rspec/rules/S5750/description.adoc

Web browsers, CDNs or similar proxy-servers can cache HTTP responses (especially large content such as images, scripts etc) to improve web browsing performance and to not overload the application serving the resources. However this may lead to privacy issues if a private web page containing personal user information is cached and served to another user. A different type of attacks allowed when caching resources at the web-browser level is cross-site leak attacks/side-channel attacks, here the attacker infers information about an user (for instance,  web page he is visiting) by observing timing responses or other relevant data when requesting private resources that may be cached.


Example of a side channel attack:

* The attacker wants to known if a user is involved in a confidential agreement between two companies A and B.
* If it is the case, the user can access to the resource _contract-between-A-and-B.png_ after being authenticated on a website.
* The attacker tricks the user to visit a malicious website containing the below code in order to determine the desired information:

----
<img id="leakyimage" src=""> 
<script language="javascript">
  leakyimage.src = "https://targetexample.com/private/contract-between-A-and-B.png";

  leakyimage.onload = function SideChannelObservations() {
    // compare timing between a cached image and not cached image
    // or success of load
    // in order to determine if the image is cached and so if the user has right to access to this image
  }
</script>
----
Add rules 5000-5999 2020-06-30 12:50:28 +02:00			Web browsers, CDNs or similar proxy-servers can cache HTTP responses (especially large content such as images, scripts etc) to improve web browsing performance and to not overload the application serving the resources. However this may lead to privacy issues if a private web page containing personal user information is cached and served to another user. A different type of attacks allowed when caching resources at the web-browser level is cross-site leak attacks/side-channel attacks, here the attacker infers information about an user (for instance, web page he is visiting) by observing timing responses or other relevant data when requesting private resources that may be cached.

Force linebreaks 2021-02-02 15:02:10 +01:00
Add rules 5000-5999 2020-06-30 12:50:28 +02:00			`Example of a side channel attack:`
Fix code block ambiguity with old header style Ensure blank line before list and clean the one leading space 2020-06-30 14:49:38 +02:00
Add rules 5000-5999 2020-06-30 12:50:28 +02:00			`* The attacker wants to known if a user is involved in a confidential agreement between two companies A and B.`
			`* If it is the case, the user can access to the resource _contract-between-A-and-B.png_ after being authenticated on a website.`
			`* The attacker tricks the user to visit a malicious website containing the below code in order to determine the desired information:`

			`----`
			`<img id="leakyimage" src="">`
			`<script language="javascript">`
			`leakyimage.src = "https://targetexample.com/private/contract-between-A-and-B.png";`

			`leakyimage.onload = function SideChannelObservations() {`
			`// compare timing between a cached image and not cached image`
			`// or success of load`
			`// in order to determine if the image is cached and so if the user has right to access to this image`
			`}`
			`</script>`
			`----`