Researchers have long known that they can gain hidden insights into the inner workings of a website by measuring the time it takes for different requests to be fulfilled and extrapolating information (and potential weaknesses) from small variations. These “web timing attacks” have been described for years, but would often be too complex for real-world attackers to use in practice, even if they worked in theory. However, at the Black Hat security conference in Las Vegas this week, one researcher warned that Web timing attacks are actually feasible and ripe for exploitation.
James Kettle, director of research at web application security firm PortSwigger, developed a set of web timing attack techniques that can be used to expose three different categories of vulnerabilities in websites. He validated the methods using a test environment he created that collected 30,000 real websites, all of which offer bug bounty programs. He says the goal of the work is to demonstrate that once someone has a conceptual understanding of the types of information that web timing attacks can provide, exploiting them becomes more feasible.
“I’ve always avoided researching timing attacks because it’s a topic with a reputation,” Kettle says. “Everyone is researching the topic and saying their research is practical, but no one seems to actually use timing attacks in real life, so how practical is it? What I hope this work does is show people that this actually works today and get them thinking about it.”
Kettle was inspired in part by the 2020 research paper titled “Timeless Timing Attacks,” which set out to solve a common problem known as “network jitter”: the variation in the delay between sending a signal over a network and receiving it. These fluctuations distort timing measurements because they are independent of the web-server processing time that a timing attack is actually trying to measure. The 2020 paper observed, however, that by sending requests over the ubiquitous HTTP/2 protocol it is possible to put two requests into a single TCP packet, so that both are known to arrive at the server at the same time. Then, because of how HTTP/2 is designed, the responses come back in order of completion: the request that took the least time to process is answered first and the one that took the longest is answered second. This yields objective, reliable information about processing time on the system without requiring any additional knowledge of the target web server, hence “timeless timing attacks.”
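To make the jitter argument concrete, here is an added toy simulation (not code from Kettle, PortSwigger or the 2020 paper) with constructed numbers only: a modelled server whose two code paths differ by 0.2 ms of processing time, and network jitter roughly fifteen times larger than that gap. It shows why a defender cannot rely on network noise to hide a small server-side timing difference once requests are paired as described above.

```python
"""Constructed simulation of the network-jitter problem: no network traffic involved.
One code path on the modelled server takes GAP_MS longer than the other, while
network jitter is an order of magnitude larger than that gap."""
import random

GAP_MS = 0.2            # constructed server-side difference between the two code paths
SERVER_NOISE_MS = 0.05  # constructed per-request variation in server processing time
JITTER_MEAN_MS = 3.0    # constructed mean network delay, far larger than GAP_MS


def server_time(slow_path: bool, rng: random.Random) -> float:
    """Processing time of one request on the modelled server, in milliseconds."""
    return 1.0 + rng.gauss(0, SERVER_NOISE_MS) + (GAP_MS if slow_path else 0.0)


def network_jitter(rng: random.Random) -> float:
    """One sample of heavy-tailed one-way network delay, in milliseconds."""
    return rng.expovariate(1.0 / JITTER_MEAN_MS)


def sequential_leak(trials: int, rng: random.Random) -> float:
    """Classic measurement: time the two requests one after the other. Each request
    picks up its own jitter, so the measured difference is dominated by the network
    rather than by the server. Returns the fraction of trials in which the slow
    code path was correctly observed as the slower one (near 0.5 means no leak)."""
    correct = 0
    for _ in range(trials):
        fast = server_time(False, rng) + network_jitter(rng)
        slow = server_time(True, rng) + network_jitter(rng)
        correct += slow > fast
    return correct / trials


def paired_leak(trials: int, rng: random.Random) -> float:
    """Timeless measurement: both requests travel in the same packet and so share
    one jitter sample; only the order in which the server finishes them is observed.
    Returns the fraction of trials in which the slow path finished second."""
    correct = 0
    for _ in range(trials):
        shared_delay = network_jitter(rng)  # identical for both requests
        fast = server_time(False, rng) + shared_delay
        slow = server_time(True, rng) + shared_delay
        correct += slow > fast
    return correct / trials


def compare(trials: int = 2000, seed: int = 1) -> dict:
    """Run both measurement styles on the same modelled server and return the leak rates."""
    rng = random.Random(seed)
    return {"sequential": sequential_leak(trials, rng), "paired": paired_leak(trials, rng)}


if __name__ == "__main__":
    print(compare())
```

The sequential rate stays close to a coin flip while the paired rate approaches 1.0, which is the whole point: a 0.2 ms difference that jitter hides from naive measurement is fully exposed once the jitter is shared by both requests.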
Web timing attacks are part of a class of attacks known as “side channels,” in which an attacker gathers information about a target based on its real-world physical properties. In his new work, Kettle refined the “timeless timing attacks” technique to reduce network noise, and also took steps to address similar types of issues with server-related noise to make his measurements more accurate and reliable. He then began using timing attacks to look for coding errors and invisible flaws on websites that are typically hard for developers or malicious actors to find but that stand out in the information leaked with timing measurements.
In addition to using timing attacks to find hidden footholds for an attack, Kettle also developed effective techniques for detecting two other common types of exploitable web bugs. One, known as a server-side injection vulnerability, allows an attacker to introduce malicious code that sends commands and accesses data that shouldn’t be available. The other, a misconfigured reverse proxy, allows unwanted access to a system.
In his presentation at Black Hat on Wednesday, Kettle demonstrated how he could use a web timing attack to discover a misconfiguration and ultimately bypass a target web application firewall.
“Once you find this reverse proxy misconfiguration, you simply have to bypass the firewall,” he told WIRED ahead of his talk. “It’s absolutely trivial to execute once you find these remote proxies, and timing attacks are good at finding these issues.”
Along with his talk, Kettle released a feature for the open source vulnerability scanning tool known as Param Miner. The tool is an extension of the popular Burp Suite web application security assessment platform, developed by PortSwigger, the company Kettle works for. Kettle hopes to raise awareness of the usefulness of web timing attacks, but also wants to ensure that the techniques can be used defensively even by people who don’t understand the underlying concepts.
“I built all these new features into Param Miner so that people who don’t know anything about this can run this tool and find some of these vulnerabilities,” Kettle says. “It shows people things they would have otherwise missed.”