autoleak
Find XS-Leaks in the browser by diffing DOM-Graphs in two states
Science Score: 57.0%
This score indicates how likely this project is to be science-related based on various indicators:
- ✓ CITATION.cff file: Found CITATION.cff file
- ✓ codemeta.json file: Found codemeta.json file
- ✓ .zenodo.json file: Found .zenodo.json file
- ✓ DOI references: Found 2 DOI reference(s) in README
- ○ Academic publication links
- ○ Academic email domains
- ○ Institutional organization owner
- ○ JOSS paper metadata
- ○ Scientific vocabulary similarity: Low similarity (9.5%) to scientific vocabulary
Repository
Find XS-Leaks in the browser by diffing DOM-Graphs in two states
Basic Info
- Host: GitHub
- Owner: RUB-NDS
- License: gpl-3.0
- Language: JavaScript
- Default Branch: main
- Homepage: https://AutoLeak.org
- Size: 3.27 MB
Statistics
- Stars: 16
- Watchers: 2
- Forks: 1
- Open Issues: 0
- Releases: 0
Metadata Files
README.md
Autoleak
Find XS-Leaks in the browser by diffing DOM-Graphs in two states
Paper
The contents of this repository have been published as part of a CCS'23 paper. If you use Autoleak for academic research, we encourage you to cite the following paper:
@inproceedings{autoleakCCS2023,
title={Finding All Cross-Site Needles in the DOM Stack: A Comprehensive Methodology for the Automatic XS-Leak Detection in Web Browsers},
author={No{\ss}, Dominik Trevor and Knittel, Lukas and Mainka, Christian and Niemietz, Marcus and Schwenk, J{\"o}rg},
booktitle={Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security},
pages={2456--2470},
year={2023}
}
Docker Compose Setup
- Change environment variables in the .env file (see .env-example for details)
- Run the complete setup like this:
  docker compose up -d # add --build to rebuild the images
- or with letsencrypt:
  docker compose \
    -f docker-compose.yml \
    -f docker-compose.letsencrypt.yml \
    up --build -d
- Open https://127.0.0.1 or the basedomain if you are using your own domain
Environment Variables
FRONTEND_USERNAM=admin # username for basic auth
FRONTEND_PASSWORD=password # password for basic auth
DEMO_MODE=0 # enable/disable readonly mode
BASEDOMAIN=example.com # basedomain for the frontend
CROSSORIGINDOMAIN=test.com # domain for the cross origin iframe
TEST_CONFIG=testconfigs/config.json # path to the test config (see /testconfigs)
Add new Tests
Adding new test parameters is easy. You can change inclusion methods, differences, and browsers just by editing the config.json.
Test Config
Example config that shows some options:
{
"browsers": [
"chrome",
"firefox",
"webkit",
"brave"
],
"differences": [
{
"name": "XFrameOptionsDENY",
"response0": {
"status": 200,
"headers": [
{
"name": "X-Frame-Options",
"value": "DENY"
}
]
},
"response1": {
"status": 200,
"headers": []
}
},
{
"name": "StatusCode500vs200",
"response0": {
"status": 500,
"headers": []
},
"response1": {
"status": 200,
"headers": []
}
},
{
"name": "ForceFileTypeCSS",
"response0": {
"status": 200,
"headers": [],
"filetype": {
"name": "css",
"contenttype": "text/css",
"filetemplate": "test.css"
}
},
"response1": {
"status": 200,
"headers": []
}
},
{
"name": "HTMLwithIframe",
"response0": {
"status": 200,
"headers": [],
"filetype": {
"name": "iframeHTML",
"contenttype": "text/html",
"filetemplate": "iframe.html"
}
},
"response1": {
"status": 200,
"headers": []
}
}
],
"inclusionmethods": [
{
"name": "iframe",
"template": "iframe.html"
},
{
"name": "iframeSandbox",
"template": "iframesandbox.html"
},
{
"name": "object",
"template": "object.html"
},
{
"name": "image",
"template": "image.html"
},
{
"name": "stylesheet",
"template": "stylesheet.html"
}
],
"filetypes": [
{
"name": "html",
"contenttype": "text/html",
"filetemplate": "test.html"
},
{
"name": "css",
"contenttype": "text/css",
"filetemplate": "test.css"
},
{
"name": "text",
"contenttype": "text/plain",
"filetemplate": "test.txt"
}
]
}
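A pre-flight check for new "differences" entries, as an added example that is not part of the Autoleak repository: it flags entries whose two response states are identical (so there is nothing for the two-state diff to observe) or whose inline filetype is incomplete. The required keys are an assumption inferred from the sample config above, and `SAMPLE`, `normalise` and `lint_differences` are hypothetical names.

```python
import json

# Constructed sample in the README's config shape (not the project's shipped config).
SAMPLE = json.loads("""
{"differences": [
  {"name": "XFrameOptionsDENY",
   "response0": {"status": 200, "headers": [{"name": "X-Frame-Options", "value": "DENY"}]},
   "response1": {"status": 200, "headers": []}},
  {"name": "NoOp",
   "response0": {"status": 200, "headers": []},
   "response1": {"status": 200, "headers": []}},
  {"name": "BadType",
   "response0": {"status": 200, "headers": [], "filetype": {"name": "css"}},
   "response1": {"status": 200, "headers": []}}
]}
""")

# Assumption: every inline filetype needs the three keys the README sample shows.
FILETYPE_KEYS = {"name", "contenttype", "filetemplate"}

def normalise(resp):
    """Reduce a response spec to comparable parts; header names are case-insensitive."""
    headers = frozenset((h.get("name", "").lower(), h.get("value")) for h in resp.get("headers", []))
    filetype = tuple(sorted((resp.get("filetype") or {}).items()))
    return resp.get("status"), headers, filetype

def lint_differences(config):
    """Return {name: [problems]} for entries that cannot yield a two-state diff."""
    report, seen = {}, set()
    for d in config.get("differences", []):
        name, problems = d.get("name", "<unnamed>"), []
        if name in seen:
            problems.append("duplicate name")
        seen.add(name)
        for key in ("response0", "response1"):
            resp = d.get(key)
            if not isinstance(resp, dict) or not isinstance(resp.get("status"), int):
                problems.append(f"{key}: missing or non-integer status")
                continue
            missing = FILETYPE_KEYS - set(resp.get("filetype") or FILETYPE_KEYS)
            if missing:
                problems.append(f"{key}: filetype lacks {sorted(missing)}")
        if not problems and normalise(d["response0"]) == normalise(d["response1"]):
            problems.append("response0 and response1 are identical")
        if problems:
            report[name] = problems
    return report
```

Run `lint_differences(json.load(open(path)))` on the file named by TEST_CONFIG before starting a test run; an empty dict means every entry describes two distinguishable states.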
Owner
- Name: Ruhr University Bochum - Chair for Network and Data Security
- Login: RUB-NDS
- Kind: organization
- Location: Ruhr University Bochum
- Website: https://informatik.rub.de/nds/
- Repositories: 84
- Profile: https://github.com/RUB-NDS
Research and development at the Chair for Network and Data Security concentrates on cryptographic protocols, Internet and XML security.
Citation (CITATION.cff)
cff-version: 1.2.0
message: "If you use this software, please cite it as below."
title: "Finding All Cross-Site Needles in the DOM Stack: A Comprehensive Methodology for the Automatic XS-Leak Detection in Web Browsers"
version: 2.0.4
authors:
  - family-names: "Knittel"
    given-names: "Lukas"
    orcid: "https://orcid.org/0009-0006-5676-5151"
  - family-names: "Noß"
    given-names: "Dominik"
    orcid: "https://orcid.org/0000-0002-2138-9989"
identifiers:
  - type: doi
    value: https://github.com/RUB-NDS/AutoLeak
date-released: 2023-11-21
GitHub Events
Total
- Watch event: 2
- Push event: 4
Last Year
- Watch event: 2
- Push event: 4
Issues and Pull Requests
Last synced: 8 months ago
All Time
- Total issues: 0
- Total pull requests: 0
- Average time to close issues: N/A
- Average time to close pull requests: N/A
- Total issue authors: 0
- Total pull request authors: 0
- Average comments per issue: 0
- Average comments per pull request: 0
- Merged pull requests: 0
- Bot issues: 0
- Bot pull requests: 0
Past Year
- Issues: 0
- Pull requests: 0
- Average time to close issues: N/A
- Average time to close pull requests: N/A
- Issue authors: 0
- Pull request authors: 0
- Average comments per issue: 0
- Average comments per pull request: 0
- Merged pull requests: 0
- Bot issues: 0
- Bot pull requests: 0
Dependencies
- mcr.microsoft.com/playwright/python v1.29.0-focal build
- mher/flower latest
- mongo 5
- redis latest
- nginx mainline-alpine build
- celery *
- flask *
- flask-sqlalchemy *
- gunicorn *
- mongoengine *
- networkx *
- playwright *
- pyyaml *
- redis *
- requests *