Close Menu
Technology Mag

    Subscribe to Updates

    Get the latest creative news from FooBar about art, design and business.

    What's Hot

    The Ploopy Knob is an open-source control dial for your PC

    July 4, 2025

    Laid-off workers should use AI to manage their emotions, says Xbox exec

    July 4, 2025

    Despite Protests, Elon Musk Secures Air Permit for xAI

    July 4, 2025
    Facebook X (Twitter) Instagram
    Subscribe
    Technology Mag
    Facebook X (Twitter) Instagram YouTube
    • Home
    • News
    • Business
    • Games
    • Gear
    • Reviews
    • Science
    • Security
    • Trending
    • Press Release
    Technology Mag
    Home » Tricky Web Timing Attacks Are Getting Easier to Use—and Abuse
    Security

    Tricky Web Timing Attacks Are Getting Easier to Use—and Abuse

    News RoomBy News RoomAugust 9, 20244 Mins Read
    Facebook Twitter Pinterest LinkedIn Reddit WhatsApp Email

    Researchers have long known that they can glean hidden information about the inner workings of a website by measuring the amount of time different requests take to be fulfilled and extrapolating information—and potential weaknesses—from slight variations. Such “web timing attacks” have been described for years, but they would often be too involved for real-world attackers to utilize in practice, even if they work in theory. At the Black Hat security conference in Las Vegas this week, though, one researcher warned that web timing attacks are actually feasible and ripe for exploitation.

    James Kettle, director of research at the web application security company PortSwigger, developed a set of web timing attack techniques that can be used to expose three different categories of vulnerabilities in websites. He validated the methods using a test environment he made that compiled 30,000 real websites, all of which offer bug bounty programs. He says the goal of the work is to show that once someone has a conceptual grasp on the types of information web timing attacks can deliver, taking advantage of them becomes more feasible.

    “I’ve always kind of avoided researching timing attacks because it’s a topic with a reputation,” Kettle says. “Everyone does research into it and says their research is practical, but no one ever seems to actually use timing attacks in real life, so how practical is it? What I’m hoping this work will do is show people that this stuff does actually work these days and get them thinking about it.”

    Kettle was inspired in part by a 2020 research paper titled “Timeless Timing Attacks,” which worked toward a solution for a common issue. Known as “network jitter,” the paper’s moniker refers to time delays between when a signal is sent and received on a network. These fluctuations impact timing measurements, but they are independent of the web server processing measured for timing attacks, so they can distort readings. The 2020 research, though, pointed out that when sending requests over the ubiquitous HTTP/2 network protocol, it is possible to put two requests into a single TCP communication packet so you know that both requests arrived at the server at the same time. Then, because of how HTTP/2 is designed, the responses will come back ordered so that the one that took less time to process is first and the one that took longer is second. This gives reliable, objective information about timing on the system without requiring any extra knowledge of the target web server—hence, “timeless timing attacks.”

    Web timing attacks are part of a class of hacks known as “side channels,” in which the attacker gathers information about a target based on its real world, physical properties. In his new work, Kettle refined the “timeless timing attacks” technique for reducing network noise and also took steps to address similar types of issues with server-related noise so his measurements would be more accurate and reliable. He then started using timing attacks to look for otherwise invisible coding errors and flaws in websites that are usually difficult for developers or bad actors to find, but that are highlighted in the information that leaks with timing measurements.

    In addition to using timing attacks to find hidden footholds to attack, Kettle also developed effective techniques for detecting two other common types of exploitable web bugs. One, known as a server-side injection vulnerability, allows an attacker to introduce malicious code to send commands and access data that shouldn’t be available. And the other, called misconfigured reverse proxies, allows unintended access to a system.

    In his presentation at Black Hat on Wednesday, Kettle demonstrated how he could use a web timing attack to uncover a misconfiguration and ultimately bypass a target web application firewall.

    “Because you found this inverse proxy misconfiguration you just go around the firewall,” he told WIRED ahead of his talk. “It’s absolutely trivial to execute once you’ve found these remote proxies, and timing attacks are good for finding these issues.”

    Alongside his talk, Kettle released functionality for the open source vulnerability-scanning tool known as Param Miner. The tool is an extension for the popular web application security assessment platform Burp Suite, which is developed by Kettle’s employer, PortSwigger. Kettle hopes to raise awareness about the utility of web timing attacks, but he also wants to make sure the techniques are being utilized for defense even when people don’t grasp the underlying concepts.

    “I integrated all these new features into Param Miner so people out there who don’t know anything about this can run this tool and find some of these vulnerabilities,” Kettle says. “It’s showing people things that they would have otherwise missed.”

    Share. Facebook Twitter Pinterest LinkedIn WhatsApp Reddit Email
    Previous ArticleOpenAI Warns Users Could Become Emotionally Hooked on Its Voice Mode
    Next Article Asus Zenbook S 16 review: a stellar, all-rounder of a laptop

    Related Posts

    Identities of More Than 80 Americans Stolen for North Korean IT Worker Scams

    July 3, 2025

    A Group of Young Cybercriminals Poses the ‘Most Imminent Threat’ of Cyberattacks Right Now

    July 3, 2025

    How to Protest Safely in the Age of Surveillance

    July 3, 2025

    US Supreme Court Upholds Texas Porn ID Law

    July 3, 2025

    ICE Rolls Facial Recognition Tools Out to Officers’ Phones

    July 3, 2025

    Minnesota Shooting Suspect Allegedly Used Data Broker Sites to Find Targets’ Addresses

    July 2, 2025
    Our Picks

    Laid-off workers should use AI to manage their emotions, says Xbox exec

    July 4, 2025

    Despite Protests, Elon Musk Secures Air Permit for xAI

    July 4, 2025

    This Is Why Tesla’s Robotaxi Launch Needed Human Babysitters

    July 4, 2025

    Fairphone 6 gets a 10/10 on repairability

    July 4, 2025
    • Facebook
    • Twitter
    • Pinterest
    • Instagram
    • YouTube
    • Vimeo
    Don't Miss
    News

    New Galaxy Z Fold 7 leaks may give first real look at Samsung’s slimmer foldable

    By News RoomJuly 4, 2025

    Samsung’s upcoming Galaxy Z Fold 7 has been given the thinner, sleeker glow-up we expected,…

    This is not a tattoo robot

    July 4, 2025

    What Could a Healthy AI Companion Look Like?

    July 4, 2025

    A Former Chocolatier Shares the 7 Kitchen Scales She Recommends

    July 4, 2025
    Facebook X (Twitter) Instagram Pinterest
    • Privacy Policy
    • Terms of use
    • Advertise
    • Contact
    © 2025 Technology Mag. All Rights Reserved.

    Type above and press Enter to search. Press Esc to cancel.