
Timing attacks against web applications: Are they still practical?

DefCamp

Presented by Ivan Petrov in Bucharest, Romania, on November 8-9, 2018, at DefCamp #9. The videos and other presentations can be found at https://def.camp/archive


  • 1. Timing attacks against web applications: Are they still practical?
    09.11.2018
    Ivan Petrov, Penetration tester
  • 2. Timing attacks against web applications: Are they still practical?
    - What is a timing attack?
    - What was our plan?
    - What did we do differently?
    - What did we achieve?
    - How practical are timing attacks (over the internet)?
    - Who is subject to an attack?
    - What is an acceptable solution?
  • 3. What is a timing attack? Basic string comparison in PHP
  • 4. What is a timing attack? is_identical_function()
  • 5. What is a timing attack? memcmp()
  • 6. What is a timing attack?
    Key: 256c27ad3cd09366e9884a8c93747900
    Per-character comparison times for two guesses; the comparison stops at the first mismatching character:
    Guess   2      5      6      4th    5th    Total execution time
    256cd   21 ns  16 ns  19 ns  17 ns  22 ns  95 ns   (mismatch at the 5th character: d vs 2)
    256e    18 ns  20 ns  22 ns  20 ns  -      80 ns   (mismatch at the 4th character: e vs c)
  • 7. What is a timing attack?
    Key: 256c27ad3cd09366e9884a8c93747900
    Guess   2      5      6      c      5th    6th      Total execution time
    256cd   21 ns  16 ns  19 ns  17 ns  22 ns  -        95 ns
    256c8   16 ns  14 ns  24 ns  18 ns  19 ns  -        91 ns
    256c2   18 ns  21 ns  16 ns  21 ns  17 ns  22 ns ?  115 ns
    256c2 matches the key's 5th character, so the comparison goes on to a 6th one; its total is the longest.
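The early-exit behaviour that slides 3 to 7 measure in nanoseconds can be reproduced deterministically by counting how many bytes a comparison routine inspects before it answers. The block below is an added example, not code from the slides: the key is the one printed on slide 6, the padded full-length candidates and the `padded`/`work_profile` helpers are constructed for this example, and `constant_time_compare` is a teaching model of the fix (real code should use `hmac.compare_digest`, shown in `verify_constant_time`).

```python
# Added example (not from the DefCamp slides). Counts the byte comparisons a
# routine performs so the leak shown on slides 6 and 7 can be reproduced
# without a stopwatch: an early-exit compare does (matched prefix + 1) steps,
# a constant-time compare always does the full length.

import hmac

KEY = "256c27ad3cd09366e9884a8c93747900"  # key from slide 6


def early_exit_compare(secret: str, guess: str) -> tuple[bool, int]:
    """Model of memcmp()/PHP string comparison: stops at the first mismatch.
    Returns (equal, bytes_inspected); bytes_inspected is the leaked quantity."""
    if len(secret) != len(guess):
        return False, 0
    inspected = 0
    for a, b in zip(secret.encode(), guess.encode()):
        inspected += 1
        if a != b:
            return False, inspected
    return True, inspected


def constant_time_compare(secret: str, guess: str) -> tuple[bool, int]:
    """Teaching model of a constant-time compare: inspects every byte and ORs
    the differences together, so the work does not depend on where the first
    mismatch is. A Python loop is not truly constant time; production code
    should call hmac.compare_digest (see verify_constant_time)."""
    if len(secret) != len(guess):
        return False, 0
    diff = 0
    inspected = 0
    for a, b in zip(secret.encode(), guess.encode()):
        diff |= a ^ b
        inspected += 1
    return diff == 0, inspected


def verify_constant_time(secret: str, guess: str) -> bool:
    """Production form of the fix: the standard library's constant-time compare."""
    return hmac.compare_digest(secret.encode(), guess.encode())


def padded(prefix: str, length: int = len(KEY), fill: str = "0") -> str:
    """Constructed full-length candidate: the slide's short guess followed by a
    filler character so that both strings have the same length."""
    return (prefix + fill * length)[:length]


def work_profile(compare, secret: str, prefixes: list[str]) -> dict[str, int]:
    """Bytes inspected by `compare` for each candidate prefix. For an early-exit
    routine the count grows with the matched prefix, which is the side channel
    the slides observe as a longer total execution time."""
    return {p: compare(secret, padded(p))[1] for p in prefixes}


if __name__ == "__main__":
    guesses = ["256cd", "256e", "256c8", "256c2"]  # the guesses from slides 6 and 7
    print("early exit   :", work_profile(early_exit_compare, KEY, guesses))
    print("constant time:", work_profile(constant_time_compare, KEY, guesses))
```

Running this reproduces the ordering of slide 7: "256c2" costs one comparison more than "256c8" and "256cd" because its fifth character matches the key, while the constant-time routine reports the same count for every guess. The same instrumentation is a cheap way to check a comparison routine in your own code base before trusting it for tokens or hashes.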
  • 8. Our plan
    General scenario: Attacker → Hop 1 → Hop … → Hop N → Web server → Application
  • 9. Prerequisites
    - We had access to the source code
    - A pass-the-hash vulnerability was present
    - A weak hash function was used (and without a salt)
    - There was no WAF/IDS/IPS in place
    - There was no reverse proxy, CDN or caching
  • 10. Our plan
    Step 1: Study the application's source code in detail
    Step 2: Pinpoint a particular function to exploit
    Step 3: Conduct basic data collection (timing)
    Step 4: Work to improve noise filtration
    Step 5: Reduce the search space for the timing attack
  • 11. Our plan
    What worked:
    - Application profiling using a profiler (xdebug, xhprof etc.)
    - Measuring RTT via TCP timestamps
    - Making observations from user space
    What didn't work:
    - Timing different PHP functions used by the application
    - Averaging out the web server's performance (per version)
  • 12. Calculating the RTT
    - Must NOT be done in user space
    - Packet capturing yields reliable results (SYN, ACK)
    - TCP timestamps' granularity: 1 ms to 100 seconds
    - Tracing system calls (e.g. strace(1)) can be tricky
    - Different protocols can be routed differently
  • 15. Calculating server response time
    Packet capturing with tshark(1):
    0.000978360 X.X.X.X → Y.Y.Y.Y HTTP 146 GET / HTTP/1.1
    0.001722918 Y.Y.Y.Y → X.X.X.X TCP 66 80 → 33930 [ACK] Seq=1 Ack=81 Win=29056 Len=0 TSval=1737072019 TSecr=3816704019
    0.004035262 Y.Y.Y.Y → X.X.X.X HTTP 481 HTTP/1.1 301 Moved Permanently (text/html)
  • 16. What else? Spikes. What do we use to identify them?
    - Mirroring the target environment
    - Application profiling (function timing)
    - Execution timing per different environments
    - Calculating the median absolute deviation (MAD)
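Slide 16 names the median absolute deviation (MAD) as the tool for identifying spikes in the collected timings. The block below is an added example, not the speaker's code: it splits a series of response-time samples into kept values and spikes with a MAD-based cutoff. The sample values are constructed, and the 1.4826 scale factor and 3.5 cutoff are conventional choices for a normal-ish distribution, not figures from the talk.

```python
# Added example (not from the DefCamp slides): robust spike detection with the
# median absolute deviation. Unlike mean/standard deviation, the median and MAD
# are not dragged upward by the very outliers you are trying to remove.

from statistics import median

# Constructed response-time samples in nanoseconds; 95 is the obvious spike.
SAMPLES_NS = [20, 21, 19, 22, 20, 18, 21, 95, 20, 19]

MAD_TO_SIGMA = 1.4826   # rescales MAD to the standard deviation of a normal distribution


def mad(samples: list[float]) -> float:
    """Median absolute deviation: median of |x - median(samples)|."""
    med = median(samples)
    return median([abs(x - med) for x in samples])


def split_spikes(samples: list[float], cutoff: float = 3.5) -> tuple[list[float], list[float]]:
    """Returns (kept, spikes). A sample is a spike when its distance from the
    median exceeds `cutoff` robust standard deviations (MAD_TO_SIGMA * MAD).
    Edge case: when MAD is 0 (more than half the samples are identical) the
    scale collapses, so any sample that differs from the median is a spike."""
    if not samples:
        return [], []
    med = median(samples)
    scale = MAD_TO_SIGMA * mad(samples)
    kept, spikes = [], []
    for x in samples:
        dev = abs(x - med)
        is_spike = dev > cutoff * scale if scale > 0 else dev > 0
        (spikes if is_spike else kept).append(x)
    return kept, spikes


def robust_estimate(samples: list[float]) -> float:
    """Median of the samples that survive spike removal: the per-guess value
    you would actually compare across candidates."""
    kept, _ = split_spikes(samples)
    return median(kept) if kept else float("nan")


if __name__ == "__main__":
    kept, spikes = split_spikes(SAMPLES_NS)
    print(f"median={median(SAMPLES_NS)} MAD={mad(SAMPLES_NS)} spikes={spikes}")
    print("robust estimate (ns):", robust_estimate(SAMPLES_NS))
```

With the constructed samples the median is 20 ns and the MAD is 1 ns, so the 95 ns value sits about 50 robust standard deviations out and is dropped, while the 22 ns value (about 1.3) is kept. The zero-MAD fallback matters for a quiet local network where most samples are identical at the timer's resolution.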
  • 17. The target? More specifically.
  • 20. Attack resources
    - On average: 14 000 requests per character
    - The hash is hexadecimal: it uses a character set of 16 elements (a-f, 0-9)
    - Hash length is 40 characters
    Rough statistics for the attack: ~224 000 requests per position … or ~8 960 000 requests for full hash recovery
  • 21. Difference from brute-forcing?
    Works for any user-supplied password, no matter the complexity. It's simple.
    However… brute-forcing would be preferable if the user has used a predictable password.
  • 22. Reducing the search space
    - It's not necessary to go for a full hash (in some cases)
    - We can use rainbow tables to look up partial hashes
    Some more basic statistics
    Estimation: elements to pick from * number of requests per element * length
    - First 10 characters are expected to be recovered with 2 240 000 requests
    - First 13 characters are expected to be recovered with 2 912 000 requests
    - First 20 characters are expected to be recovered with 4 480 000 requests
  • 23. Demo
  • 24. Is this practical?
    Advantages
    - Timing attacks can be more efficient than brute-forcing
    - A lot of developers are not paying attention to them
    Disadvantages
    - In most cases they are easy to detect
    - Hard to execute and easy to fail
    - Require a MASSIVE amount of requests
    - Can be hindered by any standard WAF/IDS
    - A reverse proxy will almost completely render them useless
  • 25. Who is vulnerable?
    - Applications that are not using timing-safe comparisons (constant-time algorithms)
    - Applications that have no rate limiting and/or monitoring in place
    - Shared hosting environments and virtualization can aid a timing attack
  • 26. What can the consequences be?
    - Ranging from useless traffic to a complete server takeover, depending on the timing differences
    - Resource exhaustion if costly operations are performed on the back-end and continuously abused over a period of time
  • 27. Solution to timing attacks?
    - Do not solely rely on network jitter
    - Use constant-time algorithms for critical operations (auth, crypto)
    - Enforce a rate limiting policy
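Slide 27's two actionable mitigations, a constant-time comparison and a rate limit, fit together in a small token check. The block below is an added example, not code from the talk: the constant-time comparison is the standard library's `hmac.compare_digest`, the sliding-window limiter and the `TokenChecker` class are constructed for this example, and the clock is passed in explicitly so the behaviour can be exercised without sleeping. The expected token is the key printed on slide 6.

```python
# Added example (not from the DefCamp slides): a token/hash check that applies
# both mitigations from slide 27. Every attempt counts against the limit,
# successful or not, because a timing probe presents well-formed values.

import hmac
from collections import defaultdict, deque

EXPECTED_TOKEN = "256c27ad3cd09366e9884a8c93747900"  # key from slide 6


class SlidingWindowLimiter:
    """Allows at most `max_requests` per client in any `window_seconds` span."""

    def __init__(self, max_requests: int, window_seconds: float):
        self.max_requests = max_requests
        self.window = window_seconds
        self._hits = defaultdict(deque)  # client id -> timestamps of recent attempts

    def allow(self, client_id: str, now: float) -> bool:
        hits = self._hits[client_id]
        while hits and now - hits[0] >= self.window:   # drop attempts that left the window
            hits.popleft()
        if len(hits) >= self.max_requests:
            return False
        hits.append(now)
        return True

    def attempts(self, client_id: str) -> int:
        return len(self._hits[client_id])


class TokenChecker:
    """Rate-limited, constant-time check of a presented token against the expected one."""

    def __init__(self, expected: str, limiter: SlidingWindowLimiter):
        self._expected = expected.encode()
        self._limiter = limiter

    def check(self, client_id: str, presented: str, now: float) -> str:
        """Returns "rate_limited", "invalid" or "ok". The limiter is consulted
        first so that a blocked client learns nothing about the token at all."""
        if not self._limiter.allow(client_id, now):
            return "rate_limited"
        # compare_digest runs in time independent of where the strings differ
        # (it still returns False quickly for unequal lengths, which leaks only
        # the length, not the content).
        if hmac.compare_digest(self._expected, presented.encode()):
            return "ok"
        return "invalid"


if __name__ == "__main__":
    checker = TokenChecker(EXPECTED_TOKEN, SlidingWindowLimiter(max_requests=3, window_seconds=60))
    for t in (0.0, 1.0, 2.0, 3.0):
        print(t, checker.check("client-a", "0" * 32, now=t))
    print(61.0, checker.check("client-a", EXPECTED_TOKEN, now=61.0))
```

The limiter is what turns the arithmetic on slides 20 and 22 against the attacker: at three attempts per minute per client the ~14 000 requests the talk needs per character are out of reach long before the jitter question even arises, and a burst of attempts from one client is also a clean signal for monitoring (slide 25). In a real deployment the limiter's state would live in shared storage so that all application instances behind a load balancer see the same counts.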
  • 28. Some astonishing research
    - Opportunities and Limits of Remote Timing Attacks (2009), Scott A. Crosby, Dan S. Wallach and Rudolf H. Riedi, Rice University
    - Nanosecond Scale Remote Timing Attacks On PHP Applications: Time To Take Them Seriously? (2010), Padraic Brady
  • 29. Questions & Feedback
    Thank you. Bibliography available upon request.
    www.tadgroup.com
    info@tadgroup.com