Andrew Bortz
Dan Boneh
ABSTRACT
We show that the time web sites take to respond to HTTP requests can leak private information, using two different types of attacks. The first, direct timing, directly measures response times from a web site to expose private information such as validity of an username at a secured site or the number of private photos in a publicly viewable gallery. The second, cross-site timing, enables a malicious web site to obtain information from the user's perspective at another site. For example, a malicious site can learn if the user is currently logged in at a victim site and, in some cases, the number of objects in the user's shopping cart. Our experiments suggest that these timing vulnerabilities are wide-spread. We explain in detail how and why these attacks work, and discuss methods for writing web application code that resists these attacks.
- Onur Aciicmez, Werner Schindler, and Cetin Koc. Improving Brumley and Boneh timing attack on unprotected SSL implementations. In Proceedings of the 12th ACM conference on Computer and communications security, 2005. Google Scholar
Digital Library
- C. Anley. Advanced SQL injection in SQL server applications, 2002. http://www.nextgenss.com/papers/advanced sql injection.pdf.Google Scholar
- Matt Blaze. Simple UNIX time quantization package. Previously available on the web.Google Scholar
- D. Boneh and D. Brumley. Remote timing attacks are practical. Journal of Computer Networks, 48(5):701--716, 2005. Extended abstract in Usenix Security 2003.Google ScholarCross Ref
- The CAPTCHA project. http://www.captcha.net.Google Scholar
- Edward W. Felten and Michael A. Schneider. Timing attacks on web privacy. In ACM Conference on Computer and Communications Security, pages 25--32, 2000. Google ScholarDigital Library
- Gallery. http://gallery.menalto.com/.Google Scholar
- Collin Jackson, Andrew Bortz, Dan Boneh, and John Mitchell. Protecting browser state from web privacy attacks. In Proceedings of the 15th ACM World Wide Web Conference (WWW 2006), 2006. Google ScholarDigital Library
- Markus Jakobsson. Modeling and preventing phishing attacks, 2005. http://www.informatics.indiana.edu/markus/papers/phishing_jakobsson.pdf.Google Scholar
- Paul Kocher. Timing attacks on implementations of Diffie-Hellman, RSA, DSS, and other systems. Advances in Cryptology, pages 104--113, 1996. Google Scholar
- Jesse Ruderman. The same origin policy, 2001. http://www.mozilla.org/projects/security/components/same-origin.html.Google Scholar
- Werner Schindler. A timing attack against RSA with the chinese remainder theorem. In CHES 2000, pages 109--124, 2000. Google ScholarDigital Library
- Werner Schindler. Optimized timing attacks against public key cryptosystems. Statistics and Decisions, 20:191--210, 2002.Google Scholar
- Chris Shiflett. Cross-site request forgeries, 2004. http://shiflett.org/articles/security-corner-dec2004.Google Scholar
- The cross-site scripting FAQ. http://www.cgisecurity.net/articles/xss-faq.shtml.Google Scholar
Index Terms
- Exposing private information by timing web applications
Recommendations
Protecting browser state from web privacy attacks
WWW '06: Proceedings of the 15th international conference on World Wide WebThrough a variety of means, including a range of browser cache methods and inspecting the color of a visited hyperlink, client-side browser state can be exploited to track users against their wishes. This tracking is possible because persistent, client-...
BogusBiter: A transparent protection against phishing attacks
Many anti-phishing mechanisms currently focus on helping users verify whether a Web site is genuine. However, usability studies have demonstrated that prevention-based approaches alone fail to effectively suppress phishing attacks and protect Internet ...
Securing web applications from injection and logic vulnerabilities
Context: Web applications are trusted by billions of users for performing day-to-day activities. Accessibility, availability and omnipresence of web applications have made them a prime target for attackers. A simple implementation flaw in the ...
Comments