cross origin state inference cosi attacks your browser is
play

Cross-Origin State Inference (COSI) Attacks: Your Browser is Leaking - PowerPoint PPT Presentation

Feb 12, 2024 •215 likes •767 views

Cross-Origin State Inference (COSI) Attacks: Your Browser is Leaking Your Secrets Avinash Sudhodanan Soheil Khodayari Juan Caballero 24/02/2020, NDSS 2020 COSI Attack A malicious web site infers the state of a user (the victim) at another web

  1. Cross-Origin State Inference (COSI) Attacks: Your Browser is Leaking Your Secrets Avinash Sudhodanan Soheil Khodayari Juan Caballero 24/02/2020, NDSS 2020

  2. COSI Attack A malicious web site infers the state of a user (the victim) at another web site Alice (victim) 2

  3. COSI Attack A malicious web site infers the state of a user (the victim) at another web site Alice (victim) Web Browser 3

  4. COSI Attack A malicious web site infers the state of a user (the victim) at another web site foo.hotcrp.com Alice (victim) Web Browser 4

  5. COSI Attack A malicious web site infers the state of a user (the victim) at another web site foo.hotcrp.com Paper Paper Alice #278 #997 (victim) Web Browser 5

  6. COSI Attack A malicious web site infers the state of a user (the victim) at another web site foo.hotcrp.com Paper Paper Alice #278 #997 (victim) Malice (Attacker) Web Browser 6

  7. COSI Attack A malicious web site infers the state of a user (the victim) at another web site foo.hotcrp.com Paper Paper Alice #278 #997 (victim) Malice (Attacker) Web Browser 7

  8. COSI Attack A malicious web site infers the state of a user (the victim) at another web site foo.hotcrp.com Paper Paper Alice #278 #997 (victim) Hi Alice, Click here to finalize Malice your reviews for FOO (Attacker) con Web Browser 8

  9. COSI Attack A malicious web site infers the state of a user (the victim) at another web site foo.hotcrp.com Paper Paper Alice #278 #997 (victim) mal-site.com Hi Alice, Click here to finalize Malice your reviews for FOO (Attacker) con Web Browser 9

  10. COSI Attack A malicious web site infers the state of a user (the victim) at another web site foo.hotcrp.com Paper Paper Alice infer state #278 #997 (victim) mal-site.com Hi Alice, Click here to finalize Malice your reviews for FOO (Attacker) con Web Browser 10

  11. COSI Attack A malicious web site infers the state of a user (the victim) at another web site foo.hotcrp.com What does it mean by inferring Paper Paper state at foo.hotcrp.com Alice infer state #278 #997 (victim) mal-site.com Hi Alice, Click here to finalize Malice your reviews for FOO (Attacker) con Web Browser 11

  12. States foo.hotcrp.com mal-site.com COSI Attack: infer state ● Attacker’s goal: infer states ● Known by different names Alice (victim) Web Browser Login Detection, Login Logged In Logged Out Login Oracle Account Type Reviewer Author Admin Owns a review of Does not own a review of Content Ownership paper #278 paper #278 Owns the account Does not own the account Account Ownership Deanonymization user217 user217 12

  13. State-dependent URLs (SD-URLs) URLs returning different responses depending on the requesting browser’s state SD-URL : https://foo.hotcrp.com/api.php/review?p=278 13

  14. State-dependent URLs (SD-URLs) URLs returning different responses depending on the requesting browser’s state SD-URL : https://foo.hotcrp.com/api.php/review?p=278 State Response 14

  15. State-dependent URLs (SD-URLs) URLs returning different responses depending on the requesting browser’s state SD-URL : https://foo.hotcrp.com/api.php/review?p=278 State Response Logged In Reviewer Reviews paper #278 15

  16. State-dependent URLs (SD-URLs) URLs returning different responses depending on the requesting browser’s state SD-URL : https://foo.hotcrp.com/api.php/review?p=278 State Response code = 200 Logged In Reviewer Reviews paper #278 16

  17. State-dependent URLs (SD-URLs) URLs returning different responses depending on the requesting browser’s state SD-URL : https://foo.hotcrp.com/api.php/review?p=278 State Response code = 200 Logged In Reviewer Reviews paper #278 code = 403 Logged In Reviewer Not review paper #278 17

