Presentation is loading. Please wait.

Presentation is loading. Please wait.

Exposing Private Information by Timing Web Applications

Published byDaniel Kaguongo Modified over 4 years ago

Similar presentations

Presentation on theme: "Exposing Private Information by Timing Web Applications "— Presentation transcript:

1 Exposing Private Information by Timing Web Applications Stephen Kleinheider

2 Agenda Introduction to Timing Attacks Direct Timing Attacks – Dealing with Network Noise/Jitter – Username Enumeration – Counting Number of Private Albums in a Gallery Cross-Site Timing Attacks – Techniques and Issues – Test if User is Logged in – Counting Number of Items in User’s Shopping Cart

3 Introduction to Timing Attacks In general, timing attacks on web applications measure time browser takes to load a given page – By performing a lot of requests, possible to obtain private information by measuring and comparing response times Prevention is possible, but often ignored by web developers Two main types: – Direct Timing Attacks – Cross-Site Timing Attacks

4 Direct Timing Attacks Measures the time web site takes to respond to HTTP requests Custom program to get very accurate timing data (sub- millisecond) Problems: Dealing with network noise/jitter Example 1: Testing for Boolean Values – Username Enumeration Example 2: Estimating the Size of Hidden Data – Counting Number of Private Albums in a Gallery

5 Dealing with Network Noise/Jitter Varying network conditions – Long delays, packet loss Server Load – Server handling a great number of requests concurrently Solution: – Statistical analysis of test data to determine jitter – Calculate real data taking into account jitter from test data

6 Username Enumeration Useful for phishing attacks – Especially when usernames are email addresses Possible to use direct timing attacks for username enumeration BadGood

7 Username Enumeration

8

9 Estimating the Size of Hidden Data Timing attacks used to find data sets hidden from certain users How it works: – When displaying data sets, many web applications loop over all data before returning and displaying the applicable data – Possible to calculate timing data with strong correlation to number of items Example: Photo Gallery Blog – Some albums have specific permissions per person – “Private” albums only seen by creator – Develop timing attack to count the number of “private” albums in a gallery

10 Counting Number of Hidden Albums Much more susceptible to noise Very small difference in response time Requires unusually fast network path to target

11 Cross-Site Timing Attacks Timing attacks which enable a malicious site to obtain information about the user’s view of another site – Able to time these CSRF attacks even if preventive measures exist – Can be used to test if other CSRF attacks worked Harder to use than direct timing attacks Example 1: Testing for Boolean Values – Test if User is Logged in Example 2: Estimating the Size of Hidden Data – Counting Number of Items in User’s Shopping Cart

12 Cross-Site Timing Techniques JavaScript: script is allowed to learn when and whether embedded content loads Images are an effective method to timing IMG tags can be used to time any web-accessible url Technique: use invisible image and JavaScript to take several timing samples – Reponses timed via onerror handler

13 Cross-Site Timing Techniques

14 Issues with Cross-Site Timing Attacks No stable, known network configuration – User could have any type of connection at almost any geographical location – Absolute timing comparison not useful Solution: Two Sources – Page whose computation time is dependent on hidden data – Page which has as little dependency as possible on hidden data (Baseline)

15 Determining if a User is Logged in Two Sources: – Test Page – front page of website – Reference Page – “Contact Us” page Able to distinguish between four types of users: – Never been to the site – Been to the site but have never logged in – Currently logged into site – Have logged in sometime in past, but not currently logged in Users who are logged in get redirected –> adding to request time

16 Determining if a User is Logged in

17 Estimating Size of Hidden Data Tremendous amount of “countable” data visible only to user – Number of transactions on banking site – Auctions at an auction site – Emails at popular webmail site – Search results Example: Counting Number of Items in User’s Shopping Cart

18 Summary Timing attacks on web applications can expose private information Can be used for information gathering and as a first step for phishing attack Both types of timing attacks need to account for network noise/jitter Best Defense = ensure web server always takes a constant amount of time to process request

19 References http://crypto.stanford.edu/~dabo/papers/webtiming.pdf https://www.brendanlong.com/timing-attacks-and- usernames.html https://www.brendanlong.com/timing-attacks-and- usernames.html https://www1.informatik.uni-erlangen.de/side-channels https://www.usenix.org/legacy/event/sec03/tech/brumley/ brumley_html/ https://www.usenix.org/legacy/event/sec03/tech/brumley/ brumley_html/ https://www.securitee.org/files/timing-attacks_ccs2015.pdf

Download ppt "Exposing Private Information by Timing Web Applications "

Similar presentations

Cross-Site Scripting Issues and Defenses Ed Skoudis Predictive Systems © 2002, Predictive Systems.

