1 of 8

XSinator.com: XS-Leak Browser Test Suite

Lukas Knittel (@kunte_ctf)

The Paper

CCS21

Formal Model for XS-Leaks

XSinator: a Browser Test Suite

XS-Leak Ingredients: detectable difference, inclusion method, leak technique

XSinator.com

Automatically tests 34 XS-Leaks in the browser

  • Testing site acts as the attacker site
    • https://xsinator.com
  • Vulnerable web application simulates the state-dependent resource
    • https://xsinator.xyz

Demo

Limitations

  • Browser Compatibility
    • as many browsers as possible
    • mobile browsers

  • Could not implement all known leaks
    • some interfere with each other or are too unstable

  • Excluded Leaks
    • misconfiguration (e.g., CORS, postMessage, …)
    • webapp specific (e.g., WAF)
    • timing leaks

Results

  • BrowserStack + Selenium = automation
  • tested 54 browsers
  • different browser versions
  • results in the paper or on XSinator.com

Future of XSinator

  • update existing leaks, implement more leaks
  • incorporate XSinator.com as a resource/playground for xsleaks.com
  • it's on GitHub

Thank you for listening!

Any Questions?

@kunte_ctf

XSinator.com