22 lines
1.5 KiB
Plaintext
22 lines
1.5 KiB
Plaintext
Web browsers, CDNs or similar proxy-servers can cache HTTP responses (especially large content such as images, scripts etc) to improve web browsing performance and to not overload the application serving the resources. However this may lead to privacy issues if a private web page containing personal user information is cached and served to another user. A different type of attacks allowed when caching resources at the web-browser level is cross-site leak attacks/side-channel attacks, here the attacker infers information about an user (for instance, web page he is visiting) by observing timing responses or other relevant data when requesting private resources that may be cached.
|
|
|
|
|
|
Example of a side channel attack:
|
|
|
|
* The attacker wants to known if a user is involved in a confidential agreement between two companies A and B.
|
|
* If it is the case, the user can access to the resource _contract-between-A-and-B.png_ after being authenticated on a website.
|
|
* The attacker tricks the user to visit a malicious website containing the below code in order to determine the desired information:
|
|
|
|
----
|
|
<img id="leakyimage" src="">
|
|
<script language="javascript">
|
|
leakyimage.src = "https://targetexample.com/private/contract-between-A-and-B.png";
|
|
|
|
leakyimage.onload = function SideChannelObservations() {
|
|
// compare timing between a cached image and not cached image
|
|
// or success of load
|
|
// in order to determine if the image is cached and so if the user has right to access to this image
|
|
}
|
|
</script>
|
|
----
|