Finding XS-Leaks in Web API Specifications (Bachelor)

Global

Supervision: Lukas Knittel, Dominik Noß

More details:

Description

XS-Leaks are side-channel attacks that allow attackers to infer cross-origin information from the browser's behaviour. For example, an iframe can have two sub-frames when the user is logged in, and three if the user is not logged in.

Some of these XS-Leaks can already be found in the specifications themselves. For example, the Payment API specifies that "a payment handler can restrict the user agent to showing only one payment UI across all browser windows and tabs".

(https://www.w3.org/TR/2020/CR-payment-request-20201203/#using-with-cross-origin-iframes)

The phrase "only one across all windows" has a catch: if a tab can sense that it is forbidden to open a payment UI, it can infer that another tab is currently using it. Voilà, an XS-Leak.
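The reasoning above can be written down as a check that applies to any specified behaviour: does what one tab observes depend on the state of another tab? The following toy model is an added example, not part of the original announcement and not the Payment Request API or any browser's code; all function names, tab names and the per-tab policy are hypothetical and constructed for contrast.

```javascript
// Toy model (added example). Names and policies are hypothetical; this is
// not the Payment Request API and not any browser's implementation.

// Policy modelled on the quoted sentence: one payment UI across all tabs.
function globalSingleUi(state, tab) {
  return state.openUiTabs.size === 0 ? "shown" : "rejected";
}

// Constructed contrast (assumption): the limit is scoped to the requesting tab.
function perTabSingleUi(state, tab) {
  return state.openUiTabs.has(tab) ? "rejected" : "shown";
}

// What the observer tab sees when it requests a payment UI. The secret is
// which other (cross-origin) tabs currently have a payment UI open.
function observe(policy, otherTabsWithUi) {
  const state = { openUiTabs: new Set(otherTabsWithUi) };
  return policy(state, "observer-tab");
}

// Collect the distinct observations over all modelled secret states.
function observations(policy, secretStates) {
  return new Set(secretStates.map((secret) => observe(policy, secret)));
}

// Noninterference check: the behaviour leaks if the observer can tell at
// least two secret states apart, i.e. sees more than one distinct result.
function leaksCrossTabState(policy, secretStates) {
  return observations(policy, secretStates).size > 1;
}

// Constructed secret states: no other tab, one other tab, two other tabs.
const SECRET_STATES = [[], ["tab-a"], ["tab-a", "tab-b"]];

function report() {
  return {
    globalSingleUi: leaksCrossTabState(globalSingleUi, SECRET_STATES),
    perTabSingleUi: leaksCrossTabState(perTabSingleUi, SECRET_STATES),
  };
}

console.log(report());
```

When reading a specification, the same question applies to every sentence that mentions state shared "across all" windows, tabs or origins: if the model's observation set has more than one element, the sentence is a candidate for the list.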

W3C offers a list of specifications:

Additionally, the four big ones are HTML, CSS, DOM and JavaScript:

  • html.spec.whatwg.org/
  • dom.spec.whatwg.org
  • www.w3.org/Style/CSS/specs.en.html
  • www.ecma-international.org/

Scope for Bachelor: the W3C Web API list.

Scope for Master: the W3C Web API spec list and one (1) of the big ones.

Your task is to delve into the many specifications and find all such hidden pitfalls, delivering an aggregated list of possibly novel XS-Leaks.

Requirements

Knowledge of XS-Leaks. Skills in JavaScript, English, and web security.