From 144069a83ce36a9dcb20afca0c648b05174b0d4a Mon Sep 17 00:00:00 2001 From: CPol Date: Mon, 19 Aug 2024 12:40:04 +0000 Subject: [PATCH] GITBOOK-4383: No subject --- SUMMARY.md | 3 +- pentesting-web/timing-attacks.md | 66 ++++++++++++++++++++++++++++++++ 2 files changed, 68 insertions(+), 1 deletion(-) create mode 100644 pentesting-web/timing-attacks.md diff --git a/SUMMARY.md b/SUMMARY.md index b26e5d20025..9ae9983a4cf 100644 --- a/SUMMARY.md +++ b/SUMMARY.md @@ -611,6 +611,7 @@ * [Registration & Takeover Vulnerabilities](pentesting-web/registration-vulnerabilities.md) * [Regular expression Denial of Service - ReDoS](pentesting-web/regular-expression-denial-of-service-redos.md) * [Reset/Forgotten Password Bypass](pentesting-web/reset-password.md) +* [Reverse Tab Nabbing](pentesting-web/reverse-tab-nabbing.md) * [SAML Attacks](pentesting-web/saml-attacks/README.md) * [SAML Basics](pentesting-web/saml-attacks/saml-basics.md) * [Server Side Inclusion/Edge Side Inclusion Injection](pentesting-web/server-side-inclusion-edge-side-inclusion-injection.md) @@ -637,7 +638,7 @@ * [SSTI (Server Side Template Injection)](pentesting-web/ssti-server-side-template-injection/README.md) * [EL - Expression Language](pentesting-web/ssti-server-side-template-injection/el-expression-language.md) * [Jinja2 SSTI](pentesting-web/ssti-server-side-template-injection/jinja2-ssti.md) -* [Reverse Tab Nabbing](pentesting-web/reverse-tab-nabbing.md) +* [Timing Attacks](pentesting-web/timing-attacks.md) * [Unicode Injection](pentesting-web/unicode-injection/README.md) * [Unicode Normalization](pentesting-web/unicode-injection/unicode-normalization.md) * [UUID Insecurities](pentesting-web/uuid-insecurities.md) diff --git a/pentesting-web/timing-attacks.md b/pentesting-web/timing-attacks.md new file mode 100644 index 00000000000..3ca8daa11de --- /dev/null +++ b/pentesting-web/timing-attacks.md 
@@ -0,0 +1,66 @@ +# Timing Attacks + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +{% hint style="warning" %} +For obtaining a deep understanding of this technique check the original report from [https://portswigger.net/research/listen-to-the-whispers-web-timing-attacks-that-actually-work](https://portswigger.net/research/listen-to-the-whispers-web-timing-attacks-that-actually-work) +{% endhint %} + +## Basic Information + +The basic goal of a timing attack is basically to be able to answer complicated questions or detect hidden functionalities by just **checking the time differences in the responses from similar requests**. + +Traditionally this has been very complicated because the latency an jitter introduced by both the network and the server. However, since the discovery and improvement of the [**Race Condition Single Packet attack**](race-condition.md#http-2-single-packet-attack-vs.-http-1.1-last-byte-synchronization), it's possible to use this technique to remove all network delays noised from the equation.\ +Leaving only the **server delays** make timing attack easier to discover and abuse. + +## Discoveries + +### Hidden Attack Surface + +In the blog post is commented how using this technique it was possible to find hidden parameters and even headers just checking that whenever the param or header was present in the request there was a **time difference of about 5ms**. Actually, this discovery technique has been adde to **Param Miner** in Burp Suite. + +These time differences might because a **DNS request** was performed, some **log was written** because an invalid input or because some **checks are performed** when a parameter is present int he request. + +Something you need to remember when performing this kind of attacks is that because of the hidden nature of the surface, you might not know what is the actual real cause of the time differences. 
+ +### Reverse Proxy Misconfigurations + +In the same research, it was shared that the timing technique was great to discover "scoped SSRFs" (which are SSRFs that can only access to allowed IP/domains). Just **checking the time difference when an allowed domain is set** versus when a not allowed domain is set helps to discover open proxies even if the response is the same. + +Once an scoped open proxy is discovered, it was possible to find valid targets by parsing known subdomains of the target and this allowed to: + +* **Bypass firewalls** by accessing restricted subdomains via the open proxy instead of through internet + * Checking subdomains it was even possible to discover and access internal subdomains not publicly known +* **Front-End impersonation attacks**: Front-end servers normally add headers for the backend. In open proxies, if you are able to find these headers (which you might be able to do using Timing attacks again), you will be able to set these headers and gather further access. + +## References + +* [https://portswigger.net/research/listen-to-the-whispers-web-timing-attacks-that-actually-work](https://portswigger.net/research/listen-to-the-whispers-web-timing-attacks-that-actually-work) + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %}
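Review bot: the `-* [Reverse Tab Nabbing]` / `+* [Timing Attacks]` hunk in SUMMARY.md mixes two unrelated index changes, moving the existing Reverse Tab Nabbing entry (re-added by the earlier hunk at its alphabetical place after Reset/Forgotten Password Bypass) and registering the new Timing Attacks page; either split them or state both in the commit subject, which currently reads "No subject" and describes neither. The position of the new entry between `Jinja2 SSTI` and `Unicode Injection` does match the alphabetical order of the top-level entries, so no change is needed there.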
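Review bot: in the Basic Information paragraph of the new timing-attacks.md, "remove all network delays noised from the equation" overstates what the single-packet technique gives; it puts the two requests in one TCP packet so they share the same path and jitter and can be compared against each other, i.e. it yields a relative measurement of server processing time, and server-side noise remains, so the text should say that repeated samples and a comparison between the two requests are still needed rather than that network delay is gone. The same hunk has several typos worth fixing before merge: "the latency an jitter" should read "the latency and jitter", "has been adde to" should be "has been added to", "present int he request" should be "present in the request", "might because a DNS request" should be "might be because a DNS request", "because an invalid input" should be "because of an invalid input", "Once an scoped open proxy" should be "Once a scoped open proxy", and "make timing attack easier" should be "makes timing attacks easier". The "Reverse Proxy Misconfigurations" section uses "scoped SSRF" and "open proxy" for the same finding; pick one term, or say once that the finding is a reverse proxy that forwards to a restricted set of hosts and is detected by the timing difference between an allowed and a disallowed destination. The "about 5ms" figure in Hidden Attack Surface should be attributed to the linked report rather than stated as a general rule, and the relative link `race-condition.md#http-2-single-packet-attack-vs.-http-1.1-last-byte-synchronization` should be checked against the rendered anchor on that page, since the dots in the heading may not survive GitBook's slug generation.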