#Learn365 Day-6: Cross-Site Leaks

Goldmine to Learn: https://t.co/TsqGRWxPq7

Cross-Site Leaks/XS-Leaks is a less explored security issue that usually comes from Side-Channel Attacks. I found this an interesting vector but unusual.

(1/n)

#BugBountyTips #infosec #AppSec

(2/n)
This basically utilizes the web's core principle of composability in order to determine & extract useful information.

XS-Leaks take advantage of small pieces of information that are exposed during interactions between websites.
(3/n)
Cross-Site Oracle.

This can be considered as a querying mechanism. The information used for this attack is of binary form and called Oracles. It usually has an answer of "Yes" or "No". You can say True or False.
(4/n)
For Example: Does User Harsh Exists in the Application. Yes, means that the user is there in the application.
- An attacker requires to smartly form queries in order to successfully execute this attack and gain hold of sensitive information.
(5/n)
Some of the Attacks using Cross-Site leaks are:

1. XS-Search: An attacker try to abuse the query mechanism such as search functionality to leak and get hold of the user's information.

Remediation
- Same Site Lax Cookies
(6/n)
Usual Exploitation Workflow:

1. Define a timeline when there is a Hit vs Miss
2. Start attacking the Querying Endpoint.
3. For Example: ?search=h (Throws a Hit)
search for the next word appended to `h` i.e. ?search=ha otherwise change the word i.e. ?search=b
(7/n)
2. Error Events

Based on the Error Message returned by the application, it may be possible to enumerate sensitive information. This is similar to user enumeration techniques.

Reference: https://t.co/2iIVT0xei2
(8/n)
3. Frame Counting
The window.length provides the number of frames in the window. This attribute can provide valuable information about a page to an attacker.

References: https://t.co/XjOZL3yiZF
(9/n)
3. Navigation Attacks
Reference: https://t.co/lS3LT80Foa

4. Cache Probing
- Workes based on detecting whether the web page was cached or not.
Ref: https://t.co/ejAdOHaIFG

5. ID Attribute
Ref: https://t.co/11lwLzE2DD
(10/n)

6. Post Message Broadcasts
a. Sharing Sensitive message with untrusted origins
b. Leaking information based on varying content or on the presence of a broadcast

7. Abusing Browser Features
- CORB (Cross-Origin Read Blocking)
- CORP (Cross-Origin Resource Policy)
(n/n)

8. Timing Attacks
- Clock Based
- Network Timing
- Execution Timing
- Hybrid Timing
- Connection Pool

# Referneces
1. https://t.co/byryqh3bql
2. https://t.co/khunvHYDga
3. https://t.co/ssQ39okO55

I'll revisit this attack in near future & will try to find.

More from For later read

You May Also Like

Fake chats claiming to be from the Irish African community are being disseminated by the far right in order to suggest that violence is imminent from #BLM supporters. This is straight out of the QAnon and Proud Boys playbook. Spread the word. Protest safely. #georgenkencho


There is co-ordination across the far right in Ireland now to stir both left and right in the hopes of creating a race war. Think critically! Fascists see the tragic killing of #georgenkencho, the grief of his community and pending investigation as a flashpoint for action.


Across Telegram, Twitter and Facebook disinformation is being peddled on the back of these tragic events. From false photographs to the tactics ofwhite supremacy, the far right is clumsily trying to drive hate against minority groups and figureheads.


Declan Ganley’s Burkean group and the incel wing of National Party (Gearóid Murphy, Mick O’Keeffe & Co.) as well as all the usuals are concerted in their efforts to demonstrate their white supremacist cred. The quiet parts are today being said out loud.


The best thing you can do is challenge disinformation and report posts where engagement isn’t appropriate. Many of these are blatantly racist posts designed to drive recruitment to NP and other Nationalist groups. By all means protest but stay safe.
A brief analysis and comparison of the CSS for Twitter's PWA vs Twitter's legacy desktop website. The difference is dramatic and I'll touch on some reasons why.

Legacy site *downloads* ~630 KB CSS per theme and writing direction.

6,769 rules
9,252 selectors
16.7k declarations
3,370 unique declarations
44 media queries
36 unique colors
50 unique background colors
46 unique font sizes
39 unique z-indices

https://t.co/qyl4Bt1i5x


PWA *incrementally generates* ~30 KB CSS that handles all themes and writing directions.

735 rules
740 selectors
757 declarations
730 unique declarations
0 media queries
11 unique colors
32 unique background colors
15 unique font sizes
7 unique z-indices

https://t.co/w7oNG5KUkJ


The legacy site's CSS is what happens when hundreds of people directly write CSS over many years. Specificity wars, redundancy, a house of cards that can't be fixed. The result is extremely inefficient and error-prone styling that punishes users and developers.

The PWA's CSS is generated on-demand by a JS framework that manages styles and outputs "atomic CSS". The framework can enforce strict constraints and perform optimisations, which is why the CSS is so much smaller and safer. Style conflicts and unbounded CSS growth are avoided.