XSinator.com – CCS 2021 Best Paper Award

Three co-founders of Hackmanit (Prof. Dr. Jörg Schwenk, Prof. Dr. Marcus Niemietz, Dr. Christian Mainka), together with researchers from the Ruhr University Bochum, received the Best Paper Award at the "ACM Conference on Computer and Communications Security" (CCS) 2021. CCS is one of the most important international IT security conferences, and its committee selected the publication "XSinator.com: From a Formal Model to the Automatic Evaluation of Cross-Site Leaks in Web Browsers" for the Best Paper Award.

The same-origin policy (SOP), which serves as a foundation of the publication, is probably best known as the web browser’s main defense against a variety of attacks. Basically, the SOP prevents the leakage of information from a trusted site (e.g., bank.com) to an adversary's malicious website (e.g., attacker.com). The leaked information can range from a simple “user is logged in on the trusted site” up to a revelation of the victim's identity, including information such as the victim’s name, gender, and birthday.

 

Recently, a new class of attacks came to the security community's attention: Cross-Site Leaks (XS-Leaks).
Each XS-Leak is made up of three characteristics:

1. A detectable difference is a distinction at a specific URL that is caused by the user's state. We call such a URL a state-dependent resource. For example, if a user is logged in on bank.com, the user can check their account. Otherwise, a login screen is shown. Various differences exist; they can be subtle, such as different HTML content, or happen in the background, such as an HTTP redirect.

2. The inclusion method is used by the attacker to embed the state-dependent resource. The attacker can use various methods for this purpose, such as <iframe>, <img>, or JavaScript (e.g., the fetch API).

3. The leak technique allows the attacker to learn the actual state of the victim. For example, the state-dependent resource changes depending on whether the user is logged in or out, but the attacker may not be able to detect this difference due to the SOP. However, various pieces of information can leak cross-origin, for example, the popup.frames.length property from the Document Object Model.
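
The following JavaScript (Node.js) is an added example, not code from the paper or from XSinator.com. It compares the responses one URL of your own site returns in two user states and lists the differences that make it a state-dependent resource. The response objects and paths are constructed sample data, and counting frame tags in the markup is an assumption that only approximates the frames.length value mentioned above.

```javascript
// Added example: audit a URL of your own site for state-dependent differences.
// All sample responses below are constructed, not captured traffic.

// Count <iframe>/<frame> elements in markup. Assumption: this approximates
// what frames.length would report; frames created by script are not counted.
function countFrames(html) {
  const withoutComments = html.replace(/<!--[\s\S]*?-->/g, '');
  const tags = withoutComments.match(/<i?frame\b/gi);
  return tags ? tags.length : 0;
}

// Reduce a response to the properties the text names as differences:
// an HTTP redirect, different HTML content, and the number of frames.
function observableSignals(resp) {
  const body = resp.body || '';
  const redirect = resp.status >= 300 && resp.status < 400;
  return {
    status: resp.status,
    redirect,
    frames: redirect ? 0 : countFrames(body),
    bodyLength: body.length,
  };
}

// Return one finding per signal that differs between the two user states.
// An empty list means this check found no detectable difference.
function detectableDifferences(loggedIn, loggedOut) {
  const a = observableSignals(loggedIn);
  const b = observableSignals(loggedOut);
  return Object.keys(a)
    .filter((key) => a[key] !== b[key])
    .map((key) => ({ signal: key, loggedIn: a[key], loggedOut: b[key] }));
}

// Constructed sample: the account page embeds two widgets, the login page none.
const loggedIn = {
  status: 200,
  body: '<html><body><h1>Account</h1><iframe src="/widgets/balance"></iframe>' +
        '<iframe src="/widgets/messages"></iframe></body></html>',
};
const loggedOut = {
  status: 200,
  body: '<html><body><form action="/login" method="post"></form></body></html>',
};

for (const f of detectableDifferences(loggedIn, loggedOut)) {
  console.log(`${f.signal}: logged in = ${f.loggedIn}, logged out = ${f.loggedOut}`);
}
```

A finding on `frames` is the kind of difference the leak technique in item 3 can read cross-origin, so such a URL is a candidate for returning the same frame structure in every user state.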

 

Test your Browser (mobile or desktop)  >>>  XSinator.com