  18. State-dependent URLs (SD-URLs) foo.hotcrp.com mal-site.com infer state foo.hotcrp.com/api.php/review?p=278 State-dependent response SOP Alice (victim) foo.hotcrp.com Web Browser SD-URL : https://foo.hotcrp.com/api.php/review?p=278 State Response code = 200 Logged In Reviewer Reviews paper #278 code = 403 Logged In Reviewer Not review paper #278 18

  19. XS-Leaks Browser side-channels for inferring the response of cross-origin requests Leak Type References Events-Fired [Grossman2006Blog, Goethem2015CCS, Cardwell2011Blog, ..] Object-Properties [Grossman2012Blog, Schwenk2017USENIX, Masas2018Blog..] JS-Error [Grossman2006Blog, Shiflett2006Blog] CSS-Properties [Evans2008Blog] CSP-Violation [Homakov2013Blog, Gulyas2018WPES] Timing [Bortz2007WWW, Evans2009Blog, Goethem2015CCS, ..] AppCache [Lee2015NDSS] 19

  20. Events Fired XS-Leak foo.hotcrp.com mal-site.com <embed infer state foo.hotcrp.com/api.php/review?p=278 src= SD-URL onload=revwr() code = 200 Alice (victim) onerror=notRevwr() > foo.hotcrp.com Web Browser SD-URL : https://foo.hotcrp.com/api.php/review?p=278 State Response code = 200 Logged In Reviewer Reviews paper #278 code = 403 Logged In Reviewer Not review paper #278 20

  21. Events Fired XS-Leak foo.hotcrp.com mal-site.com <embed infer state foo.hotcrp.com/api.php/review?p=278 src= SD-URL onload=revwr() code = 403 Alice (victim) onerror=notRevwr() > foo.hotcrp.com Web Browser SD-URL : https://foo.hotcrp.com/api.php/review?p=278 State Response code = 200 Logged In Reviewer Reviews paper #278 code = 403 Logged In Reviewer Not review paper #278 21

  22. Multiple States, Same Response SD-URL : https://foo.hotcrp.com/api.php/review?p=278 State Response code = 200 Logged In Reviewer Reviews paper #278 code = 403 Logged In Reviewer Not review paper #278 22

  23. Multiple States, Same Response SD-URL : https://foo.hotcrp.com/api.php/review?p=278 State Response code = 200 Logged In Reviewer Reviews paper #278 code = 403 Logged In Reviewer Not review paper #278 code = 200 Logged Out 23

  24. Multiple States, Same Response foo.hotcrp.com mal-site.com <embed infer state foo.hotcrp.com/api.php/review?p=278 src= SD-URL onload=revwr() Response Alice (victim) onerror=notRevwr() > foo.hotcrp.com Web Browser SD-URL : https://foo.hotcrp.com/api.php/review?p=278 State Response code = 200 Logged In Reviewer Reviews paper #278 code = 403 Logged In Reviewer Not review paper #278 code = 200 Logged Out 24

  25. Same Attack Payload, Browser-specific Behavior The same XS-Leak payload may work differently on different browsers foo.hotcrp.com mal-site.com <embed infer state foo.hotcrp.com/api.php/review?p=278 src= SD-URL onload=revwr() 200 Alice (victim) onerror=notRevwr() > foo.hotcrp.com foo.hotcrp.com mal-site.com <link infer state foo.hotcrp.com/api.php/review?p=278 href= SD-URL onload=revwr() 200 onerror=notRevwr() Alice (victim) rel = stylesheet> foo.hotcrp.com 25

  26. Attack Classes 26

  27. Attack Classes Name : 27

  28. Attack Classes Name SD-URL Responses Response A Response B : 28

  29. Attack Classes Name SD-URL Responses XS-Leak Response A Response B Inclusion Manifest. : 29

  30. Attack Classes Name SD-URL Responses XS-Leak Browser Support Response A Response B Inclusion Manifest. Chrome Firefox Edge : 30

  31. Attack Classes Name SD-URL Responses XS-Leak Browser Support Response A Response B Inclusion Manifest. Chrome Firefox Edge ✓ ✓ ✓ EF- code = 200 code = 4xx || 5xx <script> onload / StatusErro content-type = onerror rScript text/javascript : 31

  32. Attack Classes Name SD-URL Responses XS-Leak Browser Support Response A Response B Inclusion Manifest. Chrome Firefox Edge ✓ ✓ ✓ EF- code = 200 code = 4xx || 5xx <script> onload / StatusErro content-type = onerror rScript text/javascript : 32

