
Web Application Timing Attacks: Exposing Private Information & Prevention
Learn about timing attacks on web applications, how they work, and strategies for prevention. Explore direct and cross-site timing attacks, dealing with network noise, username enumeration, and estimating hidden data sizes.
Presentation Transcript
Exposing Private Information by Timing Web Applications
Stephen Kleinheider

Agenda
- Introduction to Timing Attacks
- Direct Timing Attacks
  - Dealing with Network Noise/Jitter
  - Username Enumeration
  - Counting Number of Private Albums in a Gallery
- Cross-Site Timing Attacks
  - Techniques and Issues
  - Test if User is Logged in
  - Counting Number of Items in User's Shopping Cart
Introduction to Timing Attacks
- In general, a timing attack on a web application measures how long the target takes to respond to a request (measured directly, or as seen by a browser loading the page)
- By making many requests and comparing the response times, an attacker can infer private information that the responses themselves never disclose
- Prevention is possible, but often ignored by web developers
- Two main types: direct timing attacks and cross-site timing attacks

Direct Timing Attacks
- Measure the time the web site takes to respond to HTTP requests
- A custom program is used to obtain very accurate timing data (sub-millisecond)
- Problem: dealing with network noise/jitter
- Example 1: testing for boolean values (username enumeration)
- Example 2: estimating the size of hidden data (counting the number of private albums in a gallery)

Dealing with Network Noise/Jitter
- Varying network conditions: long delays, packet loss
- Server load: the server may be handling a great number of requests concurrently
- Solution: statistical analysis of the test data to determine the jitter, then compute the real (server-side) timing with that jitter taken into account
Username Enumeration
- Useful for phishing attacks, especially when usernames are email addresses
- Slide contrasts a "Bad" and a "Good" login response (images not in the transcript)
- Possible to use direct timing attacks for username enumeration: if the server does measurably different work for existing and non-existing usernames, the difference survives the jitter once enough samples are taken
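An added worked example (not from the slides) of the direct timing attack in this section together with the jitter handling from the previous slide and the "good" implementation from the summary. The vulnerable login skips the expensive password hash when the username is unknown, the hardened login does the same work and a constant-time compare for every username. The attacker's oracle interleaves requests, takes medians, estimates jitter from the median absolute deviation and only reports a hit when the probe's median clears the baseline by well more than that jitter. The user store, the PBKDF2 iteration count, the sample count and the threshold rule are all assumptions made for this demo; the oracle times local function calls rather than HTTP requests.

```python
import hashlib
import hmac
import statistics
import time

# Constructed demo user store (not from the slides). Passwords are stored as
# PBKDF2 hashes, so verifying one costs tens of milliseconds, which is exactly
# the work a lazy implementation skips for unknown usernames.
PBKDF2_ITERATIONS = 20_000
SALT = b"demo-salt"


def hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, PBKDF2_ITERATIONS)


USERS = {"alice@example.com": hash_password("correct horse battery staple")}

# Hash of a fixed junk password: the hardened login verifies against this when
# the username is unknown, so the expensive step always runs.
DUMMY_HASH = hash_password("not-a-real-password")


def vulnerable_login(username: str, password: str) -> bool:
    """'Bad' login: unknown usernames return before the slow hash is computed."""
    stored = USERS.get(username)
    if stored is None:
        return False  # microseconds: leaks that the user does not exist
    return hash_password(password) == stored  # tens of milliseconds


def hardened_login(username: str, password: str) -> bool:
    """'Good' login: same work and a constant-time compare for every username."""
    stored = USERS.get(username, DUMMY_HASH)
    matches = hmac.compare_digest(hash_password(password), stored)
    return matches and username in USERS


def time_logins(login, usernames, samples: int) -> dict:
    """Interleave requests for each username so slow drift (CPU frequency, load)
    hits every sample set equally. Returns {username: [seconds, ...]}."""
    times = {u: [] for u in usernames}
    for _ in range(samples):
        for u in usernames:
            start = time.perf_counter()
            login(u, "wrong-password")
            times[u].append(time.perf_counter() - start)
    return times


def _mad(xs, centre):
    """Median absolute deviation: a robust estimate of the jitter in a sample set."""
    return statistics.median(abs(x - centre) for x in xs)


def looks_like_existing_user(login, username: str, samples: int = 15) -> bool:
    """Direct timing oracle with jitter handling.

    The baseline is a username that almost certainly does not exist. The probe
    counts as 'exists' only if its median exceeds the baseline median by more
    than 4x the estimated jitter. The half-of-baseline floor is a heuristic
    guard against a near-zero jitter estimate when timer resolution dominates;
    a real attack resolves smaller differences by taking more samples.
    """
    baseline_user = "zz-no-such-user-9f3a@example.invalid"
    times = time_logins(login, [baseline_user, username], samples)
    med_base = statistics.median(times[baseline_user])
    med_probe = statistics.median(times[username])
    jitter = max(_mad(times[baseline_user], med_base), _mad(times[username], med_probe))
    threshold = max(4 * jitter, 0.5 * med_base)
    return med_probe - med_base > threshold


def demo() -> dict:
    """Run the oracle against both implementations; returns what the attacker learns."""
    hardened_login("warmup@example.com", "x")  # warm caches before timing
    return {
        "vulnerable_alice": looks_like_existing_user(vulnerable_login, "alice@example.com"),
        "vulnerable_bob": looks_like_existing_user(vulnerable_login, "bob@example.com"),
        "hardened_alice": looks_like_existing_user(hardened_login, "alice@example.com"),
        "hardened_bob": looks_like_existing_user(hardened_login, "bob@example.com"),
    }


if __name__ == "__main__":
    print(demo())
```

Against the vulnerable login the oracle marks alice as existing and bob as not; against the hardened login both are reported as not distinguishable. Note that the hardened version still returns the same boolean to the client; what changed is that the failure path does the same work as the success path.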
Estimating the Size of Hidden Data
- Timing attacks can be used to count data sets that are hidden from certain users
- How it works: when displaying a data set, many web applications loop over all records, including those the viewer is not allowed to see, before filtering and displaying the applicable ones
- The response time therefore correlates strongly with the total number of items, not just the visible ones
- Example: photo gallery blog
  - Some albums have per-person permissions; private albums are only seen by their creator
  - Develop a timing attack to count the number of private albums in a gallery

Counting Number of Hidden Albums
- Much more susceptible to noise: the per-album difference in response time is very small
- Requires an unusually fast (low-jitter) network path to the target
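An added example (not from the slides) of estimating hidden-data size under noise. The server model loops over every album, private or not, so its work grows with the total count while the response only shows the visible ones. The attacker calibrates the per-album cost on galleries of known size, times the victim's gallery, solves for the total and subtracts what is visible. Network and server delay are simulated with a seeded positive-skewed (exponential) jitter rather than measured; the per-album cost, base cost, jitter mean and the attacker's calibration sizes are assumed numbers chosen so the signal is small next to the noise, as the slide warns.

```python
import random
import statistics
from dataclasses import dataclass

# Constructed model of the target (assumed numbers, not from the slides).
PER_ALBUM_COST = 80e-6   # seconds of server work per album iterated over
BASE_COST = 12e-3        # fixed cost of the gallery page
JITTER_MEAN = 300e-6     # mean of the additive, always-positive network/server delay


@dataclass(frozen=True)
class Album:
    owner: str
    private: bool


def gallery_page(albums, viewer):
    """Vulnerable listing: iterates over every album, private ones included, and
    filters by permission. Returns (albums the viewer may see, loop iterations);
    the iteration count stands in for server CPU time."""
    visible = [a for a in albums if not a.private or a.owner == viewer]
    return visible, len(albums)


def observe(work_iterations, rng):
    """What the attacker's stopwatch sees: server work plus positive jitter."""
    return BASE_COST + PER_ALBUM_COST * work_iterations + rng.expovariate(1 / JITTER_MEAN)


def median_time(albums, viewer, samples, rng):
    """Median of many samples; the median resists the heavy positive tail of jitter."""
    _, work = gallery_page(albums, viewer)
    return statistics.median(observe(work, rng) for _ in range(samples))


def fit_line(xs, ys):
    """Least-squares fit: seconds = intercept + slope * album_count."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    slope = sum((x - mx) * (y - my) for x, y in zip(xs, ys)) / sum((x - mx) ** 2 for x in xs)
    return my - slope * mx, slope


def estimate_hidden_albums(victim_albums, attacker, samples=300, seed=1):
    """Count albums the attacker cannot see: estimate the total from timing,
    then subtract the albums the response actually shows. Accurate to about
    +/-1 album with these constants; more samples tighten the estimate."""
    rng = random.Random(seed)
    # 1. Calibrate the per-album cost on galleries the attacker controls,
    #    where the total number of albums is known.
    sizes = [0, 5, 10, 15, 20]
    medians = [median_time([Album(attacker, False)] * n, attacker, samples, rng) for n in sizes]
    intercept, slope = fit_line(sizes, medians)
    # 2. Time the victim's gallery and count what is visible in its response.
    visible, _ = gallery_page(victim_albums, attacker)
    victim_median = median_time(victim_albums, attacker, samples, rng)
    estimated_total = round((victim_median - intercept) / slope)
    return max(estimated_total - len(visible), 0)


# Constructed victim gallery: 3 public albums and 7 private ones.
VICTIM_ALBUMS = [Album("victim", False)] * 3 + [Album("victim", True)] * 7


if __name__ == "__main__":
    print("hidden albums estimate:", estimate_hidden_albums(VICTIM_ALBUMS, "attacker"))
```

With a jitter mean of 300 µs and 300 samples the median of each sample set is good to roughly 17 µs, so an 80 µs per-album step resolves to within one album; halve the per-album cost or the sample count and the estimate degrades quickly, which is the slide's point about needing a fast, quiet path to the target.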
Cross-Site Timing Attacks
- Timing attacks which enable a malicious site to obtain information about the user's view of another site
- The cross-site requests can still be timed when CSRF preventive measures exist, since the request only needs to be served, not to succeed
- Can be used to test whether other CSRF attacks worked
- Harder to use than direct timing attacks
- Example 1: testing for boolean values (test if the user is logged in)
- Example 2: estimating the size of hidden data (counting the number of items in the user's shopping cart)

Cross-Site Timing Techniques
- JavaScript: a script is allowed to learn when, and whether, embedded cross-origin content loads
- Images are an effective method for timing: IMG tags can be used to time any web-accessible URL
- Technique: use an invisible image and JavaScript to take several timing samples
- Responses are timed via the onerror handler: the target URL is not an image, so the load fails, but only after the full response has arrived

Issues with Cross-Site Timing Attacks
- No stable, known network configuration: the user could have any type of connection at almost any geographical location
- Absolute timing comparisons are therefore not useful
- Solution: two sources
  - Test page: a page whose computation time depends on the hidden data
  - Baseline page: a page with as little dependency on the hidden data as possible
  - Both are fetched over the same user's connection, so comparing them cancels out the unknown network path

Determining if a User is Logged in
- Two sources: test page = front page of the website; reference page = "Contact Us" page
- Able to distinguish between four types of users: never been to the site; been to the site but never logged in; currently logged in; logged in at some time in the past, but not currently
- Users who are logged in get redirected, adding to the request time
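An added example (not from the slides) of the two-source comparison above. In the attacker's page each sample would come from an invisible `<img>` whose `onerror` handler records the elapsed time; here `img_load_time` simulates that measurement for a victim with an unknown round-trip time, a logged-in victim paying an extra round trip for the front-page redirect. The naive method applies one absolute threshold; the two-source method divides the front-page median by the Contact Us median for the same user. The page costs, redirect cost, jitter mean, RTTs and thresholds are assumed numbers for the demo.

```python
import random
import statistics
from dataclasses import dataclass

# Constructed model of the target site (assumed numbers, not from the slides).
SERVER_COST = {"front": 8e-3, "contact": 5e-3}  # server time per page, seconds
REDIRECT_COST = 3e-3                            # extra server work when redirecting
JITTER_MEAN = 2e-3                              # mean of positive network jitter


@dataclass(frozen=True)
class Victim:
    rtt: float        # round-trip time to the target; unknown to the attacker
    logged_in: bool


def img_load_time(victim, page, rng):
    """One cross-site sample, as the attacker page's <img onerror> handler would
    see it. A logged-in user requesting the front page is redirected, which
    costs an extra round trip plus extra server work."""
    round_trips = 1
    cost = SERVER_COST[page]
    if page == "front" and victim.logged_in:
        round_trips += 1
        cost += REDIRECT_COST
    return round_trips * victim.rtt + cost + rng.expovariate(1 / JITTER_MEAN)


def median_load(victim, page, samples, rng):
    return statistics.median(img_load_time(victim, page, rng) for _ in range(samples))


def absolute_guess(victim, samples, rng, threshold=0.050):
    """Naive: call the user logged in if the front page takes longer than 50 ms."""
    return median_load(victim, "front", samples, rng) > threshold


def two_source_guess(victim, samples, rng, ratio_threshold=1.5):
    """Two sources: time the test page (front page) against a baseline page
    (Contact Us) fetched by the same user. Both share the user's connection,
    so their ratio depends on the redirect, not on the user's RTT."""
    test = median_load(victim, "front", samples, rng)
    baseline = median_load(victim, "contact", samples, rng)
    return test / baseline > ratio_threshold


# Constructed victims: fast and slow connections, logged in or not.
VICTIMS = {
    "fast, logged out": Victim(rtt=0.010, logged_in=False),
    "fast, logged in": Victim(rtt=0.010, logged_in=True),
    "slow, logged out": Victim(rtt=0.150, logged_in=False),
    "slow, logged in": Victim(rtt=0.150, logged_in=True),
}


def demo(samples=20, seed=7):
    """Returns, per victim, (truth, absolute guess, two-source guess)."""
    rng = random.Random(seed)
    return {
        name: (v.logged_in, absolute_guess(v, samples, rng), two_source_guess(v, samples, rng))
        for name, v in VICTIMS.items()
    }


if __name__ == "__main__":
    for name, (truth, naive, two_src) in demo().items():
        print(f"{name:17} logged_in={truth!s:5} absolute={naive!s:5} two_source={two_src}")
```

The absolute threshold misclassifies the logged-in user on the fast link (about 32 ms) and the logged-out user on the slow link (about 159 ms), while the front/contact ratio sits near 2 for every logged-in user and near 1 for every logged-out one regardless of their connection. A difference instead of a ratio would also work here but would scale with the victim's RTT, which is why the ratio is the better normalisation for a redirect-sized signal.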
Estimating Size of Hidden Data (Cross-Site)
- A tremendous amount of countable data is visible only to the user: number of transactions on a banking site, auctions at an auction site, emails at a popular webmail site, search results
- Example: counting the number of items in a user's shopping cart
Summary
- Timing attacks on web applications can expose private information
- Can be used for information gathering and as a first step of a phishing attack
- Both types of timing attacks need to account for network noise/jitter
- Best defense: ensure the web server always takes a constant amount of time to process a request, i.e. the same work regardless of the secret (do not skip the password hash for unknown users, do not iterate over records the viewer cannot see). Adding a random delay only raises the number of samples the attacker needs; it does not remove the signal

References
- A. Bortz, D. Boneh, P. Nandy, "Exposing Private Information by Timing Web Applications": http://crypto.stanford.edu/~dabo/papers/webtiming.pdf
- B. Long, "Timing Attacks and Usernames": https://www.brendanlong.com/timing-attacks-and-usernames.html
- https://www1.informatik.uni-erlangen.de/side-channels
- D. Brumley, D. Boneh, "Remote Timing Attacks are Practical": https://www.usenix.org/legacy/event/sec03/tech/brumley/brumley_html/
- T. Van Goethem, W. Joosen, N. Nikiforakis, "The Clock is Still Ticking: Timing Attacks in the Modern Web" (CCS 2015): https://www.securitee.org/files/timing-attacks_ccs2015.pdf