Cross-Site Scripting Issues and Defenses Ed Skoudis Predictive Systems © 2002, Predictive Systems.
Providing protection from potential security threats that exist for any internet-connected computer is termed e- security. It is important to be able to.

Providing protection from potential security threats that exist for any internet-connected computer is termed e- security. It is important to be able to.
Lecture 6/2/12. Forms and PHP The PHP $_GET and $_POST variables are used to retrieve information from forms, like user input When dealing with HTML forms.

Lecture 6/2/12. Forms and PHP The PHP $_GET and $_POST variables are used to retrieve information from forms, like user input When dealing with HTML forms.
1 Configuring Internet- related services (April 22, 2015) © Abdou Illia, Spring 2015.

1 Configuring Internet- related services (April 22, 2015) © Abdou Illia, Spring 2015.
An Overview of Database Access on the Web An Overview of Database Access on the Web Using ASP and Microsoft Database Technology Sheffield Hallam University.

An Overview of Database Access on the Web An Overview of Database Access on the Web Using ASP and Microsoft Database Technology Sheffield Hallam University.
ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.

ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.
 Proxy Servers are software that act as intermediaries between client and servers on the Internet.  They help users on private networks get information.

 Proxy Servers are software that act as intermediaries between client and servers on the Internet.  They help users on private networks get information.
Introduction to the OWASP Top 10. Cross Site Scripting (XSS)  Comes in several flavors:  Stored  Reflective  DOM-Based.

Introduction to the OWASP Top 10. Cross Site Scripting (XSS)  Comes in several flavors:  Stored  Reflective  DOM-Based.
Signatures As Threats to Privacy Brian Neil Levine Assistant Professor Dept. of Computer Science UMass Amherst.

Signatures As Threats to Privacy Brian Neil Levine Assistant Professor Dept. of Computer Science UMass Amherst.
+ Websites Vulnerabilities. + Content Expand of The Internet Use of the Internet Examples Importance of the Internet How to find Security Vulnerabilities.

+ Websites Vulnerabilities. + Content Expand of The Internet Use of the Internet Examples Importance of the Internet How to find Security Vulnerabilities.
WEB SECURITY WEEK 3 Computer Security Group University of Texas at Dallas.

WEB SECURITY WEEK 3 Computer Security Group University of Texas at Dallas.
Drive Customer Satisfaction. Cut Costs. Improve Efficiencies. Oracle i Support Chris Kirby Senior Sales Consultant Oracle.

Drive Customer Satisfaction. Cut Costs. Improve Efficiencies. Oracle i Support Chris Kirby Senior Sales Consultant Oracle.
About Dynamic Sites (Front End / Back End Implementations) by Janssen & Associates Affordable Website Solutions for Individuals and Small Businesses.

About Dynamic Sites (Front End / Back End Implementations) by Janssen & Associates Affordable Website Solutions for Individuals and Small Businesses.
XHTML Introductory1 Linking and Publishing Basic Web Pages Chapter 3.

XHTML Introductory1 Linking and Publishing Basic Web Pages Chapter 3.
5 Chapter Five Web Servers. 5 Chapter Objectives Learn about the Microsoft Personal Web Server Software Learn how to improve Web site performance Learn.

5 Chapter Five Web Servers. 5 Chapter Objectives Learn about the Microsoft Personal Web Server Software Learn how to improve Web site performance Learn.
Lecture # 6 Forms, Widgets and Event Handling. Today Questions: From notes/reading/life? Share Personal Web Page (if not too personal) 1.Introduce: How.

Lecture # 6 Forms, Widgets and Event Handling. Today Questions: From notes/reading/life? Share Personal Web Page (if not too personal) 1.Introduce: How.
Database-Driven Web Sites, Second Edition1 Chapter 5 WEB SERVERS.

Database-Driven Web Sites, Second Edition1 Chapter 5 WEB SERVERS.
COMP3121 E-Commerce Technologies Richard Henson University of Worcester November 2011.

COMP3121 E-Commerce Technologies Richard Henson University of Worcester November 2011.
Web Engineering we define Web Engineering as follows: 1) Web Engineering is the application of systematic and proven approaches (concepts, methods, techniques,

Web Engineering we define Web Engineering as follows: 1) Web Engineering is the application of systematic and proven approaches (concepts, methods, techniques,
Web Application Security ECE 4112. ECE 4112 - Internetwork Security What is a Web Application? An application generally comprised of a collection of scripts.

Web Application Security ECE ECE Internetwork Security What is a Web Application? An application generally comprised of a collection of scripts.

Similar presentations

Ads by Google