|Learn To Protect Against XS-Leaks|
|Written by Nikos Vaggalis|
|Thursday, 21 January 2021|
There's a brand new Wiki by Google engineers that sets out to educate secuirity developers about cross-site leaks.
Increasingly, security issues discovered in modern web applications hinge upon the misuse of long-standing web platform behaviors, allowing unsavory sites to reveal information about the user or their data in other web applications. This class of issues, broadly referred to as cross-site leaks (XS-Leaks), poses interesting challenges for security engineers and web browser developers due to a diversity of attacks and the complexity of building comprehensive defenses.
The wiki itself tells us that:
Cross-site leaks (aka XS-Leaks, XSLeaks) are a class of vulnerabilities derived from side-channels built into the web platform. They take advantage of the web’s core principle of composability, which allows websites to interact with each other, and abuse legitimate mechanisms to infer information about the user.
The objective of the wiki is to elucidate the principles behind cross-site leaks, discuss common attacks, and propose defense mechanisms aimed at mitigating these attacks.
It is an open-knowledge base and ask for input from the community in order to be constantly updating and enriching its content. Contributions can happen with pull requests, direct edits and opening Github issues.
As to the material itself, there's two major categories, Attack and Defense.The makers of the wiki advocate that you should first understand how attacks are performed and then learn how to go about defending against them. After all if you want peace, study war...
As far as the Attacks go, we find information on:
As far as the defensive measures go we find information on:
Saying that, it's not your average information on XSS. The information here is specialized and mostly targets security developers. If on the other hand you are a "simple" developer who needs to understand XSS in layman's terms then it's better to opt for one of the resources I have outlined in the past ih:
or email your comment to: email@example.com
|Last Updated ( Thursday, 21 January 2021 )|