GITBOOK-4383: No subject
carlospolop authored and gitbook-bot committed Aug 19, 2024
1 parent c6ecbdb commit 144069a
Showing 2 changed files with 68 additions and 1 deletion.
3 changes: 2 additions & 1 deletion SUMMARY.md
@@ -611,6 +611,7 @@
* [Registration & Takeover Vulnerabilities](pentesting-web/registration-vulnerabilities.md)
* [Regular expression Denial of Service - ReDoS](pentesting-web/regular-expression-denial-of-service-redos.md)
* [Reset/Forgotten Password Bypass](pentesting-web/reset-password.md)
* [Reverse Tab Nabbing](pentesting-web/reverse-tab-nabbing.md)
* [SAML Attacks](pentesting-web/saml-attacks/README.md)
* [SAML Basics](pentesting-web/saml-attacks/saml-basics.md)
* [Server Side Inclusion/Edge Side Inclusion Injection](pentesting-web/server-side-inclusion-edge-side-inclusion-injection.md)
@@ -637,7 +638,7 @@
* [SSTI (Server Side Template Injection)](pentesting-web/ssti-server-side-template-injection/README.md)
* [EL - Expression Language](pentesting-web/ssti-server-side-template-injection/el-expression-language.md)
* [Jinja2 SSTI](pentesting-web/ssti-server-side-template-injection/jinja2-ssti.md)
* [Reverse Tab Nabbing](pentesting-web/reverse-tab-nabbing.md)
* [Timing Attacks](pentesting-web/timing-attacks.md)
* [Unicode Injection](pentesting-web/unicode-injection/README.md)
* [Unicode Normalization](pentesting-web/unicode-injection/unicode-normalization.md)
* [UUID Insecurities](pentesting-web/uuid-insecurities.md)
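Review bot: this hunk removes the "Reverse Tab Nabbing" entry that the previous hunk re-inserts between "Reset/Forgotten Password Bypass" and "SAML Attacks", so the two hunks only make sense together and must land in the same commit; the new top-level "Timing Attacks" entry is correctly placed after the indented SSTI sub-pages and before "Unicode Injection", which keeps the list alphabetical. Confirm that `pentesting-web/timing-attacks.md` is the exact path of the new file added in this commit (it is) so the summary link does not 404 in the rendered book.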
66 changes: 66 additions & 0 deletions pentesting-web/timing-attacks.md
@@ -0,0 +1,66 @@
# Timing Attacks

{% hint style="success" %}
Learn & practice AWS Hacking:<img src="../.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="../.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Support HackTricks</summary>

* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>
{% endhint %}

{% hint style="warning" %}
For obtaining a deep understanding of this technique check the original report from [https://portswigger.net/research/listen-to-the-whispers-web-timing-attacks-that-actually-work](https://portswigger.net/research/listen-to-the-whispers-web-timing-attacks-that-actually-work)
{% endhint %}

## Basic Information

The basic goal of a timing attack is basically to be able to answer complicated questions or detect hidden functionalities by just **checking the time differences in the responses from similar requests**.

Traditionally this has been very complicated because the latency an jitter introduced by both the network and the server. However, since the discovery and improvement of the [**Race Condition Single Packet attack**](race-condition.md#http-2-single-packet-attack-vs.-http-1.1-last-byte-synchronization), it's possible to use this technique to remove all network delays noised from the equation.\
Leaving only the **server delays** make timing attack easier to discover and abuse.

## Discoveries

### Hidden Attack Surface

In the blog post is commented how using this technique it was possible to find hidden parameters and even headers just checking that whenever the param or header was present in the request there was a **time difference of about 5ms**. Actually, this discovery technique has been adde to **Param Miner** in Burp Suite.

These time differences might because a **DNS request** was performed, some **log was written** because an invalid input or because some **checks are performed** when a parameter is present int he request.

Something you need to remember when performing this kind of attacks is that because of the hidden nature of the surface, you might not know what is the actual real cause of the time differences.

### Reverse Proxy Misconfigurations

In the same research, it was shared that the timing technique was great to discover "scoped SSRFs" (which are SSRFs that can only access to allowed IP/domains). Just **checking the time difference when an allowed domain is set** versus when a not allowed domain is set helps to discover open proxies even if the response is the same.

Once an scoped open proxy is discovered, it was possible to find valid targets by parsing known subdomains of the target and this allowed to:

* **Bypass firewalls** by accessing restricted subdomains via the open proxy instead of through internet
* Checking subdomains it was even possible to discover and access internal subdomains not publicly known
* **Front-End impersonation attacks**: Front-end servers normally add headers for the backend. In open proxies, if you are able to find these headers (which you might be able to do using Timing attacks again), you will be able to set these headers and gather further access.

## References

* [https://portswigger.net/research/listen-to-the-whispers-web-timing-attacks-that-actually-work](https://portswigger.net/research/listen-to-the-whispers-web-timing-attacks-that-actually-work)

{% hint style="success" %}
Learn & practice AWS Hacking:<img src="../.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="../.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Support HackTricks</summary>

* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>
{% endhint %}
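Review bot: the "Basic Information" paragraph overstates what the single-packet technique buys: it removes the network jitter between requests sent in the same packet, not "all network delays", so suggest rewording "it's possible to use this technique to remove all network delays noised from the equation" to "it's possible to use this technique to remove network jitter from the comparison, leaving only the server-side delays", and fix the next sentence to "Leaving only the **server delays** makes timing attacks easier to discover and abuse." The same hunk carries several typos that should be corrected before merge: "the latency an jitter introduced" (and), "has been adde to" (added), "present int he request" (in the), "Once an scoped open proxy" (a scoped), and "These time differences might because a **DNS request**" is missing its verb ("might be because"). The "Reverse Proxy Misconfigurations" section explains how front-end-added headers can be found and set through a scoped open proxy but gives the reader nothing on the defending side; a one-line note that the edge should strip client-supplied copies of the headers it adds itself, and that the proxy allow-list should be enforced before any upstream connection is attempted, would make the page actionable for both audiences.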

0 comments on commit 144069a
