XSinator.com – CCS 2021 Best Paper Award Banner

Three co-founders from Hackmanit (Prof. Dr Jörg Schwenk, Prof. Dr. Marcus Niemietz, Dr. Christian Mainka), together with researchers from the Ruhr University Bochum, received the Best Paper Award at the "ACM Conference on Computer and Communications Security" (CCS) 2021. CCS is one of the most important international IT security conferences and their committee selected the publication "XSinator.com: From a Formal Model to the Automatic Evaluation of Cross-Site Leaks in Web Browsers" for the best paper award.

Used as a foundation within the publication, the same-origin policy (SOP) is probably known as the web browser’s main defense against a variety of attacks. Basically, the SOP prevents the leakage of information from a trusted site (e.g., bank.com) to an adversary's malicious website (e.g., attacker.com). The type of leaked information can range from a simple “user is logged in on the trusted site” up to a revelation of the victim's identity, including information such as the victim’s name, gender, and birthday.


Recently, a new class of attacks came into the security community's attention: Cross-Site Leaks (XS-Leaks).
Each XS-Leak consists of three different characteristics:

1. A detectable difference is a distinction on a specific URL that is caused by a user state. We call such a URL a state-dependent resource. For example, if a user is logged in on bank.com, the user can check its account. Otherwise, a login screen is shown. Various differences exist; they can be subtle, such as different HTML content, or happening in the background, such as an HTTP redirect.

2. The inclusion method is used by the attacker to embed the state-dependent resource. The attacker can use various methods for this purpose, such as such as , <iframe>, <img>, or JavaScript (e.g., fetch API).

3. The leak technique allows the attacker to gather the actual state of the victim. For example, the state-dependent resource changes if the user is logged in or out, but the attacker may not be able to detect this difference due to the SOP. However, various pieces of information can leak cross-origin, for example, the popup.frames.length property from the Document Object Model.


Test your Browser (mobile or desktop)  >>>  XSinator.com

download paper



Our Experts Develop the Optimal Solution for You

Template Injection – Cross-Site Scripting (XXS) – Web Security

Are you using template engines in your web application and want to make sure they are used in a secure way? Or do you want to ensure your application's users and data is protected against other threats?

We will be glad to advise you; contact us for a no-obligation initial consultation. Thus, we are at your side with the following services and solutions:

IT Security Consulting  |  Training   |  Penetration Tests

Don't hesitate and find your way to secure web applications with us. We look forward to supporting you with your projects.


contact marcus niemietz

Your Contact for Web Security

Prof. Dr. Marcus Niemietz