  33. Attack Classes Name SD-URL Responses XS-Leak Browser Support Response A Response B Inclusion Manifest. Chrome Firefox Edge ✓ ✓ ✓ EF- code = 200 code = 4xx || 5xx <script> onload / StatusErro content-type = onerror rScript text/javascript ● 40 attack classes ● 21 new attack classes ● 1 completely novel XS-Leak (based on postMessage API) 33

  34. New XS-Leak: postMessage broadcasts ● SD-URL property State Response A Broadcasts message “x” B Broadcasts message “y” foo.hotcrp.com mal-site.com infer state window.open(SDURL) Alice (victim) 34

  35. New XS-Leak: postMessage broadcasts ● SD-URL property State Response A Broadcasts message “x” B Broadcasts message “y” foo.hotcrp.com mal-site.com mal-site.com infer state window.open(SDURL) postmessage(“x”, *) Alice (victim) 35

  36. New XS-Leak: postMessage broadcasts ● SD-URL property State Response A Broadcasts message “x” B Broadcasts message “y” foo.hotcrp.com mal-site.com mal-site.com infer state window.open(SDURL) state = A if rcvMsg === “x”{ postmessage(“x”, *) state = “A” Alice (victim) } 36

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

I Know Where Youve Been: ! Geo-Inference Attacks via the Browser Cache ! Yaoqi Jia Yaoqi Jia

I Know Where Youve Been: ! Geo-Inference Attacks via the Browser Cache ! Yaoqi Jia Yaoqi Jia

I Know Where Youve Been: ! Geo-Inference Attacks via the Browser Cache ! Yaoqi Jia Yaoqi Jia , Xinshu Dong , Zhenkai Liang , Prateek Saxena ! School of Computing, National University of Singapore ! Advanced Digital

496 views • 28 slides
WEB AND BROWSER SECURITY Ben Livshits, Microsoft Research Web Application Vulnerabilities &amp;

WEB AND BROWSER SECURITY Ben Livshits, Microsoft Research Web Application Vulnerabilities &amp;

WEB AND BROWSER SECURITY Ben Livshits, Microsoft Research Web Application Vulnerabilities &amp; Defenses 2 Server-side woes Browser mechanisms: Same origin SQL injection Cross-domain request XSS overview Content

738 views • 50 slides
2007 Self morphing viruses 2009 - The Zeus virus Man in the browser attacks no

2007 Self morphing viruses 2009 - The Zeus virus Man in the browser attacks no

2007 Self morphing viruses 2009 - The Zeus virus Man in the browser attacks no browser is safe 2011 300% increase in cyber attacks Who they are Why they do it Who are the targets Our filter processes 3 billion

407 views • 17 slides
Cross-Site Scripting (XSS) Professor Larry Heimann Web Application Security Information Systems

Cross-Site Scripting (XSS) Professor Larry Heimann Web Application Security Information Systems

Cross-Site Scripting (XSS) Professor Larry Heimann Web Application Security Information Systems Browser same origin policy Key security principle: a web browser permits scripts contained in a first web page to access data in a second web page,

358 views • 22 slides
Cross-Site Scripting (XSS) Professor Larry Heimann Web Application Security Information Systems

Cross-Site Scripting (XSS) Professor Larry Heimann Web Application Security Information Systems

Cross-Site Scripting (XSS) Professor Larry Heimann Web Application Security Information Systems Browser same origin policy Key security principle: a web browser permits scripts contained in a first web page to access data in a second web page,

1.12k views • 25 slides
Understanding and Combating Man-in-the- Browser Attacks 22 nd Annual FIRST Conference 16 June

Understanding and Combating Man-in-the- Browser Attacks 22 nd Annual FIRST Conference 16 June

Understanding and Combating Man-in-the- Browser Attacks 22 nd Annual FIRST Conference 16 June 2010 Jason Milletary Topics What is a Man-in-the-Browser Attack? How are they used? How can I identify and mitigate when they are

207 views • 18 slides
Corey Clark PhD Daniel Montgomery Web Dev Platform Cross Cross Platform Browser HTML5 Web

Corey Clark PhD Daniel Montgomery Web Dev Platform Cross Cross Platform Browser HTML5 Web

Corey Clark PhD Daniel Montgomery Web Dev Platform Cross Cross Platform Browser HTML5 Web Web WebGL Socket Worker Optimized Parallel Hardware Communication Acceleration Processing Channel Web Workers JaHOVA OS Internal APIs

