
Listen to the whispers: web timing attacks that work


Websites are riddled with timing oracles eager to divulge their innermost secrets. It's time we started listening to them.

In this paper, I'll unleash novel attack concepts to coax out server secrets including masked misconfigurations, blind data-structure injection, hidden routes to forbidden areas, and a vast expanse of invisible attack-surface. I could have made Param Miner use the single-packet attack for these measurements, but this would have involved significant refactoring and, when researching unproven concepts, I take every possible shortcut to avoid wasting time, so I didn't bother. To avoid being misled by false assumptions, I decided to focus on specific parameters that provide a clear security impact without any time-consuming manual investigation and a straightforward way to gather additional corroborating evidence.
