2020 | Original Paper | Book Chapter

Cross-Site Search Attacks: Unauthorized Queries over Private Data

Authors: Bar Meyuhas, Nethanel Gelernter, Amir Herzberg

Published in: Cryptology and Network Security

Publisher: Springer International Publishing

Abstract

Cross-site search attacks allow a rogue website to expose private, sensitive user-information from web applications. The attacker exploits timing and other side channels to extract the information, using cleverly-designed cross-site queries.
In this work, we present a systematic approach to the study of cross-site search attacks. We begin with a comprehensive taxonomy, clarifying the relationships between different types of cross-site search attacks, as well as their relationships to other attacks. We then present, analyze, and compare cross-site search attacks: we present new attacks that have improved efficiency and can circumvent browser defenses, and compare them to already-published attacks. We developed and present a reproducibility framework, which allows the study and evaluation of different cross-site attacks and defenses.
We also discuss defenses against cross-site search attacks, for both browsers and servers. We argue that server-based defenses are essential, including restricting cross-site search requests.
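The server-based defense the abstract recommends, restricting cross-site search requests, as an added example that is not code from the paper: a request gate that admits a search only when the browser's Sec-Fetch-Site header (or, failing that, Origin or Referer) shows the request came from the application's own site. The policy, the helper names and the origin https://app.example are this example's assumptions.

```python
"""Server-side gate that refuses cross-site search requests.

Added illustration of the abstract's recommendation; not the paper's code.
The header names are real browser headers; the policy is an assumption.
"""
from urllib.parse import urlsplit

# Sec-Fetch-Site values that mean the request came from our own site.
SAME_SITE_VALUES = {"same-origin", "same-site"}


def _site_of(url: str) -> str:
    """Crude site key (scheme + host). A real deployment would consult a
    public-suffix list; this simplification is constructed for the example."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.hostname}".lower() if parts.hostname else ""


def search_request_allowed(headers: dict, own_origin: str = "https://app.example") -> bool:
    """Return True only when the search request is demonstrably first-party.

    Policy (this example's assumption):
      1. If the browser sent Sec-Fetch-Site, trust it: same-origin and
         same-site are allowed, cross-site is rejected, and 'none' (typed
         URL or bookmark) is allowed because no attacker page is involved.
      2. Otherwise fall back to Origin, then Referer, and require a match
         with our own site.
      3. A search request with no origin information at all is rejected:
         an unattributable cross-site search is exactly the request a
         cross-site search attack relies on.
    """
    h = {k.lower(): v for k, v in headers.items()}
    fetch_site = h.get("sec-fetch-site")
    if fetch_site is not None:
        return fetch_site in SAME_SITE_VALUES or fetch_site == "none"
    for name in ("origin", "referer"):
        value = h.get(name)
        if value:
            return _site_of(value) == _site_of(own_origin)
    return False
```

Rejected requests should receive one fixed, data-independent response, so the gate itself does not become a new timing or size oracle over the private data.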

Metadata
Title
Cross-Site Search Attacks: Unauthorized Queries over Private Data
Authors
Bar Meyuhas
Nethanel Gelernter
Amir Herzberg
Copyright year
2020
DOI
https://doi.org/10.1007/978-3-030-65411-5_3