
XSHM is a vulnerability which exploits the fact that the browser history object does not follow the Same Origin Policy and hence by tracking the changes made to this object we may be able to track a user's activities.

Most of the online references about this vulnerability are relatively old and I am unsure if the web browsers have developed any defenses against this vulnerability over time.

My question is: is this vulnerability still relevant?

I have found some other references which discuss the exploitation scenarios, and it seems that for successful exploitation it is important to load the target site in an iframe. In such a case, would it be right to conclude that the X-FRAME-OPTIONS header can be a useful tool to mitigate this vulnerability?

  • This is [the newest](https://html.spec.whatwg.org/multipage/history.html#dom-history-length) I could find. It's hard to get information on single browsers though. You probably have to check the handling of `history.length` per browser. – Tom K. Feb 19 '18 at 07:29
  • Related: https://stackoverflow.com/questions/27782805/cross-site-history-manipulation-resolution – Tom K. Feb 19 '18 at 07:48
  • AFAIK, this issue is still relevant since [the Firefox bug is still open](https://bugzilla.mozilla.org/show_bug.cgi?id=1315203) and [the spec issue is also still open](https://github.com/whatwg/html/issues/2018). WebKit (Chrome/Opera) seems not impacted. – Xenos Jun 21 '18 at 08:22
  • @Shurmajee have you been able to confirm an iframe is required to perform an XSHM attack? All attack examples I found use an iframe; I'm inclined to consider it solved with an X-FRAME-OPTIONS header. – lsborg Oct 19 '20 at 21:59
  • @lsborg Based on the original Checkmarx paper (see Firefox link above), all attack vectors use iframes in some way or the other. Also note that of all the major browsers, only Firefox seems to be vulnerable. The paper does contain some application-level fixes for cases where conditional redirects are present, but with modern web apps I feel a very small time window will be available to an attacker to carry out this attack, which only results in enumeration. In short, preventing iframing will help and there is no need to do any other app-level fixes. – Shurmajee Oct 20 '20 at 06:12
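Since every exploitation scenario discussed in this thread depends on the target page being loaded in an iframe, here is an added example (not code from the question or its comments) that evaluates a response's headers for anti-framing protection, treating a CSP `frame-ancestors` directive as authoritative over `X-Frame-Options` as browsers do; the sample responses and the embedder origin are constructed.

```python
from typing import List, Mapping, Optional, Tuple

def _header(headers: Mapping[str, str], name: str) -> Optional[str]:
    """Case-insensitive lookup; HTTP header names are case-insensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None

def _frame_ancestors(csp: str) -> Optional[List[str]]:
    """Return the frame-ancestors source list, or None if the directive is absent."""
    for directive in csp.split(";"):
        tokens = directive.strip().split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]
    return None

def framing_blocked(headers: Mapping[str, str], embedder: str) -> Tuple[bool, str]:
    """Return (blocked, reason) for a page that `embedder` tries to iframe.

    A CSP frame-ancestors directive takes precedence; browsers then ignore
    X-Frame-Options, which is only consulted when the directive is absent.
    """
    csp = _header(headers, "Content-Security-Policy")
    ancestors = _frame_ancestors(csp) if csp is not None else None
    if ancestors is not None:
        if not ancestors or ancestors == ["'none'"]:
            return True, "CSP frame-ancestors 'none'"
        # Conservative: a wildcard or an exact match counts as "allowed".
        if any("*" in src or src == embedder.lower() for src in ancestors):
            return False, "CSP frame-ancestors permits this embedder"
        return True, "CSP frame-ancestors excludes this embedder"
    xfo = _header(headers, "X-Frame-Options")
    if xfo is None:
        return False, "no anti-framing header"
    value = xfo.strip().upper()
    if value in ("DENY", "SAMEORIGIN"):
        return True, "X-Frame-Options " + value
    # ALLOW-FROM is obsolete and ignored by current browsers: no protection.
    return False, "unsupported X-Frame-Options value: " + xfo

if __name__ == "__main__":
    # Constructed sample responses, not captured from any real site.
    samples = {
        "deny": {"X-Frame-Options": "DENY"},
        "csp-none": {"Content-Security-Policy": "frame-ancestors 'none'"},
        "legacy": {"X-Frame-Options": "ALLOW-FROM https://partner.example"},
    }
    for name, hdrs in samples.items():
        print(name, framing_blocked(hdrs, "https://third-party.example"))
```

Feeding it the headers of a real response (for example from `requests.head(url).headers`) gives a quick verdict on whether the iframe-based XSHM vector is closed for that page.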
