@mtrpcic
Last active August 29, 2015 14:26
Timing Attack

A timing attack is essentially using statistics and a large number of requests to determine certain pieces of information by brute force. For example, let's say you want to break into somebody else's account on Example.com. Example.com happens to be susceptible to timing attacks, and we're going to abuse it.

The Attack Vector

Let's say the internal string compare method of whatever language Example.com is using does a "short circuit compare" when comparing strings. Maybe the code looks something like this:

def is_equal(source, dest):
    # Different lengths can never be equal; this also returns early.
    if len(source) != len(dest):
        return False
    # Short-circuit compare: give up at the first mismatched character,
    # so the running time depends on how long the matching prefix is.
    for i in range(len(source)):
        if dest[i] != source[i]:
            return False
    return True

The above code will work correctly, but it returns at the first incorrect character. This means that the method runs longer the more characters it has to compare before hitting a mismatch. By calling this function thousands of times and measuring how long each call takes, you can work out which characters the target string holds at which positions, even without knowing the source string in advance.
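As an added example (not part of the original gist), the short-circuit compare above sits beside a constant-time compare built on `hmac.compare_digest`, together with a deterministic count of how many character comparisons the leaky version performs and a median wall-clock timer; the secret and guesses are constructed sample values.

```python
import hmac
import statistics
import time

# The gist's short-circuit compare, made runnable: it returns at the first
# mismatch, so its running time grows with the length of the matching prefix.
def is_equal(source, dest):
    if len(source) != len(dest):
        return False
    for i in range(len(source)):
        if dest[i] != source[i]:
            return False
    return True

# Hardened form: hmac.compare_digest inspects every byte before answering, so
# its work does not depend on where (or whether) the guess diverges from the secret.
def constant_time_equal(source, dest):
    return hmac.compare_digest(source.encode(), dest.encode())

# Deterministic stand-in for "elapsed time": how many character comparisons
# is_equal performs before it returns. This is the quantity a timing attack
# observes indirectly through the response time.
def comparisons_made(source, dest):
    if len(source) != len(dest):
        return 0
    n = 0
    for i in range(len(source)):
        n += 1
        if dest[i] != source[i]:
            break
    return n

# Median wall-clock cost of compare(secret, guess) over many rounds; the median
# is less sensitive to scheduler noise than the mean. Values depend on the machine.
def median_ns(compare, secret, guess, rounds=5000):
    samples = []
    for _ in range(rounds):
        t0 = time.perf_counter_ns()
        compare(secret, guess)
        samples.append(time.perf_counter_ns() - t0)
    return statistics.median(samples)

if __name__ == "__main__":
    secret = "k7Qp2mWx9RtL4vBn"                      # constructed sample secret
    guesses = {"no match": "Z" * 16,                  # constructed guesses whose
               "half match": secret[:8] + "Z" * 8,    # matching prefix grows
               "near match": secret[:15] + "Z"}
    for label, g in guesses.items():
        print(f"{label:10s} comparisons={comparisons_made(secret, g):2d} "
              f"is_equal={median_ns(is_equal, secret, g):6.0f}ns "
              f"constant_time={median_ns(constant_time_equal, secret, g):6.0f}ns")
```

On a typical interpreter the `is_equal` column climbs as the matching prefix grows while the `constant_time` column stays flat; that flat profile is the property a login endpoint needs to make the statistical attack described here unproductive.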

How do you know a site is susceptible?

You don't, but you can find out. By starting a timing attack test against a site, you can keep making requests and check whether the response time varies significantly for any specific piece of data. If the site rate limits bad requests in any way, it is impossible to mount a timing attack because you get locked out too often.

What to build?

Basically, a CLI script that we can run against a target and pass some specific data to see if it is susceptible to timing attacks (and if we wanted to be nasty, actually break an account).

./timing-attack --target http://www.example.com/login --http POST --vector name=:data --data alphanumeric
mtrpcic commented Jul 28, 2015

This isn't ironed out yet, but the gist of it is here (heh). The script should also allow for parallelization to speed things up (making use of multiple cores, or spawning multiple processes, etc.), maybe options for "significance intervals" and stuff for the statistical side of things, IP spoofing or VPN stuff maybe? I dunno. Make it cool as shit, though.

Before all the cool bells and whistles are added, we'll write a fake API that is specifically susceptible to timing attacks and test the proof of concept on it. Some recent research about web APIs specifically found they were able to determine differences of 20 microseconds on average. So we need to use a language/tool that has some REALLY accurate time tools.
