Time to read your hidden variables

Virtually all dynamically generated websites keep server-side session variables for their users. These range from harmless view settings, through shopping-cart contents, to security tokens and hashes. Whenever such a variable is compared or otherwise combined with user-controlled input, the time the server takes to respond can leak information about it. Let's see how a cross-site timing attack can recover a session variable from a vulnerable server.

The standard string-compare operator is vulnerable in most languages, PHP included: it walks both strings byte by byte and returns at the first mismatch, so the comparison takes slightly longer for every leading byte the attacker has guessed correctly. Attacking that remotely typically requires many thousands of samples per byte, which is practical but does not make good live-demo material. Instead, we will attack an application where the vulnerability is artificially amplified. The attack itself stays realistic: it is cross-site and runs from another browser tab. (On the server side the fix is a constant-time comparison such as PHP's hash_equals(), which takes the same time whether the strings differ in the first byte or the last.)

I have put together a small PHP target application consisting of:

  1. set.php which saves a session variable
  2. test.php which compares the session variable against a GET query

The comparison function is designed to leak timing information excessively: it executes an arbitrary usleep() for every byte it compares, so the response time grows with the length of the correctly guessed prefix. We will use the same <img> src timing method as before. Just as last time, we need a baseline measurement to compare against. For this we time two different candidate characters and take the minimum: at most one of the two can be correct, so the minimum always reflects a byte that failed the check. A passing byte is then expected to be visibly slower than this baseline, and we extend the known prefix one byte at a time.
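To make the recovery loop concrete, here is an added example (my own code, not the post's PHP target or its attack page): a Node.js simulation in which leakyCompare() stands in for test.php's amplified comparison and makeSimulatedProbe() stands in for the <img> timing measurement. The secret "s3cr3t", the alphabet, the per-byte delay, the fixed round trip and the jitter are all constructed for the demo.

```javascript
// Added example, not the post's code: a Node.js simulation of the byte-by-byte
// recovery loop. The "server" is a stand-in for test.php with a usleep() per
// matched byte; the secret, alphabet and timing constants are constructed.

const SECRET = "s3cr3t";                              // constructed session variable
const ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789";
const SLEEP_PER_BYTE = 50;   // simulated usleep() per matching byte, in microseconds
const RTT = 1000;            // simulated fixed network round trip
const JITTER = 20;           // simulated noise, added uniformly to each sample

// Stand-in for the amplified PHP comparison: early exit on the first mismatch,
// one usleep() after every byte that matched. Returns [equal, simulatedCost].
function leakyCompare(secret, guess) {
  let cost = 0;
  const n = Math.min(secret.length, guess.length);
  for (let i = 0; i < n; i++) {
    if (secret[i] !== guess[i]) return [false, cost];
    cost += SLEEP_PER_BYTE;
  }
  return [secret.length === guess.length, cost];
}

// Small seeded PRNG (mulberry32) so the simulated jitter is reproducible.
function mulberry32(seed) {
  return function () {
    let t = (seed += 0x6d2b79f5);
    t = Math.imul(t ^ (t >>> 15), t | 1);
    t ^= t + Math.imul(t ^ (t >>> 7), t | 61);
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}

// Builds probe(guess) -> simulated response time. In the real attack this is
// replaced by timing an <img> whose src is test.php?v=<guess>.
function makeSimulatedProbe(secret, seed) {
  const rand = mulberry32(seed);
  return (guess) => RTT + leakyCompare(secret, guess)[1] + rand() * JITTER;
}

function median(values) {
  const s = [...values].sort((a, b) => a - b);
  return s[(s.length - 1) >> 1];
}

// Recovers the secret one byte at a time. Every candidate is timed `samples`
// times and summarised by its median. The baseline is the minimum over two
// different candidates: at most one of them can be right, so the minimum is a
// failing check. The candidate that beats the baseline by more than `threshold`
// is accepted; if none does, the known prefix already equals the whole secret
// (extending it no longer changes the compared prefix) and the loop stops.
function recoverSecret(probe, alphabet, samples, threshold, maxLen = 64) {
  let known = "";
  while (known.length < maxLen) {
    const timing = {};
    for (const c of alphabet) {
      const runs = [];
      for (let i = 0; i < samples; i++) runs.push(probe(known + c));
      timing[c] = median(runs);
    }
    const baseline = Math.min(timing[alphabet[0]], timing[alphabet[1]]);
    let best = null;
    for (const c of alphabet) {
      if (timing[c] - baseline > threshold && (best === null || timing[c] > timing[best])) {
        best = c;
      }
    }
    if (best === null) break;
    known += best;
  }
  return known;
}

if (typeof require !== "undefined" && require.main === module) {
  const probe = makeSimulatedProbe(SECRET, 1);
  console.log("recovered:", recoverSecret(probe, ALPHABET, 5, SLEEP_PER_BYTE / 2));
}
```

In the real attack `probe` becomes a function that sets `img.src` to test.php?v=<guess> (with a cache-busting parameter) and measures the time to the load or error event with performance.now(); since that is asynchronous, the loop has to await each sample. The threshold is the only calibration: here it is half the per-byte delay, which is known in the simulation and would be estimated from the spread of the baseline measurements on a real target.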

Of course, at the end of the day the malicious JavaScript would send the recovered data back to the attacker's server. The user would be completely unaware of the attack; the only defence on their side is isolation, for example keeping the target site in a separate browser profile, or logged out, while browsing untrusted pages.

Can your daily online shopping cart be spied on by external websites with a cross-site timing attack? Perhaps we will find out one day.

Source code
