Commit

deploy: c4cae9a
github-actions[bot] committed Apr 21, 2024
1 parent fd3053d commit 54e08af
Showing 49 changed files with 49 additions and 49 deletions.
2 changes: 1 addition & 1 deletion docs/attacks/browser-features/corb/index.html
Expand Up @@ -11,5 +11,5 @@
<a class=anchor href=#detecting-the-nosniff-header>#</a></h2><p>CORB can also allow attackers to detect when the <code>nosniff</code> header is present in the request. This problem originated due to the fact that CORB is only enforced depending on the presence of this header and some sniffing algorithms. The example below shows two distinguishable states:</p><ol><li>CORB will prevent an attacker page which embeds a resource as a <code>script</code> if the resource is served with <code>text/html</code> as <code>Content-Type</code> along with the <code>nosniff</code> header.</li><li>If the resource does not set <code>nosniff</code> and CORB <a href=https://chromium.googlesource.com/chromium/src/+/master/services/network/cross_origin_read_blocking_explainer.md#what-types-of-content-are-protected-by-corb>fails</a> to infer the <code>Content-Type</code> of the page (which remains <code>text/html</code>), a <code>SyntaxError</code> will be fired since the contents can&rsquo;t be parsed as valid JavaScript. This error can be caught by listening to <code>window.onerror</code> as <code>script</code> tags only trigger error events under <a href=https://developer.mozilla.org/en-US/docs/Web/API/HTMLScriptElement>certain conditions</a>. <a href=https://xsinator.com/testing.html#CORB%20Leak>Run demo</a></li></ol><h2 id=defense>Defense
<a class=anchor href=#defense>#</a></h2><table><thead><tr><th style=text-align:center><a href=https://xsleaks.dev/docs/defenses/opt-in/same-site-cookies/>SameSite Cookies (Lax)</a></th><th style=text-align:center><a href=https://xsleaks.dev/docs/defenses/opt-in/coop/>COOP</a></th><th style=text-align:center><a href=https://xsleaks.dev/docs/defenses/opt-in/xfo/>Framing Protections</a></th><th style=text-align:center><a href=https://xsleaks.dev/docs/defenses/isolation-policies/>Isolation Policies</a></th></tr></thead><tbody><tr><td style=text-align:center>✔️</td><td style=text-align:center></td><td style=text-align:center></td><td style=text-align:center><a href=https://xsleaks.dev/docs/defenses/isolation-policies/resource-isolation/>RIP</a> 🔗 <a href=https://xsleaks.dev/docs/defenses/isolation-policies/navigation-isolation/>NIP</a></td></tr></tbody></table><p>🔗 – Defense mechanisms must be combined to be effective against different scenarios.</p><blockquote class="book-hint2 tip"><p class="hint-title tip"><svg class="book-icon"><use href="/svg/hint-icons.svg#tip-notice"/></svg><span>tip</span></p>Developers can deploy <a href=https://xsleaks.dev/docs/defenses/opt-in/corp/>CORP</a> in an application&rsquo;s subresources to force a protection similar to CORB that does not inspect responses to decide when to act. To prevent attackers from abusing this XS-Leak, generic XS-Leaks defense mechanisms are also effective.</blockquote><h2 id=references>References
<a class=anchor href=#references>#</a></h2><div class=footnotes role=doc-endnotes><hr><ol><li id=fn:1><p>CORB vs side channels, <a href="https://docs.google.com/document/d/1kdqstoT1uH5JafGmRXrtKE4yVfjUVmXitjcvJ4tbBvM/edit?ts=5f2c8004">link</a>&#160;<a href=#fnref:1 class=footnote-backref role=doc-backlink>&#8617;&#xfe0e;</a></p></li></ol></div></p></article><footer class=book-footer><div class="flex flex-wrap justify-between"><div><a class="flex align-center" href=https://github.com/xsleaks/wiki/commit/5a77850b3afcbc399fde4bcb15684476f16b2a27 title='Last modified by NDevTK | November 6, 2022' target=_blank rel=noopener><img src=/svg/calendar.svg class=book-icon alt=Calendar>
<span>Last Modified: November 6, 2022</span></a></div><div><a class="flex align-center" href=https://github.com/xsleaks/wiki/edit/master/content//docs/attacks/browser-features/corb.md target=_blank rel=noopener><img src=/svg/edit.svg class=book-icon alt=Edit>
<span>Last Modified: November 6, 2022</span></a></div><div><a class="flex align-center" href=https://github.com/xsleaks/wiki/edit/master/content/docs/attacks/browser-features/corb.md target=_blank rel=noopener><img src=/svg/edit.svg class=book-icon alt=Edit>
<span>Edit this article</span></a></div></div></footer><div class=book-comments></div><label for=menu-control class="hidden book-menu-overlay"></label></div><aside class=book-toc><nav id=TableOfContents><ul><li><a href=#corb--error-events>CORB & Error Events</a></li><li><a href=#detecting-the-nosniff-header>Detecting the <code>nosniff</code> Header</a></li><li><a href=#defense>Defense</a></li><li><a href=#references>References</a></li></ul></nav></aside></main></body></html>
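Review bot: The first sentence under "Detecting the nosniff Header" says the header is "present in the request", but `nosniff` is set by the server on the response, and list item 1 in the same hunk already describes the resource as "served with" it. Suggest changing the wording to "present in the response" in the Markdown source (`corb.md`) so the generated page stays consistent. The footer edit link itself differs between the two variants only in `content//docs/` versus `content/docs/`, which looks fine.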
2 changes: 1 addition & 1 deletion docs/attacks/browser-features/corp/index.html
Expand Up @@ -7,5 +7,5 @@
<label for=toc-control><img src=/svg/toc.svg class=book-icon alt="Table of Contents"></label></div><aside class="hidden clearfix"><nav id=TableOfContents><ul><li><a href=#explanation>Explanation</a></li><li><a href=#defense>Defense</a></li></ul></nav></aside></header><article class=markdown><h1>CORP Leaks</h1><h5>October 1, 2020</h5><p><h2 id=explanation>Explanation
<a class=anchor href=#explanation>#</a></h2><p><a href=https://xsleaks.dev/docs/defenses/opt-in/corp/>Cross-Origin Resource Policy</a> (CORP) is a web platform security feature that allows websites to prevent certain resources from being loaded by other origins. This protection complements <a href=https://xsleaks.dev/docs/defenses/secure-defaults/corb/>CORB</a> since it is an opt-in defense, whereas CORB blocks some cross-origin reads by default. Unfortunately, similar to <a href=https://xsleaks.dev/docs/attacks/browser-features/corb/>CORB</a>, applications can introduce a new XS-Leak if they misconfigure the use of this protection.</p><p>A webpage will introduce an XS-Leak if <code>CORP</code> is enforced based on user data. If a page search feature enforces <code>CORP</code> when showing results, but doesn&rsquo;t do so when returning no results, an attacker will be able to distinguish the two scenarios. This occurs because a page/resource protected by <code>CORP</code> will return an error when fetched cross-origin. <a href=https://xsinator.com/testing.html#CORP%20Leak>Run demo</a></p><h2 id=defense>Defense
<a class=anchor href=#defense>#</a></h2><p>An application can avoid this XS-Leak if it guarantees <code>CORP</code> is deployed in all application resources/endpoints. Moreover, generic security mechanisms that allow the invalidation of cross-site requests will also help prevent this attack.</p><table><thead><tr><th style=text-align:center><a href=https://xsleaks.dev/docs/defenses/opt-in/same-site-cookies/>SameSite Cookies (Lax)</a></th><th style=text-align:center><a href=https://xsleaks.dev/docs/defenses/opt-in/coop/>COOP</a></th><th style=text-align:center><a href=https://xsleaks.dev/docs/defenses/opt-in/xfo/>Framing Protections</a></th><th style=text-align:center><a href=https://xsleaks.dev/docs/defenses/isolation-policies/>Isolation Policies</a></th></tr></thead><tbody><tr><td style=text-align:center>✔️</td><td style=text-align:center></td><td style=text-align:center></td><td style=text-align:center><a href=https://xsleaks.dev/docs/defenses/isolation-policies/resource-isolation/>RIP</a> 🔗 <a href=https://xsleaks.dev/docs/defenses/isolation-policies/navigation-isolation/>NIP</a></td></tr></tbody></table><p>🔗 – Defense mechanisms must be combined to be effective against different scenarios.</p></p></article><footer class=book-footer><div class="flex flex-wrap justify-between"><div><a class="flex align-center" href=https://github.com/xsleaks/wiki/commit/5a77850b3afcbc399fde4bcb15684476f16b2a27 title='Last modified by NDevTK | November 6, 2022' target=_blank rel=noopener><img src=/svg/calendar.svg class=book-icon alt=Calendar>
<span>Last Modified: November 6, 2022</span></a></div><div><a class="flex align-center" href=https://github.com/xsleaks/wiki/edit/master/content//docs/attacks/browser-features/corp.md target=_blank rel=noopener><img src=/svg/edit.svg class=book-icon alt=Edit>
<span>Last Modified: November 6, 2022</span></a></div><div><a class="flex align-center" href=https://github.com/xsleaks/wiki/edit/master/content/docs/attacks/browser-features/corp.md target=_blank rel=noopener><img src=/svg/edit.svg class=book-icon alt=Edit>
<span>Edit this article</span></a></div></div></footer><div class=book-comments></div><label for=menu-control class="hidden book-menu-overlay"></label></div><aside class=book-toc><nav id=TableOfContents><ul><li><a href=#explanation>Explanation</a></li><li><a href=#defense>Defense</a></li></ul></nav></aside></main></body></html>
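Review bot: The article body has invalid paragraph nesting: `<h5>October 1, 2020</h5><p><h2 id=explanation>` opens a `<p>` immediately before a heading, and the article ends with `</p></p></article>`, where the second `</p>` has nothing left to close. A `<p>` cannot contain an `<h2>`, so the parser closes it implicitly and the stray end tag produces an empty paragraph. Suggest removing the wrapping `<p>`...`</p>` around the content in the page template rather than in the generated file.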
2 changes: 1 addition & 1 deletion docs/attacks/browser-features/index.html
Expand Up @@ -3,5 +3,5 @@
<input type=checkbox class="hidden toggle" id=toc-control><main class="container flex"><aside class=book-menu><nav><h2 class=book-brand><a href=/><span>XS-Leaks Wiki</span></a></h2><div class=book-search><input type=text id=book-search-input placeholder=Search aria-label=Search maxlength=64 data-hotkeys=s/><div class="book-search-spinner hidden"></div><ul id=book-search-results></ul></div><ul><li class=book-section-flat><span>Attacks</span><ul><li><a href=/docs/attacks/xs-search/>XS-Search</a></li><li><a href=/docs/attacks/window-references/>Window References</a></li><li><a href=/docs/attacks/css-tricks/>CSS Tricks</a></li><li><a href=/docs/attacks/error-events/>Error Events</a></li><li><a href=/docs/attacks/frame-counting/>Frame Counting</a></li><li><a href=/docs/attacks/navigations/>Navigations</a></li><li><a href=/docs/attacks/cache-probing/>Cache Probing</a></li><li><a href=/docs/attacks/element-leaks/>Element leaks</a></li><li><a href=/docs/attacks/id-attribute/>ID Attribute</a></li><li><a href=/docs/attacks/postmessage-broadcasts/>postMessage Broadcasts</a></li><li><span>Browser Features</span><ul><li><a href=/docs/attacks/browser-features/corb/>CORB Leaks</a></li><li><a href=/docs/attacks/browser-features/corp/>CORP Leaks</a></li></ul></li><li><span>Timing Attacks</span><ul><li><a href=/docs/attacks/timing-attacks/clocks/>Clocks</a></li><li><a href=/docs/attacks/timing-attacks/network-timing/>Network Timing</a></li><li><a href=/docs/attacks/timing-attacks/performance-api/>Performance API</a></li><li><a href=/docs/attacks/timing-attacks/execution-timing/>Execution Timing</a></li><li><a href=/docs/attacks/timing-attacks/hybrid-timing/>Hybrid Timing</a></li><li><a href=/docs/attacks/timing-attacks/connection-pool/>Connection Pool</a></li></ul></li><li><a href=/docs/attacks/experiments/ class=collapsed>Experiments</a></li><li><a href=/docs/attacks/css-injection/>CSS Injection</a></li><li><a href=/docs/attacks/historical/ 
class=collapsed>Historical</a></li></ul></li><li class=book-section-flat><a href=/docs/defenses/>Defense Mechanisms</a><ul><li><a href=/docs/defenses/design-protections/>Application Design</a><ul><li><a href=/docs/defenses/design-protections/cache-protections/>Cache Protections</a></li><li><a href=/docs/defenses/design-protections/subresource-protections/>Subresource Protections</a></li></ul></li><li><a href=/docs/defenses/opt-in/>Opt-In Mechanisms</a><ul><li><a href=/docs/defenses/opt-in/fetch-metadata/>Fetch Metadata</a></li><li><a href=/docs/defenses/opt-in/coop/>Cross-Origin-Opener-Policy</a></li><li><a href=/docs/defenses/opt-in/corp/>Cross-Origin-Resource-Policy</a></li><li><a href=/docs/defenses/opt-in/xfo/>Framing Protections</a></li><li><a href=/docs/defenses/opt-in/same-site-cookies/>SameSite Cookies</a></li><li><a href=/docs/defenses/opt-in/document-policies/>Document Policies</a></li></ul></li><li><a href=/docs/defenses/isolation-policies/>Isolation Policies</a><ul><li><a href=/docs/defenses/isolation-policies/resource-isolation/>Resource Isolation Policy</a></li><li><a href=/docs/defenses/isolation-policies/framing-isolation/>Framing Isolation Policy</a></li><li><a href=/docs/defenses/isolation-policies/navigation-isolation/>Navigation Isolation Policy</a></li><li><a href=/docs/defenses/isolation-policies/strict-isolation/>Strict Isolation Policy</a></li></ul></li><li><a href=/docs/defenses/secure-defaults/>Secure Defaults</a><ul><li><a href=/docs/defenses/secure-defaults/corb/>Cross-Origin Read Blocking</a></li><li><a href=/docs/defenses/secure-defaults/partitioned-cache/>Partitioned HTTP Cache</a></li></ul></li></ul></li><li class=book-section-flat><a href=/docs/contributions/>Contributions</a><ul></ul></li></ul></nav><script>(function(){var e=document.querySelector("aside.book-menu 
nav");addEventListener("beforeunload",function(){localStorage.setItem("menu.scrollTop",e.scrollTop)}),e.scrollTop=localStorage.getItem("menu.scrollTop")})()</script></aside><div class=book-page><header class=book-header><div class="flex align-center justify-between"><label for=menu-control><img src=/svg/menu.svg class=book-icon alt=Menu>
</label><strong>Browser Features</strong>
<label for=toc-control><img src=/svg/toc.svg class=book-icon alt="Table of Contents"></label></div><aside class="hidden clearfix"><nav id=TableOfContents></nav></aside></header><article class=markdown></article><footer class=book-footer><div class="flex flex-wrap justify-between"><div><a class="flex align-center" href=https://github.com/xsleaks/wiki/commit/49d4f42bc3ecd098061a23f0263f23bddb39c40c title='Last modified by Manuel Sousa | October 2, 2020' target=_blank rel=noopener><img src=/svg/calendar.svg class=book-icon alt=Calendar>
<span>Last Modified: October 2, 2020</span></a></div><div><a class="flex align-center" href=https://github.com/xsleaks/wiki/edit/master/content//docs/attacks/browser-features/_index.md target=_blank rel=noopener><img src=/svg/edit.svg class=book-icon alt=Edit>
<span>Last Modified: October 2, 2020</span></a></div><div><a class="flex align-center" href=https://github.com/xsleaks/wiki/edit/master/content/docs/attacks/browser-features/_index.md target=_blank rel=noopener><img src=/svg/edit.svg class=book-icon alt=Edit>
<span>Edit this article</span></a></div></div></footer><label for=menu-control class="hidden book-menu-overlay"></label></div><aside class=book-toc><nav id=TableOfContents></nav></aside></main></body></html>
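Review bot: `id=TableOfContents` is used twice in this document, once on the `<nav>` inside `<aside class="hidden clearfix">` in the header and again on the `<nav>` inside `<aside class=book-toc>`. IDs must be unique within a page, and any lookup by that id will only ever see the first element. Suggest keeping the id on one of them and using a class on the other in the theme template. Both navs are empty on this section page, and `<article class=markdown></article>` has no content either, so it is worth confirming that an empty landing page is intended.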
2 changes: 1 addition & 1 deletion docs/attacks/cache-probing/index.html
Expand Up @@ -81,5 +81,5 @@
The protection is ineffective for requests from subdomains and <a href=https://xsleaks.dev/docs/attacks/navigations/#partitioned-http-cache-bypass>window navigations</a></blockquote><h2 id=real-world-example>Real World Example
<a class=anchor href=#real-world-example>#</a></h2><p>An attacker using <a href=#cache-probing-with-error-events>Error Events Cache Probing</a> was able to detect whether a user watched a specific YouTube Video by checking if the video thumbnail ended up in browser cache <sup id=fnref:4><a href=#fn:4 class=footnote-ref role=doc-noteref>4</a></sup>.</p><h2 id=references>References
<a class=anchor href=#references>#</a></h2><div class=footnotes role=doc-endnotes><hr><ol><li id=fn:1><p>Timing Attacks on Web Privacy, <a href=http://www.cs.jhu.edu/~fabian/courses/CS600.424/course_papers/webtiming.pdf>link</a>&#160;<a href=#fnref:1 class=footnote-backref role=doc-backlink>&#8617;&#xfe0e;</a></p></li><li id=fn:2><p>HTTP Cache Cross-Site Leaks, <a href=http://sirdarckcat.blogspot.com/2019/03/http-cache-cross-site-leaks.html>link</a>&#160;<a href=#fnref:2 class=footnote-backref role=doc-backlink>&#8617;&#xfe0e;</a></p></li><li id=fn:3><p>CORS misconfiguration, <a href=https://web-in-security.blogspot.com/2017/07/cors-misconfigurations-on-large-scale.html>link</a>&#160;<a href=#fnref:3 class=footnote-backref role=doc-backlink>&#8617;&#xfe0e;</a></p></li><li id=fn:4><p>Mass XS-Search using Cache Attack, <a href=https://terjanq.github.io/Bug-Bounty/Google/cache-attack-06jd2d2mz2r0/index.html#VIII-YouTube-watching-history>link</a>&#160;<a href=#fnref:4 class=footnote-backref role=doc-backlink>&#8617;&#xfe0e;</a></p></li></ol></div></p></article><footer class=book-footer><div class="flex flex-wrap justify-between"><div><a class="flex align-center" href=https://github.com/xsleaks/wiki/commit/4405beed14707dd730e02fe2c825c7924ed08c2b title='Last modified by NDevTK | April 21, 2024' target=_blank rel=noopener><img src=/svg/calendar.svg class=book-icon alt=Calendar>
<span>Last Modified: April 21, 2024</span></a></div><div><a class="flex align-center" href=https://github.com/xsleaks/wiki/edit/master/content//docs/attacks/cache-probing.md target=_blank rel=noopener><img src=/svg/edit.svg class=book-icon alt=Edit>
<span>Last Modified: April 21, 2024</span></a></div><div><a class="flex align-center" href=https://github.com/xsleaks/wiki/edit/master/content/docs/attacks/cache-probing.md target=_blank rel=noopener><img src=/svg/edit.svg class=book-icon alt=Edit>
<span>Edit this article</span></a></div></div></footer><div class=book-comments></div><label for=menu-control class="hidden book-menu-overlay"></label></div><aside class=book-toc><nav id=TableOfContents><ul><li><a href=#attack-principle>Attack Principle</a></li><li><a href=#cache-probing-with-error-events>Cache Probing with Error Events</a><ul><li><a href=#invalidating-the-cache-with-errors>Invalidating the cache with errors</a></li><li><a href=#invalidating-the-cache-without-errors>Invalidating the cache without errors</a></li></ul></li><li><a href=#cors-error-on-origin-reflection-misconfiguration>CORS error on Origin Reflection misconfiguration</a></li><li><a href=#fetch-with-abortcontroller>Fetch with AbortController</a></li><li><a href=#defense>Defense</a></li><li><a href=#real-world-example>Real World Example</a></li><li><a href=#references>References</a></li></ul></nav></aside></main></body></html>
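Review bot: In the References list, footnotes 1 and 2 link over plain HTTP (`http://www.cs.jhu.edu/~fabian/...webtiming.pdf` and `http://sirdarckcat.blogspot.com/2019/03/http-cache-cross-site-leaks.html`), while footnote 3 already uses `https://` for another blogspot.com host. Suggest switching footnote 2 to `https://` and checking whether the footnote 1 host serves the PDF over HTTPS, so readers are not sent through an unauthenticated connection. Minor: the sentence ending at `window navigations</a></blockquote>` has no closing period.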