Cross-site search attacks: Unauthorized queries over private data

Bar Meyuhas; Nethanel Gelernter; Amir Herzberg

doi:10.1007/978-3-030-65411-5_3

Cross-site search attacks: Unauthorized queries over private data

Bar Meyuhas, Nethanel Gelernter, Amir Herzberg

Department of Computer Science

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

1 Scopus citations

Abstract

Cross-site search attacks allow a rogue website to expose private, sensitive user-information from web applications. The attacker exploits timing and other side channels to extract the information, using cleverly-designed cross-site queries. In this work, we present a systematic approach to the study of cross-site search attacks. We begin with a comprehensive taxonomy, clarifying the relationships between different types of cross-site search attacks, as well as relationships to other attacks. We then present, analyze, and compare cross-site search attacks; We present new attacks that have improved efficiency and can circumvent browser defenses, and compare to already-published attacks. We developed and present a reproducibility framework, which allows study and evaluation of different cross-site attacks and defenses. We also discuss defenses against cross-site search attacks, for both browsers and servers. We argue that server-based defenses are essential, including restricting cross-site search requests.

Original language	English
Title of host publication	Cryptology and Network Security - 19th International Conference, CANS 2020, Vienna, Austria, December 14–16, 2020, Proceedings
Editors	Stephan Krenn, Haya Shulman, Serge Vaudenay
Publisher	Springer Science and Business Media Deutschland GmbH
Pages	43-62
Number of pages	20
ISBN (Print)	9783030654108
DOIs	https://doi.org/10.1007/978-3-030-65411-5_3
State	Published - 2020
Event	19th International Conference on Cryptology and Network Security, CANS 2020 - Vienna, Austria Duration: 14 Dec 2020 → 16 Dec 2020

Publication series

Name	Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume	12579 LNCS
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3349

Conference

Conference	19th International Conference on Cryptology and Network Security, CANS 2020
Country/Territory	Austria
City	Vienna
Period	14/12/20 → 16/12/20

Bibliographical note

Publisher Copyright:
© Springer Nature Switzerland AG 2020.

Access to Document

10.1007/978-3-030-65411-5_3

Cite this

Meyuhas, B., Gelernter, N., & Herzberg, A. (2020). Cross-site search attacks: Unauthorized queries over private data. In S. Krenn, H. Shulman, & S. Vaudenay (Eds.), Cryptology and Network Security - 19th International Conference, CANS 2020, Vienna, Austria, December 14–16, 2020, Proceedings (pp. 43-62). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 12579 LNCS). Springer Science and Business Media Deutschland GmbH. https://doi.org/10.1007/978-3-030-65411-5_3

Meyuhas, Bar ; Gelernter, Nethanel ; Herzberg, Amir. / Cross-site search attacks : Unauthorized queries over private data. Cryptology and Network Security - 19th International Conference, CANS 2020, Vienna, Austria, December 14–16, 2020, Proceedings. editor / Stephan Krenn ; Haya Shulman ; Serge Vaudenay. Springer Science and Business Media Deutschland GmbH, 2020. pp. 43-62 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)).

@inproceedings{0efab30f236b4d6ba155acbb2a690842,

title = "Cross-site search attacks: Unauthorized queries over private data",

abstract = "Cross-site search attacks allow a rogue website to expose private, sensitive user-information from web applications. The attacker exploits timing and other side channels to extract the information, using cleverly-designed cross-site queries. In this work, we present a systematic approach to the study of cross-site search attacks. We begin with a comprehensive taxonomy, clarifying the relationships between different types of cross-site search attacks, as well as relationships to other attacks. We then present, analyze, and compare cross-site search attacks; We present new attacks that have improved efficiency and can circumvent browser defenses, and compare to already-published attacks. We developed and present a reproducibility framework, which allows study and evaluation of different cross-site attacks and defenses. We also discuss defenses against cross-site search attacks, for both browsers and servers. We argue that server-based defenses are essential, including restricting cross-site search requests.",

author = "Bar Meyuhas and Nethanel Gelernter and Amir Herzberg",

note = "Publisher Copyright: {\textcopyright} Springer Nature Switzerland AG 2020.; 19th International Conference on Cryptology and Network Security, CANS 2020 ; Conference date: 14-12-2020 Through 16-12-2020",

