Unveiling Hidden Vulnerabilities: The Power of Web Timing Attacks
For years, researchers have understood the potential of web timing attacks to reveal crucial information about a website’s inner workings. These subtle variations in response times can unveil vulnerabilities that would otherwise remain hidden. While the concept of web timing attacks has been known for some time, their practical application has been limited. However, at the recent Black Hat security conference in Las Vegas, researcher James Kettle shed light on the fact that web timing attacks are not just theoretical—they are now feasible and ready for exploitation.
Kettle, the director of research at PortSwigger, a web application security company, has developed a series of techniques for conducting web timing attacks. He conducted validation tests on a diverse range of websites, all of which offer bug bounty programs. The primary objective of his work is to demonstrate that understanding the potential of web timing attacks can enable individuals to effectively leverage them for various purposes.
Inspired by a 2020 research paper titled “Timeless Timing Attacks,” Kettle refined existing techniques to reduce network noise and address server-related issues that could impact the accuracy of measurements. By leveraging the HTTP/2 network protocol, he was able to develop “timeless timing attacks” that provide reliable insights into a target’s vulnerability without requiring in-depth knowledge of the web server.
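To make the noise-reduction point concrete, here is an added simulation (not Kettle’s or PortSwigger’s code) of why two requests carried in the same HTTP/2 packet share their network jitter, so only the order of the responses matters, and why the defence is a handler whose processing time does not depend on the input. `LEAK_MS`, `JITTER_MS` and both handlers are constructed models, not measurements of any real server.

```python
import random
from statistics import stdev

LEAK_MS = 0.5     # extra server work on one code path (constructed value)
JITTER_MS = 20.0  # network jitter per round trip, far larger than the leak

def leaky_handler(secret_path: bool, rng: random.Random) -> float:
    """Processing time (ms) of a handler whose duration depends on the
    input, e.g. an early-exit comparison. Constructed model only."""
    return 5.0 + rng.gauss(0, 0.2) + (LEAK_MS if secret_path else 0.0)

def hardened_handler(secret_path: bool, rng: random.Random) -> float:
    """The same handler after the fix: work is independent of the input."""
    return 5.0 + rng.gauss(0, 0.2)

def sequential_resolution(handler, seed: int, n: int) -> float:
    """Classic measurement: requests sent one at a time, each with its own
    jitter. Returns the standard error of the estimated timing difference,
    i.e. roughly the smallest difference this method could resolve."""
    rng = random.Random(seed)
    diffs = []
    for _ in range(n):
        t0 = handler(False, rng) + rng.gauss(0, JITTER_MS)
        t1 = handler(True, rng) + rng.gauss(0, JITTER_MS)
        diffs.append(t1 - t0)
    return stdev(diffs) / n ** 0.5

def concurrent_order_fraction(handler, seed: int, n: int) -> float:
    """'Timeless' measurement: both requests ride in one HTTP/2 packet, so
    the jitter is shared and cancels; only the response order is observed.
    Returns the fraction of trials in which the secret path answered later.
    About 0.5 means the handler leaks nothing through its timing."""
    rng = random.Random(seed)
    later = 0
    for _ in range(n):
        jitter = rng.gauss(0, JITTER_MS)   # same delay for both requests
        t0 = handler(False, rng) + jitter
        t1 = handler(True, rng) + jitter
        if t1 > t0:
            later += 1
    return later / n

if __name__ == "__main__":
    print("sequential resolution, ms :", round(sequential_resolution(leaky_handler, 1, 200), 2))
    print("leaky handler, concurrent :", concurrent_order_fraction(leaky_handler, 2, 200))
    print("hardened handler, concurrent:", concurrent_order_fraction(hardened_handler, 3, 200))
```

With these constructed numbers the sequential method cannot resolve a 0.5 ms leak (its standard error is about 2 ms), while the concurrent order test flags the leaky handler in roughly 96% of trials and stays near 50% for the hardened one.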
Web timing attacks fall under the category of “side channel” hacks, in which the attacker infers information from observable behaviour such as response time rather than from the application’s intended output. Kettle’s work focuses not only on identifying hidden coding errors but also on detecting server-side injection vulnerabilities and misconfigured reverse proxies that can facilitate unauthorized access to systems.
During his presentation at Black Hat, Kettle showcased how a web timing attack could expose a misconfiguration, enabling him to bypass a web application firewall effortlessly. His work is not only about uncovering vulnerabilities but also about empowering individuals to defend against potential attacks by integrating these techniques into cybersecurity tools like Param Miner.
Param Miner, an extension for the Burp Suite web application security assessment platform, incorporates Kettle’s advancements in web timing attacks. By making these tools accessible to a wider audience, Kettle aims to raise awareness about the importance of understanding and utilizing web timing attacks for proactive defense.