Data

Tools

Indexes

Applications

Experiments

Open Source Science

xs-search

cross-site (XS) search attack - scripts

https://github.com/barmey/xs-search

Science Score: 54.0%

This score indicates how likely this project is to be science-related based on various indicators:

  • CITATION.cff file
    Found CITATION.cff file
  • codemeta.json file
    Found codemeta.json file
  • .zenodo.json file
    Found .zenodo.json file
  • DOI references
  • Academic publication links
    Links to: researchgate.net
  • Academic email domains
  • Institutional organization owner
  • JOSS paper metadata
  • Scientific vocabulary similarity
    Low similarity (10.3%) to scientific vocabulary
Last synced: 6 months ago · JSON representation ·

Repository

cross-site (XS) search attack - scripts

Basic Info
  • Host: GitHub
  • Owner: barmey
  • Language: HTML
  • Default Branch: master
  • Homepage:
  • Size: 71.3 KB
Statistics
  • Stars: 1
  • Watchers: 1
  • Forks: 0
  • Open Issues: 0
  • Releases: 0
Created about 6 years ago · Last pushed over 4 years ago
Metadata Files
Readme Citation

README.md

XS-Search Attacks

Cross-site search attacks allow a rogue website to expose private, sensitive user-information from web applications. The attacker exploits timing and other side channels to extract the information, using cleverly-designed cross-site queries.

Full-text available

Reproducibility System

In this repo you can find several xs-search attack scripts that we run on our reproducibility system. You can download our reproducibility vm on link .

Reproducibility System details:

Web services tend to get updates often and change their API. To ensure the reproducibility of our experiments despite these challenges, we set up an infrastructure that is not dependent on external web-services. This infrastructure was built on a virtual machine that consists of all the technologies necessary to perform XS-Search attacks: 1. Local mail service that allows cross-site search requests and supports simple and complex queries. To simulate real mailboxes of users we used the Enron dataset, which contains data from about 150 users, mostly senior management of the Enron corporation. 2. Service that simulates real network conditions including drop and delay. 3. Web service that presents the results of the search requests in a user-friendly interface. 4. Service that simulates cross-site attacks and allows performing XS-Search attacks. We implemented three XS-Search attacks: Network Time (NT), Cache Time (CT), and Length Based (LB).

Scripts details:

  1. LB-XS-Search - Chrome Exploit - CVE-2020-6442
  2. flash_vulnerability - Flash Exploit - CVE-2019-8075

Owner

  • Name: Bar Meyuhas
  • Login: barmey
  • Kind: user

Citation (CITATION.cff) 

cff-version: 1.2.0
message: "If you use this software, please cite it as below."
authors:
  - family-names: Meyuhas
    given-names: Bar
    orcid: https://orcid.org/0000-0002-5354-4955
title: "Cross-Site Search Attacks: Unauthorized Queries over Private Data"
version: 2.0.4
doi: 10.1007/978-3-030-65411-5_3
date-released: 2020-12-09

GitHub Events

Total
Last Year