A Framework for Testing Web Applications for Cross-Origin State Inference (COSI) Attacks

Khodayari, Soheil (2019). A Framework for Testing Web Applications for Cross-Origin State Inference (COSI) Attacks. Thesis (Master), E.T.S. de Ingenieros Informáticos (UPM).

Description

Title: A Framework for Testing Web Applications for Cross-Origin State Inference (COSI) Attacks
Author(s):
  • Khodayari, Soheil
Supervisor(s):
  • Carro, Manuel
Document type: Thesis (Master)
Master's degree: Ingeniería del Software
Date: 12 June 2019
Subjects:
SDGs:
Informal keywords: Cross-origin state inference attacks, cross-site information leakage, browser side-channels
School: E.T.S. de Ingenieros Informáticos (UPM)
Department: Lenguajes y Sistemas Informáticos e Ingeniería del Software
Creative Commons licence: Attribution - No Derivatives

Full text

PDF: TESIS_MASTER_SOHEIL_KHODAYARI.pdf (923kB)

Abstract

In a Cross-Origin State Inference (COSI) attack, an attacker convinces a victim into visiting an attack web page, which leverages the cross-origin interaction features of the victim's web browser to infer the victim's state at a target web site. COSI attacks can have serious consequences, including determining whether the victim has an account on, or is the administrator of, a prohibited target site, or whether the victim owns sensitive content hosted at the target site. In this thesis, we perform the first systematic study of COSI attacks and present the first tool for detecting them. We study the mechanisms behind 25 COSI attacks, classify them into 10 leak methods and 38 attack classes, identify a novel COSI attack class based on window.postMessage, and design a novel approach for detecting COSI attacks. We implement our detection approach in Basta-COSI, a tool that produces attack web pages demonstrating the existence of COSI attacks in a given target web site. We apply Basta-COSI to four popular stand-alone web applications (GitHub, GitLab, HotCRP, OpenCart) and five live sites (linkedin.com, blogger.com, amazon.com, drive.google.com, pinterest.com), finding COSI attacks against each of them. Finally, we discuss the countermeasures that browser vendors and site administrators can take against COSI attacks.

More information

Record ID: 57151
DC identifier: https://oa.upm.es/57151/
OAI identifier: oai:oa.upm.es:57151
Deposited by: Mr. Soheil Khodayari
Deposited on: 04 Nov 2019 07:30
Last modified: 04 Nov 2019 07:30