‘This should be in the OWASP Top 10 in 2025’

The deanonymization capabilities of cross-site leak (XS-Leak) attacks once again came to the fore this week, as security researchers published details of two new methods that can be used to expose user information.

XS-Leak refers to a family of browser side-channel techniques that can be used to infer and gather information about users, often based upon network timing of the responses.

Back in 2007, a team of researchers from Stanford University published a white paper (PDF) demonstrating how it was possible to obtain information about surfers by analyzing the time a website took to respond to HTTP requests.

Two years later, researcher Chris Evans explained how it was possible to time the response of a site to figure out if a user is logged in to another service (in this particular case, Yahoo! Mail), and introducing the concept of cross-site search (XS-Search).

Browser side-channel

XS-Leak attacks are used to gather information on visitors to websites that would not normally be available.

Any website can execute JavaScript on a user’s browser, but the same-origin policy prevents malicious sites from, for example, reading a user’s Gmail inbox or doing nefarious things on other browser tabs.

Likewise, sites can embed content from external sources – such as iframes related to Facebook, or YouTube videos – without giving the host site the ability to read the content or view user interaction.

XS-Leak attacks attempt to circumvent these security controls by analyzing response times and other factors in order to infer user data.

For example, a site could embed a Facebook image that only members of a specific group have permission to view. The onload event would fire for those who can view the image, gaining information on a visitor in the process.

Cache and Object

Cross-site search remains the most common implementation of XS-Leak attacks. But, as can be seen in the XS-Leaks wiki, research into this field is much broader.

Adding to this growing corpus of browser-based side-channel techniques comes work by Eduardo Vela, who this week published insight into what he calls ‘HTTP Cache Cross-Site Leaks’.

This variation on an XS-Leak attack involves deleting the HTTP cache for a specific resource before forcing the browser to render a website and, finally, checking if the browser cached the resource that was originally deleted.

This allows an attacker to figure out if a website loads a specific resource (such as an image, script, or stylesheet) or not. This can result in identifying a user or disclosing which people they send emails to, for example.

Separately, Polish researcher @terjanq wrote a Medium post demonstrating how the HTML <object> element could be leveraged to leak user information.

“As the result of combining the simulated <object>.onload event with detection of the <object> rendering, we’ve got a complete brand new technique for cross-origin content and status types detection,” the researcher said.

“And with that, it’s safe to say that the method proudly joins the XS-Leaks family.”

Normally it isn’t possible to detect the content type of a cross domain response but, as the researcher demonstrated, this information can be obtained with an HTML5 attribute typemustmatch and the object tag.

One to watch

Research in the field of cross-site leak attacks is ongoing. And while the true potential of these side-channel techniques is perhaps yet to be realized, XS-Leak is firmly on the radar of both OWASP (PDF) and browser makers such as Google.

Following the publication of these two latest methodologies, Google web security researcher Krzysztof Kotowicz said XS-Search may soon mark its ascension to the OWASP Top 10.

“XS-Search is what the web platform security will struggle with after we fix the more popular problems like XSS,” Kotowicz tweeted this week.

“This should be in OWASP Top 10 [in] 2025 when we actually know what to do with it. I don’t think all realize yet how serious the issue is.”


RELATED Cross-site search attack applied to snoop on Google’s bug tracker