Security blog, Information Security Engineers, Artur Janc and terjanq, comment: 

Increasingly, security issues discovered in modern web applications hinge upon the misuse of long-standing web platform behaviors, allowing unsavory sites to reveal information about the user or their data in other web applications. This class of issues, broadly referred to as cross-site leaks (XS-Leaks), poses interesting challenges for security engineers and web browser developers due to a diversity of attacks and the complexity of building comprehensive defenses.

The wiki itself tells us that:

Cross-site leaks (aka XS-Leaks, XSLeaks) are a class of vulnerabilities derived from side-channels  built into the web platform. They take advantage of the web’s core principle of composability, which allows websites to interact with each other, and abuse legitimate mechanisms to infer information about the user. 

The objective of the wiki is to elucidate the principles behind cross-site leaks, discuss common attacks, and propose defense mechanisms aimed at mitigating these attacks.

It is an open-knowledge base and ask for input from the community in order to be constantly updating and enriching its content. Contributions can happen with pull requests, direct edits and opening Github issues.

As to the material itself, there's two major categories, Attack and Defense.The makers of the wiki advocate that you should first understand how attacks are performed and then learn how to go about defending against them. After all if you want peace, study war...

As far as the Attacks go, we find information on:

  • XS-Search
  • postMessage Broadcasts
  • Frame Counting
  • Error Events etc

As far as the defensive measures go we find information on:

  • Cross-Origin Read Blocking
  • Strict Isolation Policy
  • Framing Protections,
  • SameSite Cookies
  • Cross-Origin-Opener-Policy
  • Cache Protections etc

Saying that, it's not your average information on XSS. The information here is specialized and mostly targets security developers. If on the other hand you are a "simple" developer who needs to understand XSS in layman's terms then it's better to opt for one of the resources I have outlined in the past ih:

XSS Hunter For Pentesting

Hacksplaining - Learn Through Hacking

 

More Information

XS-Leaks Wiki 

Related Articles

Sharpen Your Hacking Skills With CTFLearn

Carnegie Mellon CyLab Challenge: Learn Hacking At School

Tactical Pentesting With Burp Suite

 

To be informed about new articles on I Programmer, sign up for our weekly newsletter, subscribe to the RSS feed and follow us on Twitter, Facebook or Linkedin.

Banner


Facebook Open Sources Mariana Trench
15/10/2021

Facebook has open sourced Mariana Trench, a tool used at Facebook to identify and prevent security and privacy bugs in Android and Java applications.



Democratizing Spatial AI With OAK-D-Lite
29/09/2021

After its resounding success with a Kickstarter Campaign last year for OAK its Depth Sensing  AI Kit, OpenCV has returned with a new Kickstarter, this time for OAK-D-Lite, a smaller device t [ ... ]


More News

square

 



 

Comments




or email your comment to: comments@i-programmer.info

Last Updated ( Thursday, 21 January 2021 )