Help, my browser is leaking! Exploring XSLeaks attacks and defenses
2020-09-03, 16:00–16:40, Main stream

For many years, injection-based vulnerabilities such as XSS and SQL injection have dominated the web security landscape. However, as browsers and applications are becoming increasingly complex, new vulnerability classes surface. One of these new-kids-on-the-block is XSLeaks, a vulnerability class that exploits side-channel leaks in the browser to extract information across origins. In this presentation, I will describe the various types of leaks in different browser features and the network layer, and discuss how these issues can be exploited to extract sensitive information from an unwitting victim. Furthermore, the talk will cover the numerous (new) defenses that need to be adopted in order to safeguard web applications (SameSite cookies, COOP, COEP, ...), and their potential shortcomings. Finally, we will take a peek into the future, and discuss how XSLeaks will likely evolve in the coming months and years.


This talk will mainly focus on XSLeaks, a topic that is becoming more and more popular within the web security community (taking 2nd place in the top-10 web hacking techniques of 2019 - https://portswigger.net/research/top-10-web-hacking-techniques-of-2019). The talk will be centred on the issues that I have discovered during my research (revealing the size of cross-origin resources and its consequences), but will also include many references to work by others in order to paint the full picture (both in terms of creating a taxonomy for the different types of leaks, and in showing examples of how XSLeaks can be exploited in the real world) and extract more general insights on XSLeaks.
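As an added example (not part of the talk or of the author's research code), the script below audits a response's headers for the three defences the abstract names: COOP, COEP and SameSite cookies. The sample header sets and the values treated as "expected" are assumptions constructed for this example, not a recommendation from the talk.

```python
"""Audit HTTP response headers for the XSLeaks defences named in the abstract
(SameSite cookies, COOP, COEP). Sample headers and the expected values are
this example's own assumptions, not a policy from the talk."""
from typing import Dict, List


def _get(headers: Dict[str, List[str]], name: str) -> List[str]:
    """Case-insensitive lookup; a header may occur several times (e.g. Set-Cookie)."""
    return [v for k, vals in headers.items() if k.lower() == name for v in vals]


def _cookie_attrs(set_cookie: str) -> Dict[str, str]:
    """Return the attributes after 'name=value' as {lower-name: value}."""
    attrs: Dict[str, str] = {}
    for part in set_cookie.split(";")[1:]:
        name, _, val = part.strip().partition("=")
        attrs[name.lower()] = val.strip()
    return attrs


def audit_xsleak_defenses(headers: Dict[str, List[str]]) -> List[str]:
    """Return one finding per missing or weakened defence; an empty list means none found."""
    findings: List[str] = []
    coop = [v.strip().lower() for v in _get(headers, "cross-origin-opener-policy")]
    if not coop:
        findings.append("COOP missing: cross-origin pages keep a window reference to this document")
    elif "same-origin" not in coop:
        findings.append(f"COOP is {coop[0]!r}; assumed policy expects 'same-origin'")
    coep = [v.strip().lower() for v in _get(headers, "cross-origin-embedder-policy")]
    if not coep:
        findings.append("COEP missing: cross-origin subresources load without explicit opt-in")
    elif "require-corp" not in coep:
        findings.append(f"COEP is {coep[0]!r}; assumed policy expects 'require-corp'")
    for raw in _get(headers, "set-cookie"):
        cname = raw.split("=", 1)[0].strip()
        attrs = _cookie_attrs(raw)
        samesite = attrs.get("samesite", "").lower()
        if not samesite:
            findings.append(f"cookie {cname!r} has no SameSite attribute; cross-site sending depends on the browser default")
        elif samesite == "none" and "secure" not in attrs:
            findings.append(f"cookie {cname!r} is SameSite=None without Secure; Chromium rejects such cookies")
        elif samesite == "none":
            findings.append(f"cookie {cname!r} is SameSite=None; it accompanies cross-site requests, review whether it authenticates the user")
    return findings


# Constructed sample responses (not captured from any real site).
WEAK_HEADERS = {"Content-Type": ["text/html"], "Set-Cookie": ["sid=abc123; Path=/; HttpOnly"]}
HARDENED_HEADERS = {
    "Content-Type": ["text/html"],
    "Cross-Origin-Opener-Policy": ["same-origin"],
    "Cross-Origin-Embedder-Policy": ["require-corp"],
    "Set-Cookie": ["sid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"],
}

if __name__ == "__main__":
    for finding in audit_xsleak_defenses(WEAK_HEADERS):
        print("-", finding)
```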

Tom is a PhD researcher at the University of Leuven in Belgium. In his research, Tom is broadly interested in web security and privacy, and more specifically focuses on uncovering side-channel attacks in the web platform and large-scale security evaluations. This has led to the discovery of various issues with a widespread impact: HEIST, RCE in WordPress, browser-based timing attacks.