Skip to content

RIP is required for client-side inflation error side-channel mitigation#182

Open
Pedro-Bernardo wants to merge 1 commit intoxsleaks:masterfrom
Pedro-Bernardo:patch-4
Open

RIP is required for client-side inflation error side-channel mitigation#182
Pedro-Bernardo wants to merge 1 commit intoxsleaks:masterfrom
Pedro-Bernardo:patch-4

Conversation

@Pedro-Bernardo
Copy link

@Pedro-Bernardo Pedro-Bernardo commented Apr 21, 2025

It is possible to detect redirections using fetch with the same technique as presented in "client-side inflation errors."

Example:
await fetch("https://target.com/redir#<BIG-fragment>", {method: 'GET', mode :'no-cors', credentials: 'include'});

If the server redirects to an endpoint bigger than /redir when there is a cookie attached to the request, the first request succeeds, but the second request (redirection) will raise an exception which can be observed. Provided that length(URL + #<BIG-fragment>) = (URL size limit - 1)

Works on Chrome (2MB URL size limit) and Firefox (1MB URL size limit).

These requests are rejected by the RIP.

@Pedro-Bernardo
RIP is required for client-side inflation error side-channel mitigation
4b5de12 
It is possible to detect redirections using fetch using the same technique of client-side inflation errors.

For example, on Chrome:
`await fetch(`https://bank.com/redir#<BIG-fragment>`, {method: 'GET', mode :'no-cors', credentials: 'include'});`

The server redirects to `/bigger` based on a cookie which is included in the fetch request. The first request succeeds, but the second request (redirection) will raise an exception which an attacker can observe.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@Pedro-Bernardo