Researchers have long known that they can glean hidden information about the inner workings of a website by measuring the time it takes for various requests to be fulfilled and inferring information and potential weaknesses from slight differences. Such “web timing attacks” have been described for years, but while they work in theory, they are often too complicated to be put to practical use by real-world attackers. But at the Black Hat security conference in Las Vegas this week, one researcher warned that web timing attacks are indeed feasible and likely to be exploited in the wild.
James Kettle, director of research at web application security company PortSwigger, developed a set of web timing attack techniques that can be used to expose vulnerabilities in three different categories of websites. He tested the techniques in a test environment made up of 30,000 real-world websites that offer bug bounty programs. The goal of the research, he said, is to show that having a conceptual understanding of the type of information a web timing attack can deliver makes the attack far more feasible.
“I’ve always avoided researching timing attacks because it’s a popular topic,” Kettle says. “Everyone does the research and says the research is practical, but no one seems to actually use timing attacks in real life. So how practical is it? I hope this research will show people that this kind of thing actually works today and get them thinking.”
Kettle was inspired in part by a 2020 research paper called “Timeless Timing Attacks,” which set out to solve a general problem known as “network jitter”: the delay between when a signal is sent and when it is received on a network varies from packet to packet. These variations affect timing measurements but are unrelated to the web server processing that the timing attack is trying to measure, so they skew the results. The 2020 study noted, however, that when requests are sent over the ubiquitous HTTP/2 protocol, two requests can be bundled into a single TCP packet so that both arrive at the server at the same moment. HTTP/2’s design then returns the responses in order of completion, with the response that took the shortest time to process coming first and the one that took longest coming second. This provides reliable information about the relative timing of the two requests without requiring any additional knowledge of the target web server. This is the “timeless timing attack.”
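The following simulation is an added illustration, not code from Kettle, PortSwigger or the 2020 paper; it models a server with two code paths that differ by a constructed 0.2 ms of work and shows why per-request timing is swamped by jitter while the paired, order-only measurement described above is not. All constants are assumed values for the demonstration, and no network traffic is involved.

```python
import random

# Constructed model of the target: every request costs BASE seconds, and the
# "slow" code path (the hidden behaviour a timing side channel would reveal)
# costs an extra EXTRA seconds. Network jitter adds up to JITTER seconds per
# packet, which dwarfs the signal.
BASE = 0.010      # 10 ms of ordinary processing (assumed)
EXTRA = 0.0002    # 0.2 ms of extra work on the slow path (assumed)
JITTER = 0.005    # per-packet network delay varies by up to 5 ms (assumed)
SERVER_NOISE = 0.0001  # small server-side noise per request (assumed)


def server_time(slow_path: bool, rng: random.Random) -> float:
    """Processing time on the server for one request, with server-side noise."""
    return BASE + (EXTRA if slow_path else 0.0) + rng.uniform(0, SERVER_NOISE)


def sequential_measure(trials: int, seed: int = 1) -> float:
    """Classic timing measurement: each request is sent on its own, so each
    observation carries an independent network delay. Returns the fraction
    of trials in which the slow path actually looked slower."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        fast = server_time(False, rng) + rng.uniform(0, JITTER)
        slow = server_time(True, rng) + rng.uniform(0, JITTER)
        hits += slow > fast
    return hits / trials


def paired_measure(trials: int, seed: int = 1) -> float:
    """Timeless timing measurement: both requests travel in one HTTP/2 packet,
    so they share the same network delay and only the order in which the
    responses come back is observed. Returns the fraction of trials in which
    the slow path's response came back second."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        shared_delay = rng.uniform(0, JITTER)  # identical for both requests
        fast = server_time(False, rng) + shared_delay
        slow = server_time(True, rng) + shared_delay
        hits += slow > fast  # order of arrival is all that is compared
    return hits / trials


if __name__ == "__main__":
    print("sequential:", sequential_measure(1000))  # close to 0.5: no signal
    print("paired:    ", paired_measure(1000))      # 1.0: order always reveals it
```

With independent delays the 0.2 ms difference is indistinguishable from chance, whereas the shared-packet ordering recovers it in every trial, which is the property the detection techniques described here build on.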
Web timing attacks are a type of hacking known as a “side channel,” in which attackers gather information about their targets from real-world physical properties such as timing. In his new research, Kettle refined the “timeless timing attack” technique for reducing network noise and also addressed similar issues with server-related noise, making his measurements more accurate and reliable. Kettle then used timing attacks to look for normally invisible coding errors and website flaws that would be hard for developers or bad actors to find, but that are revealed by the information leaked in timing measurements.
In addition to using timing attacks to find hidden footholds for attacks, Kettle has also developed effective techniques to detect two other common exploitable web bugs: server-side injection vulnerabilities, which let attackers inject code that issues commands and reads data they should not be able to reach, and misconfigured reverse proxies, which allow unintended access to systems.
During his presentation at Black Hat on Wednesday, Kettle demonstrated how a web timing attack can be used to uncover misconfigurations and ultimately circumvent a target’s web application firewall.
“Once you find these reverse proxy misconfigurations, you just bypass the firewall,” he told WIRED before his talk. “Once you find these remote proxies, it’s totally easy to do. Timing attacks are great for finding these issues.”
Alongside his talk, Kettle unveiled the capabilities of an open-source vulnerability scanning tool called Param Miner, which is an extension to Burp Suite, a popular web application security assessment platform developed by Kettle’s employer, PortSwigger. Kettle hopes to raise awareness about the usefulness of web timing attacks, but also to ensure that people can use the technique for defense, even if they don’t understand the basic concepts.
“I’ve integrated all of these new features into Param Miner so that even people who don’t know anything about the tool can run it and find some of these vulnerabilities,” Kettle says. “The tool is showing people things they would have missed otherwise.”