Scripted Henchmen: Leveraging XS-Leaks for Cross-Site Vulnerability Detection

Abstract

The key security principle that browsers adhere to, such as the same-origin policy and site isolation, ensure that when visiting a potentially untrusted website, the web page is loaded in an isolated environment. These security measures aim to prevent a malicious site from extracting information about cross-origin resources. However, in recent years, several techniques have been discovered that leak potentially sensitive information from responses sent by other sites. In this paper, we show that these XS-Leaks can be used to force an unwitting visitor to detect prevalent web vulnerabilities in other websites during a visit to a malicious web page. This lets an adversary leverage the computing and network resources of visitors and send malicious requests from a large variety of trustworthy IP addresses originating from residential networks. Finally, we find that currently deployed security measures are inadequate to thwart the realistic threat of cross-origin vulnerability detection.