year = "2020",

doi = "10.1007/978-3-030-65411-5_3",

language = "אנגלית",

isbn = "9783030654108",

series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",

publisher = "Springer Science and Business Media Deutschland GmbH",

pages = "43--62",

editor = "Stephan Krenn and Haya Shulman and Serge Vaudenay",

booktitle = "Cryptology and Network Security - 19th International Conference, CANS 2020, Vienna, Austria, December 14–16, 2020, Proceedings",

address = "גרמניה",

}

Meyuhas, B, Gelernter, N & Herzberg, A 2020, Cross-site search attacks: Unauthorized queries over private data. in S Krenn, H Shulman & S Vaudenay (eds), Cryptology and Network Security - 19th International Conference, CANS 2020, Vienna, Austria, December 14–16, 2020, Proceedings. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 12579 LNCS, Springer Science and Business Media Deutschland GmbH, pp. 43-62, 19th International Conference on Cryptology and Network Security, CANS 2020, Vienna, Austria, 14/12/20. https://doi.org/10.1007/978-3-030-65411-5_3

Cross-site search attacks: Unauthorized queries over private data. / Meyuhas, Bar; Gelernter, Nethanel; Herzberg, Amir.
Cryptology and Network Security - 19th International Conference, CANS 2020, Vienna, Austria, December 14–16, 2020, Proceedings. ed. / Stephan Krenn; Haya Shulman; Serge Vaudenay. Springer Science and Business Media Deutschland GmbH, 2020. p. 43-62 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 12579 LNCS).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - Cross-site search attacks

T2 - 19th International Conference on Cryptology and Network Security, CANS 2020

AU - Meyuhas, Bar

AU - Gelernter, Nethanel

AU - Herzberg, Amir

PY - 2020

Y1 - 2020

N2 - Cross-site search attacks allow a rogue website to expose private, sensitive user-information from web applications. The attacker exploits timing and other side channels to extract the information, using cleverly-designed cross-site queries. In this work, we present a systematic approach to the study of cross-site search attacks. We begin with a comprehensive taxonomy, clarifying the relationships between different types of cross-site search attacks, as well as relationships to other attacks. We then present, analyze, and compare cross-site search attacks; We present new attacks that have improved efficiency and can circumvent browser defenses, and compare to already-published attacks. We developed and present a reproducibility framework, which allows study and evaluation of different cross-site attacks and defenses. We also discuss defenses against cross-site search attacks, for both browsers and servers. We argue that server-based defenses are essential, including restricting cross-site search requests.

AB - Cross-site search attacks allow a rogue website to expose private, sensitive user-information from web applications. The attacker exploits timing and other side channels to extract the information, using cleverly-designed cross-site queries. In this work, we present a systematic approach to the study of cross-site search attacks. We begin with a comprehensive taxonomy, clarifying the relationships between different types of cross-site search attacks, as well as relationships to other attacks. We then present, analyze, and compare cross-site search attacks; We present new attacks that have improved efficiency and can circumvent browser defenses, and compare to already-published attacks. We developed and present a reproducibility framework, which allows study and evaluation of different cross-site attacks and defenses. We also discuss defenses against cross-site search attacks, for both browsers and servers. We argue that server-based defenses are essential, including restricting cross-site search requests.

UR - http://www.scopus.com/inward/record.url?scp=85098239922&partnerID=8YFLogxK

U2 - 10.1007/978-3-030-65411-5_3

DO - 10.1007/978-3-030-65411-5_3

M3 - ???researchoutput.researchoutputtypes.contributiontobookanthology.conference???

AN - SCOPUS:85098239922

SN - 9783030654108

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 43

EP - 62

BT - Cryptology and Network Security - 19th International Conference, CANS 2020, Vienna, Austria, December 14–16, 2020, Proceedings

A2 - Krenn, Stephan

A2 - Shulman, Haya

A2 - Vaudenay, Serge

PB - Springer Science and Business Media Deutschland GmbH

Y2 - 14 December 2020 through 16 December 2020

ER -

Meyuhas B, Gelernter N, Herzberg A. Cross-site search attacks: Unauthorized queries over private data. In Krenn S, Shulman H, Vaudenay S, editors, Cryptology and Network Security - 19th International Conference, CANS 2020, Vienna, Austria, December 14–16, 2020, Proceedings. Springer Science and Business Media Deutschland GmbH. 2020. p. 43-62. (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)). doi: 10.1007/978-3-030-65411-5_3

Cross-site search attacks: Unauthorized queries over private data

Abstract

Publication series

Conference

Bibliographical note

Access to Document

Other files and links

Fingerprint

Cite this