XS-Leaks

🔍 Introduction

XS-Leaks (Cross-site Leaks) refers to attack methods that infer information through interaction with another site, and as a result exfiltrate data, without violating security policies such as CSP and SOP. Overall it feels similar to CSRF in many respects, but where CSRF performs an action on the user's behalf, XS-Leaks focuses on inferring and deducing information about the user.

Most XS-Leaks are problems in the design of the web itself. The cross-site policies defined in the web and web browser specifications are not perfect, and when their gaps are probed skillfully, cases arise where XS-Leaks become possible. For that reason browser vendors such as Firefox, Chrome and Safari additionally implement their own defense mechanisms against them.

A representative defense mechanism is COOP.

Cross-Origin-Opener-Policy: same-origin

XS Oracle

XS-Leaks์—์„œ ์‚ฌ์šฉ๋˜๋Š” ์ •๋ณด์˜ ์กฐ๊ฐ, ํŒŒํŽธ๋“ค์€ ๊ต‰์žฅํžˆ ์ž‘์€ ๋‹จ์œ„๋ฉฐ ์ด๋ฅผ Oracle์ด๋ผ๊ณ  ๋ถ€๋ฆ…๋‹ˆ๋‹ค. ๊ทธ๋ž˜๊ณ  ๊ณต๊ฒฉ์ž๋Š” ๋ฐ˜๋ณต์ ์ธ ์š”์ฒญ ๋“ฑ์„ ํ†ตํ•ด XS Oracle์„ ๋Œ€๋Ÿ‰์œผ๋กœ ์ˆ˜์ง‘ํ•˜๋ฉด์„œ ์›ํ•˜๋Š” ๋ฐ์ดํ„ฐ๋ฅผ ์ถ”๋ก ํ•ฉ๋‹ˆ๋‹ค.

Basic example

Below is simple logic that loops over a list array and checks whether each page exists.

<script>
	// Synchronous GET that returns only the HTTP status code of the response.
	function httpGet(theUrl) {
		var xmlHttp = new XMLHttpRequest();
		xmlHttp.open("GET", theUrl, false);
		xmlHttp.send(null);
		return xmlHttp.status;
	}

	// Candidate paths to probe.
	const list = [
		"aaa",
		"bbb",
		"ccc",
		"about"
	];

	// Log the status for each path; 200 vs 404 tells whether the page exists.
	list.forEach(function(k){
		console.log("https://www.hahwul.com/"+k+"/ => "+httpGet("https://www.hahwul.com/"+k+"/"));
	});
</script>

In this way, status codes can be used to check which pages exist. What if the path is a secret one? An attacker can repeatedly send requests using a prepared wordlist or the pattern of the path and guess the user's secret path. This is what we call XS-Leaks, and the status returned for each path used here is the XS Oracle.

🗡 Offensive techniques

XS-Search is a method for extracting sensitive information from search pages and the like. Typically it measures the response's status, time, etc., and matches the sensitive information one character at a time.

GET /search?q=1 (200 / 100ms)
GET /search?q=2 (404 / 20000ms)

As above, when there is a time difference or a different status between the case where search results exist and the case where they do not, repeated requests can find the valid values.

GET /search?q=a (404 / 20014ms)
GET /search?q=b (404 / 20011ms)
GET /search?q=c (404 / 20001ms)
GET /search?q=d (200 / 105ms)
...
GET /search?q=data (200 / 100ms)

An easy-to-understand representative example is a salary search system. If the admin panel that handles salaries has a feature to search per user, the salary range of a particular user can be inferred from the search conditions and results, as below.

GET /salary?user=hahwul&min=0&max=100 (404 / 20001ms)
GET /salary?user=hahwul&min=100&max=200 (404 / 20601ms)
GET /salary?user=hahwul&min=200&max=300 (200 / 104ms)

This approach is called XS-Search, and it is the most fundamental technique in XS-Leaks.

More patterns

XS-Leaks์˜ ํŒจํ„ด์€ ์›Œ๋‚™ ๋งŽ๊ธฐ๋„ ํ•˜๊ณ  XS-Leaks Wiki์— ์ž˜ ์ •๋ฆฌ๋˜์–ด ์žˆ์–ด์„œ ํ•ด๋‹น ๋งํฌ๋ฅผ ์ฐธ๊ณ ํ•˜์‹œ๋Š”๊ฒŒ ์ข‹์„ ๊ฒƒ ๊ฐ™์Šต๋‹ˆ๋‹ค.

XSinator

XSinator is a tool for testing XS-Leaks; with it you can find out which XS-Leaks cases are possible for each browser version.

🛡 Defensive techniques

The countermeasures for XS-Leaks differ depending on the type and the conditions. Still, they can commonly be addressed with SameSite cookies, COOP, iframe policies and the like.
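As an added example that is not part of the original post, the following Node.js request handler applies the countermeasures listed here (COOP, an iframe policy, a SameSite cookie) to the /salary search from the XS-Search section and removes its 200/404 status oracle. The endpoint, cookie name, session token and salary data are constructed for illustration; response-time differences are a separate oracle that this code does not address.

```javascript
// Added example, not from the original post: a Node.js request handler that
// applies the post's countermeasures (COOP, iframe policy, SameSite cookie)
// and removes the 200/404 oracle from the /salary search shown above.
// The endpoint, cookie name and salary data are constructed for illustration.
const SALARIES = { hahwul: 250 };            // constructed admin data
const VALID_SESSION = "admin-session-token"; // constructed session token

// Response headers that isolate this site from cross-site pages.
function isolationHeaders() {
  return {
    // COOP: a cross-site opener loses its window reference to this page.
    "Cross-Origin-Opener-Policy": "same-origin",
    // Iframe policy: other origins cannot embed this page.
    "Content-Security-Policy": "frame-ancestors 'self'",
    "X-Frame-Options": "SAMEORIGIN",
    "Content-Type": "application/json",
  };
}

// Set-Cookie value for the login response. SameSite=Strict means the browser
// never attaches it to a cross-site request, so a probe from an attacker's
// page is answered as an anonymous user.
function sessionCookie(token) {
  return `session=${token}; Path=/; Secure; HttpOnly; SameSite=Strict`;
}

// Parse a Cookie request header into a plain object.
function parseCookies(header) {
  const pairs = (header || "").split(";").map((c) => c.trim().split("="));
  return Object.fromEntries(pairs.filter((p) => p[0]));
}

// Handle GET /salary?user=..&min=..&max=.. and return {status, headers, body}
// as a plain object, so the logic can be exercised without a socket.
function salaryResponse(urlPath, cookieHeader) {
  const url = new URL(urlPath, "http://localhost");
  const headers = isolationHeaders();
  if (parseCookies(cookieHeader).session !== VALID_SESSION) {
    return { status: 401, headers, body: JSON.stringify({ error: "login required" }) };
  }
  const user = url.searchParams.get("user");
  const min = Number(url.searchParams.get("min"));
  const max = Number(url.searchParams.get("max"));
  const salary = SALARIES[user];
  const hit = salary !== undefined && salary >= min && salary < max;
  // Same 200 status whether or not the range matched: the answer is only in
  // the body, which a cross-site page cannot read under SOP.
  return { status: 200, headers, body: JSON.stringify({ results: hit ? [user] : [] }) };
}
```

Wire `salaryResponse(req.url, req.headers.cookie)` into `http.createServer` and write `r.status`, `r.headers` and `r.body` to the response; `sessionCookie()` is the Set-Cookie value the login handler would emit.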

🕹 Tools

📌 References

Licensed under CC BY-NC-SA 4.0