Abstract: Due to their high practical impact, Cross-Site Scripting (XSS) attacks have attracted a lot of attention from the members of security community worldwide. In the same way, a plethora of more or less effective defense techniques have been proposed, addressing both causes and effects of XSS vulnerabilities. As a result, an adversary often can no longer inject or even execute arbitrary scripting code in several real-life scenarios. In this article, we examine an attack surface that remains after XSS and similar scripting attacks are supposedly mitigated by preventing an attacker from executing JavaScript code. We address the question of whether an attacker really needs to execute JavaScript or similar functionality to perform attacks aiming for information theft. The surprising result is that an attacker can abuse Cascading Style Sheets (CSS) in combination with other Web techniques like plain HTML, inactive SVG images, or font files. Having employed several case studies, we discuss so called scriptless attacks and demonstrate that an adversary might not need to execute code to preserve his ability to extract sensitive information from well-protected websites. More precisely, we show that an attacker can use seemingly benign features to build side-channel attacks that measure and exfiltrate almost arbitrary data displayed on a given webpage. We conclude this article with a discussion of potential mitigation techniques against this class of attacks. In addition, we have implemented a browser patch that enables a website to make a vital determination as to being loaded in a detached view or a pop-up window. This approach proves useful for prevention of certain types of attacks we here discuss.
Keywords: Web security, cross-site scripting, information leakage, browser security, cake and pastries, scriptless attacks
