Exposing Private Information by Timing Web Applications
Authors:
Andrew Bortz (Stanford University)
Dan Boneh (Stanford University)
Palash Nandy (Stanford University)
Abstract:
We show that the time web sites take to respond to HTTP requests can leak private information, using two different types of attacks. The first directly measures response times from a web site to expose private information such as the validity of a username at a secured site or the number of private photos in a publicly viewable gallery. The second, called cross-site timing, enables a malicious web site to obtain information from the user's perspective at another site. For example, a malicious site can learn whether the user is currently logged in at a victim site and, in some cases, the number of objects in the user's shopping cart. Our experiments suggest that these timing vulnerabilities are widespread. We explain in detail how and why these attacks work, and discuss methods for writing web application code that resists these attacks.
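The first attack in the abstract (learning whether a username is valid from response time) and the kind of mitigation it alludes to can be shown on a login handler. The following is an added example, not code from the paper: a login check that returns early for unknown users does the expensive password hash only when the username exists, so the attacker's measured response time reveals account existence; the hardened version always performs one hash, against a dummy stored hash when the account is absent. The user table, the fixed salt (real deployments use a per-user random salt), the iteration count and the instrumentation counter are constructed for this example.

```python
import hashlib
import hmac
import time

# Constructed user database: one known account with a PBKDF2 password hash.
ITERATIONS = 50_000
SALT = b"constructed-salt"  # fixed here so the example is deterministic; use per-user random salts in practice
USERS = {
    "alice": hashlib.pbkdf2_hmac("sha256", b"correct horse", SALT, ITERATIONS),
}

# A dummy hash in the same format as a real one, so the hardened path can run
# a full PBKDF2 computation and comparison even when the username does not exist.
DUMMY_HASH = hashlib.pbkdf2_hmac("sha256", b"dummy", SALT, ITERATIONS)

hash_calls = 0  # instrumentation: how many expensive hashes one check performed


def _hash(password: str) -> bytes:
    global hash_calls
    hash_calls += 1
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, ITERATIONS)


def check_login_vulnerable(username: str, password: str) -> bool:
    """Returns early for unknown users: the slow hash runs only for valid
    usernames, so the response time tells the client whether the account exists."""
    stored = USERS.get(username)
    if stored is None:
        return False
    return hmac.compare_digest(_hash(password), stored)


def check_login_hardened(username: str, password: str) -> bool:
    """Always runs the slow hash and a constant-time comparison, so the work
    done (and therefore the response time) does not depend on account existence."""
    stored = USERS.get(username)
    exists = stored is not None
    candidate = _hash(password)
    match = hmac.compare_digest(candidate, stored if exists else DUMMY_HASH)
    return exists and match


def hash_calls_for(check, username: str, password: str) -> int:
    """Count the expensive operations one check performs; this is the quantity
    an attacker observes indirectly as response time."""
    global hash_calls
    hash_calls = 0
    check(username, password)
    return hash_calls


def time_check(check, username: str, password: str, rounds: int = 5) -> float:
    """Median wall-clock time of a check in seconds: the attacker's direct measurement."""
    samples = []
    for _ in range(rounds):
        t0 = time.perf_counter()
        check(username, password)
        samples.append(time.perf_counter() - t0)
    samples.sort()
    return samples[len(samples) // 2]


if __name__ == "__main__":
    for name, check in (("vulnerable", check_login_vulnerable), ("hardened", check_login_hardened)):
        t_known = time_check(check, "alice", "wrong password")
        t_unknown = time_check(check, "mallory", "wrong password")
        print(f"{name:10s} known={t_known * 1e3:.1f}ms unknown={t_unknown * 1e3:.1f}ms")
```

Running the script shows a large gap between the known and unknown cases for the vulnerable handler and no systematic gap for the hardened one. Equalising the expensive step is the usual remedy but not a complete one: the dictionary lookup, database round trips and error rendering can still differ by a few microseconds, and the cross-site variant described in the abstract measures the same server behaviour from the victim's browser, so the remaining difference should be checked by measurement rather than assumed away.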
Slot:
Shaughnessy, Friday, May 11, 2007, 3:30pm to 5:00pm.