A timing attack is essentially using statistics over a large number of requests to recover certain pieces of information by brute force. For example, let's say you want to break into somebody else's account on Example.com. Example.com happens to be susceptible to timing attacks, and we're going to abuse it.
Let's say the internal string compare method of whatever language Example.com is using does a "short circuit compare" when comparing strings. Maybe the code looks something like this:
def is_equal(source, dest):
    # Short-circuit compare: returns at the first differing character,
    # so the running time depends on how long the matching prefix is.
    if len(source) != len(dest):
        return False
    for i in range(len(source)):
        if dest[i] != source[i]:
            return False
    return True
The above code gives the correct answer, but it returns at the first incorrect character. This means the method runs longer the more leading characters match. By timing this function over thousands of calls, you can infer, character by character, what the target string contains, without ever seeing the source.
You don't, but you can find out. By beginning a timing attack test on a site, you can keep making requests to determine whether there is any significant variation in response time for any specific piece of data. If the site rate limits bad requests in any way, it is impossible to timing attack because you get locked out too often.
Basically, a CLI script that we can run against a target and pass some specific data to see if it is susceptible to timing attacks (and if we wanted to be nasty, actually break an account).
./timing-attack --target http://www.example.com/login --http POST --vector name=:data --data alphanumeric
This isn't ironed out yet, but the gist of it is here (heh). The script should also allow for parallelization to speed things up (making use of multiple cores, spawning multiple processes, etc.), maybe options for "significance intervals" and other knobs on the statistical side of things, IP spoofing or VPN stuff maybe? I dunno. Make it cool as shit though.
Before all the cool bells and whistles are added, we'll write a fake API that is specifically susceptible to timing attacks and test the proof of concept against it. Some recent research on web APIs found that timing differences of about 20 microseconds on average could be detected. So we need to use a language/tool with some REALLY accurate timing facilities.
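As an added example (not code from the original text or from the tool it describes), here is the short-circuit compare from above beside a constant-time compare, with two ways of seeing the difference: a deterministic count of how many characters each comparator reads before it decides, and a median of time.perf_counter_ns over many calls, which is the highest-resolution clock the Python standard library offers and the kind of measurement the "fake API" test above would rely on. The secret string and the guesses are constructed for the demo.

```python
import hmac
import statistics
import time

# Constructed sample secret for the demo; not a value from any real system.
SECRET = "correct-horse-battery"


def short_circuit_equal(source, dest):
    """The leaky compare from the text: returns at the first mismatch,
    so the work done (and the time taken) grows with the matching prefix."""
    if len(source) != len(dest):
        return False
    for i in range(len(source)):
        if dest[i] != source[i]:
            return False
    return True


def constant_time_equal(source, dest):
    """Mitigation: inspect every character, accumulate the differences with
    XOR/OR, and only decide at the end. Production code should call
    hmac.compare_digest, which does the same thing in C."""
    if len(source) != len(dest):
        return False
    diff = 0
    for i in range(len(source)):
        diff |= ord(source[i]) ^ ord(dest[i])
    return diff == 0


class AccessCounter:
    """Wraps a guess string and counts how many characters a comparator
    actually reads. This shows the leak deterministically, independent of
    noisy wall-clock measurements."""

    def __init__(self, text):
        self.text = text
        self.reads = 0

    def __len__(self):
        return len(self.text)

    def __getitem__(self, index):
        self.reads += 1
        return self.text[index]


def chars_inspected(compare, secret, guess):
    """Return how many characters of `guess` the comparator looked at."""
    probe = AccessCounter(guess)
    compare(secret, probe)
    return probe.reads


def median_ns(compare, secret, guess, rounds=5000):
    """Median cost of one compare in nanoseconds. The median damps scheduler
    and GC noise, which is why timing measurements need many samples."""
    samples = []
    for _ in range(rounds):
        start = time.perf_counter_ns()
        compare(secret, guess)
        samples.append(time.perf_counter_ns() - start)
    return statistics.median(samples)


if __name__ == "__main__":
    for name, compare in (("short-circuit", short_circuit_equal),
                          ("constant-time", constant_time_equal)):
        print(name)
        # Guesses sharing 0, 8 and 14 leading characters with SECRET.
        for prefix_len in (0, 8, 14):
            guess = SECRET[:prefix_len] + "x" * (len(SECRET) - prefix_len)
            print(f"  prefix={prefix_len:2d}  chars read="
                  f"{chars_inspected(compare, SECRET, guess):2d}  "
                  f"median={median_ns(compare, SECRET, guess):.0f} ns")
    # The standard-library primitive to use in real code:
    print("hmac.compare_digest:", hmac.compare_digest(SECRET, "x" * len(SECRET)))
```

The character counts are the point: the short-circuit version reads one more character than the length of the matching prefix, while the constant-time version always reads the whole string. The nanosecond medians follow the same pattern on a quiet machine but wobble from run to run, which is exactly the noise the statistics in the proposed tool have to average out.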