957 views • 38 slides
CROSS SITE SCRIPTING (XSS) ATTACKS Injection attacks 3/18/19 1 Whoami Ad Adam Nu Nurudin

CROSS SITE SCRIPTING (XSS) ATTACKS Injection attacks 3/18/19 1 Whoami Ad Adam Nu Nurudin

CROSS SITE SCRIPTING (XSS) ATTACKS Injection attacks 3/18/19 1 Whoami Ad Adam Nu Nurudin ini CEH, ITIL L V3, 3, CCNA, CCNP, CASP, PCI-DS DSS.. .. Lead Security Researcher @ Netwatch Technologies Project Consultant, Information

377 views • 20 slides
CSE392/ISE331 Attacks against the client-side of web applications Nick Nikiforakis

CSE392/ISE331 Attacks against the client-side of web applications Nick Nikiforakis

CSE392/ISE331 Attacks against the client-side of web applications Nick Nikiforakis nick@cs.stonybrook.edu Despite the same origin policy Many things can go wrong at the client-side of a web application Popular attacks Cross-site

266 views • 15 slides
Kicking Down the Cross Domain Door Techniques for Cross Domain Exploitation Billy K Rios (BK) and

Kicking Down the Cross Domain Door Techniques for Cross Domain Exploitation Billy K Rios (BK) and

Kicking Down the Cross Domain Door Techniques for Cross Domain Exploitation Billy K Rios (BK) and Raghav Dube Tabbed Browsing Rich Content Mash-ups Cookies JSON Ajax Implication of Cross Domain Attacks Implication of Cross Domain Attacks

580 views • 31 slides
A Non-Inclusive Memory Permissions Architecture for Protection Against Cross-Layer Attacks Jesse

A Non-Inclusive Memory Permissions Architecture for Protection Against Cross-Layer Attacks Jesse

A Non-Inclusive Memory Permissions Architecture for Protection Against Cross-Layer Attacks Jesse Elwell 1 Ryan Riley 2 Nael Abu-Ghazaleh 1 Dmitry Ponomarev 1 1 State University of New York at Binghamton Department of Computer Science 2 Qatar

872 views • 76 slides
Cashing out the Great Cannon? On Browser-based DDoS Attacks and Economics G. Pellegrino (1) , C.

Cashing out the Great Cannon? On Browser-based DDoS Attacks and Economics G. Pellegrino (1) , C.

Cashing out the Great Cannon? On Browser-based DDoS Attacks and Economics G. Pellegrino (1) , C. Rossow (1) , F. J. Ryba (2) , T. C. Schmidt (3) , M. Whlisch (2) (1) CISPA / MMCI, Saarland University (2) Freie Universitt Berlin (3) HAW Hamburg

520 views • 36 slides
Agenda Technical background ! Same-Origin Policy ! Compression-based attacks !

Agenda Technical background ! Same-Origin Policy ! Compression-based attacks !

H TTP ! E ncrypted ! I nformation can be ! S tolen through ! T CP-windows by ! Mathy Vanhoef &amp; Tom Van Goethem Agenda Technical background ! Same-Origin Policy ! Compression-based attacks ! SSL/TLS &amp; TCP ! Nitty gritty

804 views • 51 slides
Website fingerprinting attacks against Tor Browser Bundle: a comparison between HTTP/1.1 and

Website fingerprinting attacks against Tor Browser Bundle: a comparison between HTTP/1.1 and

Tor website fingerprinting Website fingerprinting attacks against Tor Browser Bundle: a comparison between HTTP/1.1 and HTTP/2 T.T.N. Marks BSc. K.C.N. Halvemaan BSc. University of Amsterdam System and Network Engineering Research Project #1

664 views • 32 slides
Browser Storage Andrew Sutherland Mozilla DOM Team Current Cross-Browser Storage APIs

Browser Storage Andrew Sutherland Mozilla DOM Team Current Cross-Browser Storage APIs

Browser Storage Andrew Sutherland Mozilla DOM Team Current Cross-Browser Storage APIs Cookies: Synchronous, Strings, Hard Storage Cap LocalStorage: Synchronous, Strings, Hard Storage Cap IndexedDB: Asynchronous, Structured

481 views • 7 slides
Cross-Site Scripting Attack (XSS) Outline The Cross-Site Scripting attack Reflected

