Cross-Site Search Attacks: Unauthorized Queries over Private Data

Bar Meyuhas, Nethanel Gelernter, Amir Herzberg
International Conference on Cryptology and Network Security,
2020
Conferences & Workshops
Cybersecurity

Abstract

Cross-site search attacks allow a rogue website to expose private, sensitive user-information from web applications. The attacker exploits timing and other side channels to extract the information, using cleverly-designed cross-site queries.

In this work, we present a systematic approach to the study of cross-site search attacks. We begin with a comprehensive taxonomy, clarifying the relationships between different types of cross-site search attacks, as well as their relationships to other attacks. We then present, analyze, and compare cross-site search attacks; we present new attacks that have improved efficiency and can circumvent browser defenses, and compare them with already-published attacks. We also developed and present a reproducibility framework, which allows the study and evaluation of different cross-site attacks and defenses.

We also discuss defenses against cross-site search attacks, for both browsers and servers. We argue that server-based defenses are essential, including restricting cross-site search requests.
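The abstract argues that servers should restrict cross-site search requests rather than rely on the browser alone. The following is an added illustration of what such a server-side restriction can look like; it is not code from the paper or its reproducibility framework. It assumes a search endpoint mounted under `/search`, uses the browser-supplied `Sec-Fetch-Site` Fetch Metadata header when present, and falls back to comparing the `Origin` or `Referer` header against the application's own origin for older browsers. The function name `is_cross_site_search` and the sample headers are constructed for this example.

```python
"""Server-side gate for search endpoints against cross-site search requests.

Added example, not from the paper. Policy implemented here:
  * Requests to non-search paths are left to other controls.
  * Modern browsers send Sec-Fetch-Site; a value of "cross-site" is refused,
    while "same-origin", "same-site" and "none" (typed URL / bookmark) pass.
  * Without Fetch Metadata, Origin then Referer are compared to our origin.
  * With no initiator evidence at all the request is refused, because the
    attack only needs the victim's browser to issue an authenticated GET.
"""
from typing import Mapping, Optional
from urllib.parse import urlsplit


def origin_of(url: str) -> Optional[str]:
    """Return scheme://host[:port] of a URL in lowercase, or None if absent."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}".lower()


def is_cross_site_search(
    headers: Mapping[str, str],
    path: str,
    own_origin: str,
    search_prefixes: tuple = ("/search",),
) -> bool:
    """True when the request is a search that should be refused as cross-site."""
    if not any(path.startswith(prefix) for prefix in search_prefixes):
        return False  # not a search endpoint; this check does not apply

    # Header names are case-insensitive; normalise once.
    lowered = {name.lower(): value for name, value in headers.items()}

    site = lowered.get("sec-fetch-site")
    if site is not None:
        # Browsers set this header themselves; pages cannot forge it.
        return site.strip().lower() == "cross-site"

    # Legacy fallback: Origin is preferred, Referer otherwise.
    for name in ("origin", "referer"):
        if name in lowered:
            return origin_of(lowered[name]) != own_origin.lower()

    # No information about who initiated the request: refuse the search.
    return True


def classify_sample_requests() -> dict:
    """Run the gate over a few constructed requests (sample data, not real traffic)."""
    own = "https://mail.example"
    samples = {
        "fetch_metadata_cross_site": ({"Sec-Fetch-Site": "cross-site"}, "/search?q=invoice"),
        "fetch_metadata_same_origin": ({"Sec-Fetch-Site": "same-origin"}, "/search?q=invoice"),
        "legacy_foreign_referer": ({"Referer": "https://attacker.invalid/p"}, "/search?q=invoice"),
        "legacy_own_origin": ({"Origin": "https://mail.example"}, "/search?q=invoice"),
        "legacy_no_evidence": ({}, "/search?q=invoice"),
        "not_a_search": ({}, "/inbox"),
    }
    return {label: is_cross_site_search(h, p, own) for label, (h, p) in samples.items()}


if __name__ == "__main__":
    for label, refused in classify_sample_requests().items():
        print(f"{label:28s} refused={refused}")
```

Refusing the request outright is only one option; a deployment might instead serve a fixed-cost response for cross-site searches so that timing no longer depends on the result set. Either way, `SameSite` cookie attributes are a useful complement, since a search request that arrives without the session cookie cannot leak anything about the user.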

Prizes

December 14, 2020
Best Paper Award

@inproceedings{meyuhas2020cross,
  title={Cross-Site Search Attacks: Unauthorized Queries over Private Data},
  author={Meyuhas, Bar and Gelernter, Nethanel and Herzberg, Amir},
  booktitle={International Conference on Cryptology and Network Security},
  pages={43--62},
  year={2020},
  organization={Springer}
}