CAPEC-462 Cross-Domain Search Timing

CAPEC ID: 462

CAPEC-462 Metadata

Likelihood of Attack

High

Typical Severity

Medium

Overview

Summary

An attacker initiates cross domain HTTP / GET requests and times the server responses. The timing of these responses may leak important information about what is happening on the server. The browser's same origin policy prevents the attacker from directly reading the server responses (in the absence of any other weaknesses), but does not prevent the attacker from timing the responses to requests that the attacker issued cross domain.

Prerequisites

  • Ability to issue GET / POST requests cross domain
  • JavaScript is enabled in the victim's browser
  • The victim has an active session with the site from which the attacker would like to receive information
  • The victim's site does not protect search functionality with cross site request forgery (CSRF) protection

Execution Flow

Step 1 (Explore): Determine service to send cross domain requests to
  The adversary first determines which service they will be sending the requests to.

Step 2 (Experiment): Send and time various cross domain requests
  Adversaries will send a variety of cross domain requests to the target, timing how long the target takes to respond. Although they won't be able to read the response, the adversary can use the time to infer information about what the service did upon receiving the request.
  Techniques:
  • Using a GET request, leverage the "img" tag in conjunction with "onload() / onerror()" JavaScript events to time a response
  • Using a POST request, leverage the "iframe" element and use the "onload()" event to time a response

Step 3 (Exploit): Infer information from the response time
  After obtaining response times to various requests, the adversary compares these times and infers potentially sensitive information. For example, a service might be asked to retrieve information for random usernames; if one request takes longer to process, it is likely that a user with that username exists, which could be useful knowledge to an adversary.
  Techniques:
  • Compare timing of different requests to infer potentially sensitive information about a target service

Potential Solutions / Mitigations

Design: The victim's site could protect all potentially sensitive functionality (e.g. search functions) with cross site request forgery (CSRF) protection and not perform any work on behalf of forged requests.
Design: The browser's security model could be fixed to not leak timing information for cross domain requests.
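A server-side sketch of the first mitigation, added here as an illustration (not code from the CAPEC entry). It assumes a minimal `Request` stand-in and a `run_query` callback for the real search; the point is that a forged cross domain request is refused before any search work runs, so its response time reveals nothing about the query.

```python
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Request:
    """Minimal stand-in for an HTTP request (constructed for this example)."""
    method: str
    headers: dict = field(default_factory=dict)
    params: dict = field(default_factory=dict)   # query string or form body


def new_session():
    """Per-session CSRF token, rendered into the same-origin search form.
    A cross-origin <img> or <iframe> cannot read the form, so it cannot
    supply the token."""
    return {"csrf": secrets.token_urlsafe(32)}


def is_forged(req, session):
    """Return True if the search request must be treated as cross-site."""
    # Modern browsers attach Sec-Fetch-Site to every request. Anything other
    # than a same-origin request (or a direct navigation, 'none') is refused.
    site = req.headers.get("Sec-Fetch-Site")
    if site is not None and site not in ("same-origin", "none"):
        return True
    # Older browsers send no such header, so always require the token too.
    # Constant-time comparison keeps the check itself from leaking timing.
    token = req.params.get("csrf", "")
    return not hmac.compare_digest(token, session["csrf"])


def handle_search(req, session, run_query):
    """Gate the search behind the CSRF check. Forged requests get a cheap,
    fixed-cost 403 before run_query executes, so the attacker's <img> or
    <iframe> onload timer only ever measures the rejection path."""
    if is_forged(req, session):
        return 403, None
    return 200, run_query(req.params.get("q", ""))


if __name__ == "__main__":
    s = new_session()
    legit = Request("POST", {"Sec-Fetch-Site": "same-origin"},
                    {"q": "alice", "csrf": s["csrf"]})
    forged = Request("GET", {"Sec-Fetch-Site": "cross-site"}, {"q": "alice"})
    print(handle_search(legit, s, lambda q: ["hit" for _ in [q]]))   # (200, ['hit'])
    print(handle_search(forged, s, lambda q: ["hit"]))                # (403, None)
```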

Related Weaknesses (CWE)

CWE ID Description
CWE-208 Observable Timing Discrepancy
CWE-352 Cross-Site Request Forgery (CSRF)
CWE-385 Covert Timing Channel

Related CAPECs

CAPEC ID Description
CAPEC-54 An adversary, aware of an application's location (and possibly authorized to use the application), probes an application's structure and evaluates its robustness by submitting requests and examining responses. Often, this is accomplished by sending variants of expected queries in the hope that these modified queries might return information beyond what the expected set of queries would provide.