Cross-Site Scripting Attack (XSS) Outline The Cross-Site Scripting attack Reflected

Cross-Site Scripting Attack (XSS) Outline The Cross-Site Scripting attack Reflected XSS Persistent XSS Damage done by XSS attacks XSS attacks to befriend with others XSS attacks to change other peoples

3.65k views • 37 slides
Tractable Representations Inference Probabilistic Learning Models Applications Guy Van den

Tractable Representations Inference Probabilistic Learning Models Applications Guy Van den

Tractable Representations Inference Probabilistic Learning Models Applications Guy Van den Broeck University of California, Los Angeles based on a joint UAI-19 tutorial with Antonio Vergari University of California, Los Angeles Nicola Di

1.69k views • 151 slides
Orthogonal Polynomials and Spectral Algorithms Nisheeth K. Vishnoi 1.0 d=0 d=1 0.5 d=5

Orthogonal Polynomials and Spectral Algorithms Nisheeth K. Vishnoi 1.0 d=0 d=1 0.5 d=5

Orthogonal Polynomials and Spectral Algorithms Nisheeth K. Vishnoi 1.0 d=0 d=1 0.5 d=5 1.0 0.5 0.5 1.0 d=4 d=3 0.5 d=2 1.0 FOCS, Oct. 8, 2016 Orthogonal Polynomials -orthogonality Polynomials p ( x ) , q ( x ) are

1.05k views • 83 slides
Status of branch LCG 97 Tao Lin 2020 6 21 1 / 8 Outline Status of External

Status of branch LCG 97 Tao Lin 2020 6 21 1 / 8 Outline Status of External

Status of branch LCG 97 Tao Lin 2020 6 21 1 / 8 Outline Status of External Libraries Update of CEPCSW simulation framework The issue and plan 2 / 8 Upgrade external libraries from 97.0.0 to 97.0.1 In order to use the latest

186 views • 8 slides
Stat 5101 Lecture Slides: Deck 6 Existence of Integrals and Infinite Sums, Countable Additivity

Stat 5101 Lecture Slides: Deck 6 Existence of Integrals and Infinite Sums, Countable Additivity

Stat 5101 Lecture Slides: Deck 6 Existence of Integrals and Infinite Sums, Countable Additivity and Monotone Convergence, Existence of Moments, Correlation Charles J. Geyer School of Statistics University of Minnesota This work is licensed

697 views • 66 slides
Mairbek Chshiev European School on Magnetism Spintronics Conventional spintronics Spin-orbit

Mairbek Chshiev European School on Magnetism Spintronics Conventional spintronics Spin-orbit

Mairbek Chshiev European School on Magnetism Spintronics Conventional spintronics Spin-orbit phenomena -&gt; Spin orbitronics Dzyaloshinskii- Magneto Spin Hall Spin-orbit Rashba Interlayer Spin GMR Spin Transfer Moriya (DMI)

918 views • 73 slides
Decisions on Future Work; Conclusion Moderator: Ivan Herman, W3C Liam Quin, W3C Decisions on

Decisions on Future Work; Conclusion Moderator: Ivan Herman, W3C Liam Quin, W3C Decisions on

Decisions on Future Work; Conclusion Moderator: Ivan Herman, W3C Liam Quin, W3C Decisions on Future Work; Conclusion Who Collaboration between W3C and IDPF, Publishers can have a direct voice by participating; Stakeholders and user

103 views • 7 slides
Reach the World GCDO ADVISORY 2015 Christs Commission make disciples of all

Reach the World GCDO ADVISORY 2015 Christs Commission make disciples of all

Reach the World GCDO ADVISORY 2015 Christs Commission make disciples of all nations (Matt. 28:19) in all the world (Mark 16:15) to all nations (Luke 24:47) unto the uttermost parts of

431 views • 16 slides
Cyber-Physical Systems Serial Communication: I2C, UART &amp; USB ICEN 553/453 Fall 2018

Cyber-Physical Systems Serial Communication: I2C, UART &amp; USB ICEN 553/453 Fall 2018

Cyber-Physical Systems Serial Communication: I2C, UART &amp; USB ICEN 553/453 Fall 2018 Prof. Dola Saha 1 Inter-Integrated Circuit (I2C) Designed for low-cost, medium data rate applications by Philips in the early 1980s Original

693 views • 21 slides

More recommend