Virtually all dynamically generated websites maintain server-side session variables for their users. These can range from harmless view settings to shopping-cart contents to security tokens or hashes. These variables can leak through timing information when compared or otherwise combined with user-controlled input. Let’s see how we can use cross-site timing attacks to recover a session variable from a vulnerable server.
The standard string-compare operator is vulnerable in most languages, including PHP. Attacking it remotely typically requires many thousands of samples, which, while practical, does not make for good live-demo material. Instead, we will attack an application in which the vulnerability is artificially amplified. The attack will still be kept realistic: it will be cross-site and executed from another browser tab.
I have put together a small PHP target application consisting of:
- set.php which saves a session variable
- test.php which compares the session variable against a GET query
The comparison function is designed to excessively leak timing information by executing an arbitrary usleep() every iteration. We will use the same <img> src timing method as before. Just as last time, we need a baseline measurement for comparison. For this we will time two different characters and select a minimum – this ensures that we catch the case where a byte fails the check. We expect a passing check to be visibly slower.
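To make the leak concrete from the defender's side, here is an added example (not code from the original post or its PHP target application) that models the two comparators in JavaScript. The early-exit compare stands in for the standard string operator the post describes; an iteration counter replaces wall-clock time and the artificial usleep(), so the difference is visible deterministically. The `leaksByPrefix` check is a hypothetical self-test a developer can run against any comparator to confirm whether its work depends on how many leading bytes of the guess are correct, which is exactly the property the timing attack relies on.

```javascript
// Added example, not from the original post. Simulates a leaky string compare and a
// constant-time compare; "iterations" stands in for elapsed time / usleep() calls.

// Mimics a standard string compare: stops at a length mismatch or the first differing byte,
// so the amount of work reveals how long the matching prefix of the guess is.
function leakyEquals(secret, guess) {
  let iterations = 0;
  if (secret.length !== guess.length) return { equal: false, iterations };
  for (let i = 0; i < secret.length; i++) {
    iterations++;
    if (secret.charCodeAt(i) !== guess.charCodeAt(i)) return { equal: false, iterations };
  }
  return { equal: true, iterations };
}

// Constant-time compare in the style of PHP's hash_equals(): always walks the whole secret
// and folds every byte difference into one accumulator instead of branching on it.
function constantTimeEquals(secret, guess) {
  let iterations = 0;
  let diff = secret.length ^ guess.length; // length mismatch is recorded here, not by early exit
  for (let i = 0; i < secret.length; i++) {
    iterations++;
    // charCodeAt() past the end of guess yields NaN; (x ^ NaN) | diff leaves diff unchanged,
    // which is fine because the length difference above already forces a mismatch.
    diff |= secret.charCodeAt(i) ^ guess.charCodeAt(i);
  }
  return { equal: diff === 0, iterations };
}

// Self-test for a comparator: builds guesses that match 0, 1, 2, ... leading bytes of the
// secret and reports whether the amount of work varies with that prefix length.
function leaksByPrefix(compare, secret) {
  const costs = new Set();
  for (let k = 0; k < secret.length; k++) {
    // Filler byte guaranteed to differ from the secret at position k.
    const filler = String.fromCharCode(secret.charCodeAt(k) ^ 1);
    const guess = secret.slice(0, k) + filler.repeat(secret.length - k);
    costs.add(compare(secret, guess).iterations);
  }
  return costs.size > 1; // more than one distinct cost means the prefix length is observable
}

// Constructed sample secret (not a real session value).
const SAMPLE_SECRET = "s3ss10n";

function demo() {
  return {
    leakyLeaks: leaksByPrefix(leakyEquals, SAMPLE_SECRET),          // true
    constantTimeLeaks: leaksByPrefix(constantTimeEquals, SAMPLE_SECRET), // false
  };
}

console.log(demo());
```

Run the block with `node` to see that only the early-exit comparator reports a leak. The same check can be pointed at a real comparator by swapping in a wrapper that measures elapsed time instead of counting iterations, but with a constant-time compare the prefix length no longer influences the work done, so there is nothing left to measure.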
Can your daily online shopping cart be spied on by external websites with a cross-site timing attack? Perhaps we will find out one day.