Timing Attacks and the Timing-Allow-Origin Header

October 23, 2019
web

I've always found Timing Attacks to be an interesting type of web application vulnerability. You need to understand timing attacks before you can understand how to use the Timing-Allow-Origin http response header.

What is a Timing Attack?

Timing attacks can happen when attackers use timing to ascertain information, or perhaps better put, when performance is a bug!

Here is a common timing attack I see often in real code:

if ( isValidUser(username) ) {
    if ( isValidPassword( username, password ) ) {
        return { authenticated: true }
    }
} 
return { authenticated: false };

In the above case an attacker use the response time to determine what usernames are valid. If an invalid username is passed it fails fast. This works well because isValidPassword is probably doing an expensive operation to compute the entered password's hash, and it will take notable amount of time. By comparing the response time of a valid username and an invalid username the attacker can form a list of valid user names.

Other real world timing attacks have taken place that have allowed attackers to figure out the identity (see Twitter Silhouette Attack). On Facebook, it was possible to create a page that had age restrictions setup such that only a 32 year old could view it, by creating a page for each age, and then requesting each one it was possible for another site to tell how old you are.

Mathias Bynens has a great talk on this subject that will help you further understand this topic.

The Timing-Allow-Origin Header

This is a new header, that according to Can I Use has only been around for about a month (September 2019).

The Timing-Allow-Origin header allows you to specify what origins can view the timing data, it needs to be an exact match, so if you want to share the timing data with https://example.com you can specify:

Timing-Allow-Origin: https://example.com

The spec also allows you to specify a wildcard here:

Timing-Allow-Origin: *

Hopefully you can understand that specifying the * wildcard for the Timing-Allow-Origin is not a good idea, and can open yourself up to cross site timing attacks via the Web Resource Timing API.


Like this? Follow me ↯


This entry was:

Post a Comment




  






Foundeo Inc.