Learn To Protect Against XS-Leaks
Written by Nikos Vaggalis   
Thursday, 21 January 2021

There's a brand new Wiki by Google engineers that sets out to educate secuirity developers about cross-site leaks.

Announcing the launch of the new  XS-Leaks wiki on the Google Security blog, Information Security Engineers, Artur Janc and terjanq, comment: 

Increasingly, security issues discovered in modern web applications hinge upon the misuse of long-standing web platform behaviors, allowing unsavory sites to reveal information about the user or their data in other web applications. This class of issues, broadly referred to as cross-site leaks (XS-Leaks), poses interesting challenges for security engineers and web browser developers due to a diversity of attacks and the complexity of building comprehensive defenses.

The wiki itself tells us that:

Cross-site leaks (aka XS-Leaks, XSLeaks) are a class of vulnerabilities derived from side-channels  built into the web platform. They take advantage of the web’s core principle of composability, which allows websites to interact with each other, and abuse legitimate mechanisms to infer information about the user. 

The objective of the wiki is to elucidate the principles behind cross-site leaks, discuss common attacks, and propose defense mechanisms aimed at mitigating these attacks.

It is an open-knowledge base and ask for input from the community in order to be constantly updating and enriching its content. Contributions can happen with pull requests, direct edits and opening Github issues.

As to the material itself, there's two major categories, Attack and Defense.The makers of the wiki advocate that you should first understand how attacks are performed and then learn how to go about defending against them. After all if you want peace, study war...

As far as the Attacks go, we find information on:

  • XS-Search
  • postMessage Broadcasts
  • Frame Counting
  • Error Events etc

As far as the defensive measures go we find information on:

  • Cross-Origin Read Blocking
  • Strict Isolation Policy
  • Framing Protections,
  • SameSite Cookies
  • Cross-Origin-Opener-Policy
  • Cache Protections etc

Saying that, it's not your average information on XSS. The information here is specialized and mostly targets security developers. If on the other hand you are a "simple" developer who needs to understand XSS in layman's terms then it's better to opt for one of the resources I have outlined in the past ih:

XSS Hunter For Pentesting

Hacksplaining - Learn Through Hacking

 

More Information

XS-Leaks Wiki 

Related Articles

Sharpen Your Hacking Skills With CTFLearn

Carnegie Mellon CyLab Challenge: Learn Hacking At School

Tactical Pentesting With Burp Suite

 

To be informed about new articles on I Programmer, sign up for our weekly newsletter, subscribe to the RSS feed and follow us on, Twitter, Facebook or Linkedin.

Banner


Apache Gobblin Reaches Top Level Status
23/02/2021

Apache has announced that Gobblin, an open-source distributed data integration framework for making big data integration simpler, has reached top-level project status.



Rust Team Announces Rust Foundation
11/02/2021

The Rust Core team has announced the start of the active life of the Rust Foundation, a new independent non-profit organization to steward the Rust programming language and ecosystem. A major focus wi [ ... ]


More News

square

 



 

Comments




or email your comment to: comments@i-programmer.info

Last Updated ( Thursday, 21 January 2021 )