BIPI

XS-Leaks Cookbook: Cross-Origin Side Channels Hunters Actually Use

Cybersecurity

A practical tour of XS-Leaks, frame counting, error events, COOP and COEP gaps, timing oracles, and the defenses that actually hold. Drawn from xsleaks.dev research and live bounty experience.

By Arjun Raghavan, Security & Systems Lead, BIPI · December 5, 2023 · 10 min read

#xs-leaks #side-channel #browser-security #pentesting #coop

What XS-Leaks actually are

XS-Leaks abuse observable side effects of cross-origin requests in the browser to infer a single bit of state about the victim: is the user logged in, does this email exist, did this search return results. They are not RCE, but they chain into account takeover and deanonymization.

Frame counting

window.length on a popup of victim.com/search?q=alice tells you how many iframes the response embedded. If alice maps to one result and bob maps to zero, you have a one-bit oracle. Mitigation is X-Frame-Options (for the iframe variant) or severing the opener reference with Cross-Origin-Opener-Policy: same-origin (for the popup variant).

Error events

Loading a cross-origin script and watching whether onload or onerror fires leaks whether the response was valid JavaScript, an HTML error page, or a 404. The same trick works with img, link, and audio elements.

  • script onerror fires on HTTP 500 but onload fires on 200 with valid JS
  • img onload fires only for valid image bytes
  • link rel=stylesheet onload depends on CSS parse success
  • video error event differentiates 200 vs 403

Timing oracles

performance.now() is coarsened to 100us in most browsers, but SharedArrayBuffer under COOP and COEP gives you nanosecond clocks. Measure cache hit vs miss on cross-origin fetches to infer whether the victim recently visited a page.

postMessage leaks

Apps that call postMessage(data, '*') leak tokens to any opener. Pop the target, send a probe, and listen for the reply. Real bounties: payment widgets, OAuth helper iframes, chat embed SDKs.

Connection pool exhaustion

Fire 255 stalled requests to a target, then measure the timing of one more. If it queues, the victim is logged in and slow code paths are being hit. This is the Knockel connection-pool attack.

Tooling

Browser dev tools plus a controlled attacker origin. xsleaks.dev provides PoC pages. For dynamic discovery, Burp can be scripted to diff response sizes, status codes, and timing between logged-in and logged-out sessions.

Detection

  • Spikes in requests to /search or /api/users from a single Referer carrying high-cardinality query parameters
  • Repeated embeds of sensitive endpoints arriving with Sec-Fetch-Site: cross-site
  • Anomalous frame loads from non-partner domains
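The first two detection signals above, as an added example that is not part of the original post: a Node.js script that walks constructed access-log lines (tab-separated method, URL, Sec-Fetch-Site, Referer, client IP; field layout and thresholds are assumptions) and flags referer origins that drive many cross-site requests to sensitive endpoints with many distinct query strings, the signature of an existence-oracle probe.

```javascript
// Constructed sample access-log lines, not real traffic. Fields are
// tab-separated: method, URL, Sec-Fetch-Site, Referer ("-" if absent), IP.
const SAMPLE_LOG = [
  // One cross-site origin probing /search and /api/users with many distinct names.
  "GET\t/search?q=alice\tcross-site\thttps://attacker.example/probe\t203.0.113.5",
  "GET\t/search?q=bob\tcross-site\thttps://attacker.example/probe\t203.0.113.5",
  "GET\t/search?q=carol\tcross-site\thttps://attacker.example/probe\t203.0.113.5",
  "GET\t/search?q=dave\tcross-site\thttps://attacker.example/probe\t203.0.113.5",
  "GET\t/api/users?email=erin%40example.org\tcross-site\thttps://attacker.example/probe\t203.0.113.5",
  "GET\t/api/users?email=frank%40example.org\tcross-site\thttps://attacker.example/probe\t203.0.113.5",
  // Legitimate partner embed: few requests, a single repeated query.
  "GET\t/search?q=widget\tcross-site\thttps://partner.example/page\t198.51.100.7",
  "GET\t/search?q=widget\tcross-site\thttps://partner.example/page\t198.51.100.7",
  // First-party traffic is ignored regardless of volume.
  "GET\t/search?q=zed\tsame-origin\thttps://app.example/home\t192.0.2.9",
  // A missing Referer is still counted, in its own bucket.
  "GET\t/search?q=ada\tcross-site\t-\t203.0.113.8",
];

function parseLine(line) {
  const [method, url, secFetchSite, referer, ip] = line.split("\t");
  const i = url.indexOf("?");
  const path = i < 0 ? url : url.slice(0, i);
  const query = i < 0 ? "" : url.slice(i + 1);
  return { method, path, query, secFetchSite, referer, ip };
}

// Group cross-site hits on sensitive endpoints by referer origin and flag
// origins whose request volume and query cardinality both exceed thresholds.
function findProbingReferers(lines, opts = {}) {
  const { sensitivePaths = ["/search", "/api/users"],
          minRequests = 5, minDistinctQueries = 5 } = opts;
  const byOrigin = new Map();
  for (const line of lines) {
    const r = parseLine(line);
    if (r.secFetchSite !== "cross-site") continue;            // signal 2
    if (!sensitivePaths.some((p) => r.path.startsWith(p))) continue;
    let origin;
    try { origin = new URL(r.referer).origin; } catch { origin = "(no referer)"; }
    const stat = byOrigin.get(origin) || { requests: 0, queries: new Set() };
    stat.requests += 1;
    stat.queries.add(r.query);                                // signal 1: cardinality
    byOrigin.set(origin, stat);
  }
  const flagged = [];
  for (const [origin, s] of byOrigin) {
    if (s.requests >= minRequests && s.queries.size >= minDistinctQueries) {
      flagged.push({ origin, requests: s.requests, distinctQueries: s.queries.size });
    }
  }
  return flagged;
}
```

Feed real logs one line at a time through the same parser; lowering minDistinctQueries catches slower probes at the cost of more partner false positives.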

Remediation

  1. Set Cross-Origin-Opener-Policy: same-origin on sensitive pages
  2. Add Cross-Origin-Resource-Policy: same-site on data endpoints
  3. Use SameSite=Lax or Strict cookies, the easiest single fix
  4. Return constant size and timing responses for existence checks, pad with random delay
30+ known XS-Leak variants documented.

<5% of sites have full COOP and COEP isolation.

One bit at a time is still account takeover when the bit is "is this user an admin".
