#Learn365 Day-6: Cross-Site Leaks

Goldmine to Learn: https://t.co/TsqGRWxPq7

Cross-Site Leaks (XS-Leaks) are a less explored class of security issue that usually stems from side-channel attacks. I found this an interesting but unusual vector.

(1/n)

#BugBountyTips #infosec #AppSec

(2/n)
XS-Leaks build on the web's core principle of composability (one site can embed and interact with another) and use it to infer and extract useful information about a user.

XS-Leaks take advantage of small pieces of information that are exposed during interactions between websites.
(3/n)
Cross-Site Oracle.

A cross-site oracle can be thought of as a querying mechanism. What the attacker learns per query is a single bit, hence the name oracle: the answer is usually "Yes" or "No" (equivalently, True or False).
(4/n)
For example: does a user named Harsh exist in the application? A "Yes" means that the user is present in the application.
- An attacker has to craft these queries carefully in order to execute the attack successfully and obtain sensitive information.
(5/n)
Some of the Attacks using Cross-Site leaks are:

1. XS-Search: the attacker abuses a query mechanism, such as search functionality, to leak and obtain the victim user's information.

Remediation
- SameSite=Lax cookies (cross-site requests triggered from an attacker's page then no longer carry the victim's session, so the search answers the same way regardless of the victim's data)
(6/n)
Usual Exploitation Workflow:

1. Establish how a hit and a miss can be told apart (for example, a timing difference).
2. Start probing the querying endpoint.
3. For example: if ?search=h produces a hit, append the next character (?search=ha); if it produces a miss, change the character instead (?search=b). Repeating this extracts the value one character at a time.
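To make the remediation concrete, here is an added JavaScript (Node) example that is not part of the original thread. It models, in simplified form, the rule a browser applies when deciding whether to attach a cookie to a request (based on the cookie's SameSite attribute and the request context), then shows why that rule breaks the XS-Search oracle described above: a cross-site probe of ?search=ha arrives without the victim's session, so its hit/miss answer no longer depends on the victim's data. The endpoint, the record names and the session values are constructed for the example.

```javascript
// Added example, not code from the original thread. Simplified model of how a
// browser decides whether to send a cookie, and what that does to an XS-Search
// oracle. All names and data below are constructed.

// Build the Set-Cookie value a server should emit for a session cookie.
function buildSessionCookie(sessionId, { sameSite = 'Lax' } = {}) {
  if (!['Strict', 'Lax', 'None'].includes(sameSite)) {
    throw new Error(`unsupported SameSite value: ${sameSite}`);
  }
  // SameSite=None is only honoured by browsers when the cookie is also Secure.
  return [
    `session=${encodeURIComponent(sessionId)}`,
    'Path=/',
    'HttpOnly',
    'Secure',
    `SameSite=${sameSite}`,
  ].join('; ');
}

// Read the SameSite attribute back from a Set-Cookie header. Modern browsers
// treat an absent attribute as Lax (with a browser-specific grace period that
// still allows top-level cross-site POSTs for freshly set cookies).
function parseSameSite(setCookie) {
  const m = /;\s*SameSite=(Strict|Lax|None)\b/i.exec(setCookie);
  if (!m) return 'Lax';
  const v = m[1].toLowerCase();
  return v.charAt(0).toUpperCase() + v.slice(1);
}

// Request context as the browser sees it:
//   crossSite          - initiated from a different site than the cookie's
//   topLevelNavigation - changes the address bar (link click, window.open),
//                        as opposed to a fetch, <img>, <script> or <iframe> load
//   method             - HTTP method
function cookieAttached(sameSite, { crossSite, topLevelNavigation, method }) {
  if (!crossSite) return true;                // same-site requests always carry it
  switch (sameSite) {
    case 'Strict': return false;              // never on cross-site requests
    case 'Lax':    return topLevelNavigation && method === 'GET';
    case 'None':   return true;               // always (cookie must be Secure)
    default: throw new Error(`unknown SameSite value: ${sameSite}`);
  }
}

// Constructed stand-in for a search endpoint. With a session, the hit/miss
// answer depends on the victim's private data; without one it answers the same
// way for every query, so a cross-site oracle has nothing to observe.
const VICTIM_RECORDS = ['harsh', 'hello']; // constructed sample data
function searchEndpoint(query, sessionPresent) {
  if (!sessionPresent) return { status: 401, hit: false };
  return { status: 200, hit: VICTIM_RECORDS.some((r) => r.startsWith(query)) };
}

// One probe of the kind in the workflow above: an attacker page loads
// ?search=<prefix> as a cross-site subresource. Returns the endpoint's answer.
function crossSiteProbe(prefix, sameSite) {
  const ctx = { crossSite: true, topLevelNavigation: false, method: 'GET' };
  return searchEndpoint(prefix, cookieAttached(sameSite, ctx));
}

// Does the answer differ between a matching and a non-matching prefix?
// If it does, the oracle still leaks under this cookie policy.
function oracleLeaks(sameSite) {
  const a = crossSiteProbe('ha', sameSite);
  const b = crossSiteProbe('hb', sameSite);
  return a.hit !== b.hit;
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const s of ['None', 'Lax', 'Strict']) {
    console.log(`SameSite=${s}: oracle leaks? ${oracleLeaks(s)}`);
  }
}
```

Two caveats the model makes visible: Lax still sends the cookie on top-level GET navigations, so an oracle that works through a navigation (a page opened with window.open rather than an iframe or fetch) is not closed by Lax alone, and a cookie set without an explicit attribute is only defaulted to Lax by the browser, so set it explicitly on the server rather than relying on that default.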
(7/n)
2. Error Events

Whether a cross-site resource loads successfully or fails (the load versus error event fired on an embedded resource, driven by the status or error the application returns) can reveal the state behind that response and be used to enumerate sensitive information. This is similar to user enumeration techniques.

Reference: https://t.co/2iIVT0xei2
(8/n)
3. Frame Counting
window.length returns the number of frames in a window, and it is readable on a cross-origin window reference (for example one obtained from window.open or an iframe's contentWindow). When the frame count differs between states (logged in or not, results or no results), this attribute gives an attacker information about the page.

References: https://t.co/XjOZL3yiZF
(9/n)
4. Navigation Attacks
Reference: https://t.co/lS3LT80Foa

5. Cache Probing
- Works by detecting whether a given resource is already in the browser's cache, which reveals whether the victim's browser previously loaded it.
Reference: https://t.co/ejAdOHaIFG

6. ID Attribute
Reference: https://t.co/11lwLzE2DD
(10/n)

7. postMessage Broadcasts
a. Sharing sensitive messages with untrusted origins
b. Leaking information based on varying content or on the mere presence of a broadcast

8. Abusing Browser Features
- CORB (Cross-Origin Read Blocking)
- CORP (Cross-Origin Resource Policy)
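The two browser features just listed, modelled as an added JavaScript (Node) example that is not part of the original thread. CORP lets a server declare which origins may load a resource; CORB stops certain cross-origin responses (HTML, XML, JSON) from reaching a page that fetched them as a no-cors subresource such as an image or script. The decision logic below is an educational approximation of the real specifications (the exact rules differ between browsers and have evolved), and the origins, headers and bodies are constructed samples. The defensive reading: send `Cross-Origin-Resource-Policy` on sensitive endpoints and `X-Content-Type-Options: nosniff` so that whether a response is blocked depends on declared policy, not on content that varies with the user's state.

```javascript
// Added example, not code from the original thread. Simplified model of the
// CORP and CORB decisions a browser makes for a cross-origin subresource load.
// Header names are expected in lowercase, as Node's http module delivers them.

// Registrable domain approximated as the last two host labels. Real browsers
// consult the Public Suffix List, which this stand-in does not.
function siteOf(url) {
  const u = new URL(url);
  const labels = u.hostname.split('.');
  return `${u.protocol}//${labels.slice(-2).join('.')}`;
}

// Cross-Origin-Resource-Policy: 'same-origin' | 'same-site' | 'cross-origin' | undefined.
// Returns true when the policy permits requestOrigin to load resourceUrl.
function corpAllows(policy, requestOrigin, resourceUrl) {
  const resourceOrigin = new URL(resourceUrl).origin;
  switch ((policy || 'cross-origin').toLowerCase()) { // absent header: no restriction
    case 'same-origin': return requestOrigin === resourceOrigin;
    case 'same-site':   return siteOf(requestOrigin) === siteOf(resourceUrl);
    default:            return true; // 'cross-origin' and unrecognised values
  }
}

// Response types CORB protects, with the cheap sniff applied when nosniff is absent.
const CORB_PROTECTED = {
  html: { types: ['text/html'],                    sniff: (b) => /^\s*<!?[a-z]/i.test(b) },
  xml:  { types: ['text/xml', 'application/xml'],  sniff: (b) => /^\s*<\?xml/i.test(b) },
  json: { types: ['application/json', 'text/json'], sniff: (b) => /^\s*[\[{]/.test(b) },
};

function mimeOf(contentType) {
  return (contentType || '').split(';')[0].trim().toLowerCase();
}

// destination: what the requesting page asked for ('image', 'script', 'style', ...).
// CORB only concerns no-cors subresource loads; a navigation or a CORS-approved
// fetch is out of scope for this model.
function corbBlocks({ crossOrigin, destination, contentType, nosniff, body }) {
  if (!crossOrigin) return false;
  if (!['image', 'script', 'style', 'audio', 'video', 'font'].includes(destination)) return false;
  const mime = mimeOf(contentType);
  for (const [kind, { types, sniff }] of Object.entries(CORB_PROTECTED)) {
    const declared = types.includes(mime)
      || (kind === 'json' && mime.endsWith('+json'))
      || (kind === 'xml' && mime.endsWith('+xml'));
    if (!declared) continue;
    // With nosniff the declared type is trusted outright; otherwise the body
    // must also look like that type before the response is blocked.
    return nosniff || sniff(body || '');
  }
  return false;
}

// Combined decision for one load. req: { origin, url, destination };
// res: { headers: { 'content-type', 'cross-origin-resource-policy',
//        'x-content-type-options' }, body }.
function responseExposed(req, res) {
  if (!corpAllows(res.headers['cross-origin-resource-policy'], req.origin, req.url)) {
    return { exposed: false, by: 'CORP' };
  }
  const blocked = corbBlocks({
    crossOrigin: req.origin !== new URL(req.url).origin,
    destination: req.destination,
    contentType: res.headers['content-type'],
    nosniff: (res.headers['x-content-type-options'] || '').toLowerCase() === 'nosniff',
    body: res.body,
  });
  return blocked ? { exposed: false, by: 'CORB' } : { exposed: true, by: null };
}

if (typeof require !== 'undefined' && require.main === module) {
  // Constructed sample: a third-party page loads a JSON API as a <script>.
  const req = { origin: 'https://third-party.example', url: 'https://app.example.com/api/me', destination: 'script' };
  const res = { headers: { 'content-type': 'application/json', 'x-content-type-options': 'nosniff' }, body: '{"user":"harsh"}' };
  console.log(responseExposed(req, res));
}
```

Why this matters for XS-Leaks rather than only for data theft: a page can often observe whether a subresource was blocked (the script does not run, the image never fires load), so a response whose blocking depends on user-specific content is itself an oracle. Fixed headers on every response path remove that variation.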
(n/n)

9. Timing Attacks
- Clock-based
- Network timing
- Execution timing
- Hybrid timing
- Connection pool

# References
1. https://t.co/byryqh3bql
2. https://t.co/khunvHYDga
3. https://t.co/ssQ39okO55

I'll revisit this attack in the near future & will try to find.
