Published by Anissa Moody. Modified over 8 years ago.
Slide 1: Exposing Private Information by Timing Web Applications
Stephen Kleinheider
Slide 2: Agenda
Introduction to Timing Attacks
Direct Timing Attacks
– Dealing with Network Noise/Jitter
– Username Enumeration
– Counting Number of Private Albums in a Gallery
Cross-Site Timing Attacks
– Techniques and Issues
– Test if User is Logged in
– Counting Number of Items in User’s Shopping Cart
Slide 3: Introduction to Timing Attacks
In general, timing attacks on web applications measure the time the browser takes to load a given page
– By performing a large number of requests, it is possible to obtain private information by measuring and comparing response times
Prevention is possible, but often ignored by web developers
Two main types:
– Direct Timing Attacks
– Cross-Site Timing Attacks
Slide 4: Direct Timing Attacks
Measures the time a web site takes to respond to HTTP requests
Custom program to get very accurate timing data (sub-millisecond)
Problem: dealing with network noise/jitter
Example 1: Testing for Boolean Values
– Username Enumeration
Example 2: Estimating the Size of Hidden Data
– Counting Number of Private Albums in a Gallery
Slide 5: Dealing with Network Noise/Jitter
Varying network conditions
– Long delays, packet loss
Server load
– Server handling a great number of requests concurrently
Solution:
– Statistical analysis of test data to determine jitter
– Calculate real data taking into account jitter from test data
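The statistical step on this slide, as an added example (not code from the presentation): two sets of round-trip samples are compared on their fastest percentiles rather than their means, because jitter only ever adds delay. The sample data is constructed in the script (base latency, exponential jitter and an assumed secret-dependent delay), so it runs offline; a defender can point the same comparison at real measurements of a reference page and a test page to check whether an endpoint's timing difference is distinguishable above the noise.

```python
import random
from typing import Sequence, Tuple


def simulate_samples(n: int, secret_delay_ms: float, seed: int) -> list:
    """Constructed round-trip times (not measurements from the slides):
    fixed base latency + exponential network jitter + a delay that depends
    on hidden server-side state (e.g. an extra hash step)."""
    rng = random.Random(seed)
    base_ms, jitter_mean_ms = 20.0, 2.0
    return [base_ms + rng.expovariate(1.0 / jitter_mean_ms) + secret_delay_ms
            for _ in range(n)]


def percentile(samples: Sequence[float], p: float) -> float:
    """Nearest-rank percentile for 0 <= p <= 1."""
    ordered = sorted(samples)
    idx = min(len(ordered) - 1, int(p * len(ordered)))
    return ordered[idx]


def box_test(a: Sequence[float], b: Sequence[float],
             lo: float = 0.05, hi: float = 0.20) -> Tuple[bool, tuple, tuple]:
    """Compare the low-percentile 'boxes' [lo, hi] of two sample sets.
    The fastest responses carry the least jitter, so disjoint boxes mean the
    two endpoints are distinguishable despite the noise; overlapping boxes
    mean the difference is buried in it. Returns (distinguishable, box_a, box_b)."""
    box_a = (percentile(a, lo), percentile(a, hi))
    box_b = (percentile(b, lo), percentile(b, hi))
    disjoint = box_a[1] < box_b[0] or box_b[1] < box_a[0]
    return disjoint, box_a, box_b


def endpoint_leaks(delta_ms: float, n: int = 2000) -> bool:
    """Does a secret-dependent delay of delta_ms survive the simulated jitter?
    The reference set plays the role of the page that does not depend on the
    hidden data; the test set is the page that does."""
    reference = simulate_samples(n, 0.0, seed=1)
    test = simulate_samples(n, delta_ms, seed=2)
    return box_test(reference, test)[0]


if __name__ == "__main__":
    for d in (0.0, 0.05, 1.0):
        print(f"secret delay {d:.2f} ms -> distinguishable: {endpoint_leaks(d)}")
```

With 2 ms mean jitter a 1 ms difference is clearly visible while a 0.05 ms one is not, which is why the deck later notes that counting hidden albums needs an unusually fast network path.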
Slide 6: Username Enumeration
Useful for phishing attacks
– Especially when usernames are email addresses
Possible to use direct timing attacks for username enumeration
[Figure: side-by-side comparison labelled “Bad” and “Good”]
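The “Bad” versus “Good” comparison on this slide, as an added example written for this page (not the presenter's own code): the bad login returns early for an unknown username and skips the expensive password hash, so unknown and known usernames take measurably different time; the good login always performs the hash (against an assumed dummy record for unknown users) and compares digests in constant time. The user store, salts and the HASH_CALLS counter are constructed for the demo.

```python
import hashlib
import hmac
import os

# Constructed demo user store (not from the slides): username -> (salt, PBKDF2 hash).
ITERATIONS = 100_000
HASH_CALLS = 0  # counts slow-hash runs, to show which code path each login takes


def slow_hash(password: str, salt: bytes) -> bytes:
    global HASH_CALLS
    HASH_CALLS += 1
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


_SALT = os.urandom(16)
USERS = {"alice": (_SALT, slow_hash("correct horse", _SALT))}
# Assumed dummy credential so that unknown usernames still pay for one hash.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = slow_hash("placeholder-not-a-real-password", _DUMMY_SALT)


def login_bad(username: str, password: str) -> bool:
    """'Bad' pattern: an unknown username returns before the expensive hash,
    so its response is faster than a known username with a wrong password."""
    record = USERS.get(username)
    if record is None:
        return False
    salt, stored = record
    return slow_hash(password, salt) == stored  # plain == is also not constant time


def login_good(username: str, password: str) -> bool:
    """'Good' pattern: every path does the same work. The hash always runs
    (against the dummy record for unknown users), the digest comparison is
    constant time, and the results are combined with & to avoid short-circuiting.
    The remaining dict-lookup difference is negligible next to the PBKDF2 cost."""
    known = username in USERS
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    ok = hmac.compare_digest(slow_hash(password, salt), stored)
    return ok & known


def hash_calls_for(login, username: str, password: str) -> int:
    """Number of slow-hash invocations one login attempt triggers."""
    global HASH_CALLS
    HASH_CALLS = 0
    login(username, password)
    return HASH_CALLS
```

Unknown usernames trigger zero hash calls in login_bad but exactly one in login_good, the same as a known username, which is the property the slide's “Good” side is after.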
Slide 7: Username Enumeration
Slide 9: Estimating the Size of Hidden Data
Timing attacks can be used to find data sets hidden from certain users
How it works:
– When displaying data sets, many web applications loop over all data before returning and displaying the applicable data
– Possible to calculate timing data with a strong correlation to the number of items
Example: Photo Gallery Blog
– Some albums have specific permissions per person
– “Private” albums are only seen by their creator
– Develop a timing attack to count the number of “private” albums in a gallery
Slide 10: Counting Number of Hidden Albums
Much more susceptible to noise
Very small difference in response time
Requires an unusually fast network path to the target
Slide 11: Cross-Site Timing Attacks
Timing attacks which enable a malicious site to obtain information about the user’s view of another site
– Able to time these CSRF attacks even if preventive measures exist
– Can be used to test if other CSRF attacks worked
Harder to use than direct timing attacks
Example 1: Testing for Boolean Values
– Test if User is Logged in
Example 2: Estimating the Size of Hidden Data
– Counting Number of Items in User’s Shopping Cart
Slide 12: Cross-Site Timing Techniques
JavaScript: a script is allowed to learn when and whether embedded content loads
Images are an effective method for timing
IMG tags can be used to time any web-accessible URL
Technique: use an invisible image and JavaScript to take several timing samples
– Responses timed via the onerror handler
Slide 13: Cross-Site Timing Techniques
Slide 14: Issues with Cross-Site Timing Attacks
No stable, known network configuration
– User could have any type of connection at almost any geographical location
– Absolute timing comparison not useful
Solution: two sources
– Page whose computation time is dependent on hidden data
– Page which has as little dependency as possible on hidden data (baseline)
Slide 15: Determining if a User is Logged in
Two sources:
– Test page: front page of the website
– Reference page: “Contact Us” page
Able to distinguish between four types of users:
– Never been to the site
– Been to the site but never logged in
– Currently logged into the site
– Logged in sometime in the past, but not currently logged in
Users who are logged in get redirected, adding to the request time
Slide 16: Determining if a User is Logged in
Slide 17: Estimating Size of Hidden Data
Tremendous amount of “countable” data visible only to the user
– Number of transactions on a banking site
– Auctions at an auction site
– Emails at a popular webmail site
– Search results
Example: Counting Number of Items in User’s Shopping Cart
Slide 18: Summary
Timing attacks on web applications can expose private information
Can be used for information gathering and as a first step for a phishing attack
Both types of timing attacks need to account for network noise/jitter
Best defense: ensure the web server always takes a constant amount of time to process a request
Slide 19: References
http://crypto.stanford.edu/~dabo/papers/webtiming.pdf
https://www.brendanlong.com/timing-attacks-and-usernames.html
https://www1.informatik.uni-erlangen.de/side-channels
https://www.usenix.org/legacy/event/sec03/tech/brumley/brumley_html/
https://www.securitee.org/files/timing-attacks_ccs2015.pdf