Researchers have long known that web timing attacks can be used to glean hidden information about a website’s inner workings. However, these attacks were often considered too complex to be practical. That’s no longer the case, according to James Kettle, director of research at PortSwigger.
Web timing attacks involve measuring the time it takes for different requests to be fulfilled and extrapolating information from slight variations. This can reveal vulnerabilities in websites that are otherwise difficult to detect. Kettle has developed a set of techniques that can be used to expose three different categories of vulnerabilities in websites.
Kettle has also developed a tool, Param Miner, which can be used to detect these vulnerabilities. The tool is an extension for the popular web application security assessment platform Burp Suite.
Web timing attacks are part of a class of hacks known as side channels, which gather information about a target based on its physical properties. Kettle’s work shows that these attacks are feasible and can be used to expose vulnerabilities in websites.
Kettle hopes to raise awareness about the utility of web timing attacks and to make sure that these techniques are being used for defense. By integrating his techniques into Param Miner, he aims to make it easier for people to detect these vulnerabilities, even if they don’t understand the underlying concepts.