XS-Leak

Cross-Site Leaks (XS-Leaks) are side-channel vulnerabilities allowing attackers to infer sensitive information from a target origin without reading the response body. They exploit browser behaviors, timing differences, and observable side effects rather than traditional XSS data exfiltration.

Summary

Tools
Methodology
- Attack Primitives
- XS-Search
Cross-site Oracles
Labs
References

Tools

RUB-NDS/xsinator.com - XS-Leak Browser Test Suite.
RUB-NDS/AutoLeak - Find XS-Leaks in the browser by diffing DOM-Graphs in two states.

Methodology

Attack Primitives

Unlike classic CORS or XSS attacks, XS-Leaks rely on observable browser behavior:

Primitive	Leaks
Timing	Resource size / complexity
Frame count	Content differences
Errors	Access control decisions
Cache	Previous visits
Navigation	Auth state
Rendering	Text length

XS-Search

XS-Search attacks abuse Query-Based Search Systems to leak user information. By measuring the side effects of a search query (e.g., response time, frame count, or error events), an attacker can infer whether a search returned results or not. This boolean oracle can be used to brute-force sensitive data character by character.

Examples:

Opening 50 tabs and use the timing difference from an iframe CSP violation in the search results page to bruteforce the flag character by character.

Cross-site Oracles

Timing Attacks

In a timing attack, an attacker seeks to uncover sensitive information by observing how long a system takes to respond to particular requests. They deploy carefully designed scripts to the target application to execute API calls, send AJAX requests, or initiate cross-origin resource sharing (CORS) interactions. By measuring and comparing the response times of these operations, the attacker can deduce insights about the system’s internal behavior, data validation processes, or underlying security controls.

Frame Counting

If a page loads different numbers of iframes based on the user's state (e.g., search results), an attacker can count them to infer data.

// Get a reference to the window
var win = window.open('https://example.org');

// Wait for the page to load
setTimeout(() => {
  // Read the number of iframes loaded
  console.log("%d iframes detected", win.length);
}, 2000);

Cache Probing

In a cache probing attack, a malicious website attempts to determine whether a specific resource from a target site is already stored in the victim’s browser cache. The attacker causes the browser to request a resource (for example, an image, script, or endpoint) that may only be cached if the user is authenticated or has previously visited a particular page. By measuring how quickly the resource loads, or by observing differences in behavior between a cached and non-cached response, the attacker can infer sensitive information.

Known Oracles

Cache Leak (CORS) - Detect resources loaded by page. Cache is deleted with CORS error.
Cache Leak (POST) - Detect resources loaded by page. Cache is deleted with a POST request.
ContentDocument X-Frame Leak - Detect X-Frame-Options with ContentDocument.
COOP Leak - Detect Cross-Origin-Opener-Policy header with popup.
CORB Leak - Detect X-Content-Type-Options in combination with specific content type using CORB.
CORP Leak - Detect Cross-Origin-Resource-Policy header with fetch.
CORS Error Leak - Leak redirect target URL with CORS error.
CSP Directive Leak - Detect CSP directives with CSP iframe attribute.
CSP Redirect Detection - Detect cross-origin redirects with CSP violation event.
CSP Violation Leak - Leak cross-origin redirect target with CSP violation event.
CSS Property Leak - Leak CSS rules with getComputedStyle.
Disk cache grooming
Download Detection - Detect downloads (Content-Disposition header).
Duration Redirect Leak - Detect cross-origin redirects by checking the duration.
ETag header length - Detect response body size with ETag header length
Event Handler Leak (Object) - Detect errors with onload/onerror with object.
Event Handler Leak (Script) - Detect errors with onload/onerror with script.
Event Handler Leak (Stylesheet) - Detect errors with onload/onerror with stylesheet.
Fetch Redirect Leak - Detect HTTP redirects with Fetch API.
Frame Count Leak - Detect the number of iframes on a page.
History Length Leak - Detect javascript redirects with History API.
Id Attribute Leak - Leak id attribute of focusable HTML elements with onblur.
Max Redirect Leak - Detect server redirect by abusing max redirect limit.
Media Dimensions Leak - Leak dimensions of images or videos.
Media Duration Leak - Leak duration of audio or videos.
MediaError Leak - Detect status codes with MediaError message.
Payment API Leak - Detect if another tab is using the Payment API.
Performance API CORP Leak - Detect Cross-Origin-Resource-Policy header with Performance API.
Performance API Download Detection - Detect downloads (Content-Disposition header) with Performance API.
Performance API Empty Page Leak - Detect empty responses with Performance API.
Performance API Error Leak - Detect errors with Performance API.
Performance API X-Frame Leak - Detect X-Frame-Options with Performance API.
Performance API XSS Auditor Leak - Detect scripts/event handlers in a page with Performance API.
Redirect Start Leak - Detect cross-origin HTTP redirects by checking redirectStart time.
Request Merging Error Leak - Detect errors with request merging.
SRI Error Leak - Leak content length with SRI error.
Style Reload Error Leak - Detect errors with style reload bug.
URL Max Length Leak - Detect server redirect by abusing URL max length.
WebSocket Leak (FF) - Detect the number of websockets on a page by exausting the socket limit.
WebSocket Leak (GC) - Detect the number of websockets on a page by exausting the socket limit.

Labs

Root Me - XS Leaks