Listen to the whispers: web timing attacks that actually work
James Kettle, PortSwigger Research

The timing trap

    import time

    def strcmp(s1, s2):
        # Early-exit comparison: one 10 ms sleep per matching leading character,
        # so the time taken reveals how many leading characters were correct.
        # zip() stops at the shorter string, so a short guess acts as a prefix check.
        for c1, c2 in zip(s1, s2):
            if c1 != c2:
                return False
            time.sleep(0.01)
        return True

Does the database contain a password reset token starting with d7e?
(figure, not to scale)

The timing divide
Lab-proven vs. theoretical: 200 µs (0.2 ms, 0.0002 seconds)

The timing divide: making timing attacks that work everywhere

Outline
- Making timing attacks that work everywhere
- Listening to whispers: hidden attack-surface, server-side injection, reverse proxy misconfigurations
- Defense / Takeaways / Questions
PortSwigger/param-miner

Making timing attacks that work everywhere
The equation for timing attack success

Making timing attacks local
Timeless Timing Attacks (2020)
The sticky ordering problem
Solution #1: resynchronize with dummy parameters on first request
- Requires per-target configuration
- Fails outright on some targets
- Amplifies internal noise
Verdict: X

Making timing attacks universal: single-packet attack
SPA v1 (2023); SPA v2
(figure: "Some servers start processing here")

Enhancing the single-packet attack
- disable TCP_NODELAY
- send a ping frame
- for each request with no body: send the headers; withhold an empty data frame
- for each request with a body: send the headers and the body except the final byte; withhold a data frame containing the final byte
- wait for 100 ms
- send a ping frame
- send the final frames
Burp Suite Pro/Community
(figure: enhancement on nginx)

Making timing attacks feasible
Amplify the signal: longest split code path; think DoS
    GET / HTTP/1.1
    X-U: a   (×255)
    X-U256: a
Minimize noise: embrace performance features; shortest shared code path
    GET / HTTP/1.1
    Cookie: sid=d83a
    DNT: 1
    (Remove / Add)
256 times easier to detect

Hidden attack-surface
Does the application support a query parameter called exec?
Guess params
Discovery overload
Payload          | Response         | Response time
foo:x            | HTTP/1.1 200 OK  | 50ms
commonconfig:x   | HTTP/1.1 200 OK  | 55
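As an added example (not from the slides), the timing-trap strcmp from the opening slide is measured against a constant-time comparison, to show what the per-character sleep leaks and why a comparison that does not exit early removes the signal; SECRET and the candidate guesses are constructed sample values.

```python
import hmac
import time

# Constructed sample secret standing in for the reset token on the slide.
SECRET = "d7e9"


def strcmp_leaky(s1, s2):
    # The slide's early-exit compare: one 10 ms sleep per matching leading
    # character, so total time reveals how long the correct prefix is.
    # zip() stops at the shorter string, so a short guess acts as a prefix check.
    for c1, c2 in zip(s1, s2):
        if c1 != c2:
            return False
        time.sleep(0.01)
    return True


def strcmp_constant_time(s1, s2):
    # hmac.compare_digest examines every byte regardless of where the inputs
    # differ, so its duration does not depend on the matching-prefix length.
    return hmac.compare_digest(s1.encode(), s2.encode())


def time_guess(compare, guess, secret=SECRET):
    # Wall-clock duration of a single comparison, in seconds.
    t0 = time.perf_counter()
    compare(secret, guess)
    return time.perf_counter() - t0


def slowest_guess(compare, guesses, secret=SECRET):
    # The attacker's view: with the leaky compare, the candidate that kept the
    # comparison busy longest shares the longest prefix with the secret.
    return max(guesses, key=lambda g: time_guess(compare, g, secret))


def matching_prefix_len(guess, secret=SECRET):
    # Ground truth used to check what the timing signal actually reveals.
    n = 0
    for c1, c2 in zip(guess, secret):
        if c1 != c2:
            break
        n += 1
    return n


if __name__ == "__main__":
    guesses = ["a000", "d000", "d700", "d7e0"]
    for name, fn in [("leaky", strcmp_leaky), ("constant-time", strcmp_constant_time)]:
        print(name, {g: round(time_guess(fn, g) * 1000, 2) for g in guesses})
```

With the leaky compare the printed times step up by roughly 10 ms per correct leading character, a signal thousands of times wider than the 200 µs lab-proven divide the talk is concerned with; the constant-time compare shows no such step.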