Cross-Origin State Inference (COSI) Attacks: Leaking Web Site States through XS-Leaks
In a Cross-Origin State Inference (COSI) attack, an attacker lures a victim into visiting an attack web page, which leverages the cross-origin interaction features of the victim's web browser to infer the victim's state at a target web site. COSI attacks can have serious consequences, including determining whether the victim has an account at, or is the administrator of, a prohibited target site, and determining whether the victim owns sensitive content or is the owner of a specific account at the target site. While COSI attacks are not new, they have previously been treated as scattered attacks under different names. This paper is the first to systematically study COSI attacks as a comprehensive category and to present a tool for detecting COSI attacks. We introduce the concept of a COSI attack class to capture related attack variants and identify 39 COSI attack classes, of which 22 are new and the rest generalize existing attacks. We discover a novel XS-Leak based on window.postMessage. We design a novel approach to detect COSI attacks and implement it in Basta-COSI, a tool that produces attack web pages that demonstrate the existence of COSI attacks in a target web site. We apply Basta-COSI to four popular stand-alone web applications and six popular live sites, finding COSI attacks against each of them. Finally, we discuss defenses against COSI attacks.