Tom Van Goethem
Tom is a PhD researcher at the University of Leuven in Belgium. In his research, Tom is broadly interested in web security and privacy, and more specifically focuses on uncovering side-channel attacks in the web platform and large-scale security evaluations. This has led to the discovery of various issues with a widespread impact: HEIST, RCE in WordPress, browser-based timing attacks.
Help, my browser is leaking! Exploring XSLeaks attacks and defenses
For many years, injection-based vulnerabilities such as XSS and SQL injection have dominated the web security landscape. However, as browsers and applications become increasingly complex, new vulnerability classes surface. One of these new-kids-on-the-block is XSLeaks, a vulnerability class that exploits side-channel leaks in the browser to extract information across origins. In this presentation, I will describe the various types of leaks in different browser features and the network layer, and discuss how these issues can be exploited to extract sensitive information from an unwitting victim. Furthermore, the talk will cover the numerous (new) defenses that need to be adopted in order to safeguard web applications (SameSite cookies, COOP, COEP, ...), and their potential shortcomings. Finally, we will take a peek into the future, and discuss how XSLeaks will likely evolve in the coming months and years.