Learn To Protect Against XS-Leaks
Written by Nikos Vaggalis   
Thursday, 21 January 2021

There's a brand new Wiki by Google engineers that sets out to educate secuirity developers about cross-site leaks.

Announcing the launch of the new  XS-Leaks wiki on the Google Security blog, Information Security Engineers, Artur Janc and terjanq, comment: 

Increasingly, security issues discovered in modern web applications hinge upon the misuse of long-standing web platform behaviors, allowing unsavory sites to reveal information about the user or their data in other web applications. This class of issues, broadly referred to as cross-site leaks (XS-Leaks), poses interesting challenges for security engineers and web browser developers due to a diversity of attacks and the complexity of building comprehensive defenses.

The wiki itself tells us that:

Cross-site leaks (aka XS-Leaks, XSLeaks) are a class of vulnerabilities derived from side-channels  built into the web platform. They take advantage of the web’s core principle of composability, which allows websites to interact with each other, and abuse legitimate mechanisms to infer information about the user. 

The objective of the wiki is to elucidate the principles behind cross-site leaks, discuss common attacks, and propose defense mechanisms aimed at mitigating these attacks.

It is an open-knowledge base and ask for input from the community in order to be constantly updating and enriching its content. Contributions can happen with pull requests, direct edits and opening Github issues.

As to the material itself, there's two major categories, Attack and Defense.The makers of the wiki advocate that you should first understand how attacks are performed and then learn how to go about defending against them. After all if you want peace, study war...

As far as the Attacks go, we find information on:

  • XS-Search
  • postMessage Broadcasts
  • Frame Counting
  • Error Events etc

As far as the defensive measures go we find information on:

  • Cross-Origin Read Blocking
  • Strict Isolation Policy
  • Framing Protections,
  • SameSite Cookies
  • Cross-Origin-Opener-Policy
  • Cache Protections etc

Saying that, it's not your average information on XSS. The information here is specialized and mostly targets security developers. If on the other hand you are a "simple" developer who needs to understand XSS in layman's terms then it's better to opt for one of the resources I have outlined in the past ih:

XSS Hunter For Pentesting

Hacksplaining - Learn Through Hacking


More Information

XS-Leaks Wiki 

Related Articles

Sharpen Your Hacking Skills With CTFLearn

Carnegie Mellon CyLab Challenge: Learn Hacking At School

Tactical Pentesting With Burp Suite


To be informed about new articles on I Programmer, sign up for our weekly newsletter, subscribe to the RSS feed and follow us on Twitter, Facebook or Linkedin.


We Built A Software Engineer

One of the most worrying things about being a programmer today is the threat from AI. It has gone so far that NVIDA CEO Jensen Huang proclaims that you really shouldn't start training as a programmer  [ ... ]

Grafana 11 Improves Metrics

Grafana Labs, creators of the Grafana open-source metrics analytics and visualization suite, has announced the preview release of Grafana 11 with improvements to make it easier to view metrics, and ch [ ... ]

More News

raspberry pi books



or email your comment to: comments@i-programmer.info

Last Updated ( Thursday, 21 January 2021 )