CAPEC-462

Name

Cross-Domain Search Timing

Typischer Schweregrad

Mittel

Status

Draft

Veröffentlicht

2014-06-23
00h00 +00:00

Geändert

2022-02-22
00h00 +00:00

Offizielle Links

CAPEC Mitre.org

Benachrichtigung für ein CAPEC

Bleiben Sie über alle Änderungen zu einem bestimmten CAPEC informiert.

Benachrichtigungen verwalten

Benutzerdefinierte Benachrichtigungen

Aktivieren Sie Ihre personalisierten Benachrichtigungen!

Um Ihre Benachrichtigungen zu aktivieren, müssen Sie lediglich in Ihrem kostenlosen Konto angemeldet sein. Falls Sie noch nicht angemeldet sind, wählen Sie eine der folgenden Optionen.

In Ihr Konto einloggen Kostenloses Konto erstellen

Benachrichtigung für ein CAPEC

Bleiben Sie über alle Änderungen zu einem bestimmten CAPEC informiert.

Parameter

Sie können einen Titel angeben, der in den gesendeten Benachrichtigungen erscheint.

Geben Sie die CAPEC-ID an, die Sie überwachen möchten.

Planung

Monat

Berechnung des nächsten Ausführungstermins

Tag

Wochentag

Stunde

Minute

Erstellungsdatum

Letzte Ausführung

Nächste Ausführung

CAPEC-Beschreibungen

An attacker initiates cross domain HTTP / GET requests and times the server responses. The timing of these responses may leak important information on what is happening on the server. Browser's same origin policy prevents the attacker from directly reading the server responses (in the absence of any other weaknesses), but does not prevent the attacker from timing the responses to requests that the attacker issued cross domain.

CAPEC-Informationen

Ausführungsablauf

1) Explore

[Determine service to send cross domain requests to] The adversary first determines which service they will be sending the requests to

2) Experiment

[Send and time various cross domain requests] Adversaries will send a variety of cross domain requests to the target, timing the time it takes for the target to respond. Although they won't be able to read the response, the adversary can use the time to infer information about what the service did upon receiving the request.

Technik

Using a GET request, leverage the "img" tag in conjunction with "onload() / onerror()" javascript events to time a response
Using a POST request, leverage the "iframe" element and use the "onload()" event to time a response

3) Exploit

[Infer information from the response time] After obtaining reponse times to various requests, the adversary will compare these times and infer potentially sensitive information. An example of this could be asking a service to retrieve information and random usernames. If one request took longer to process, it is likely that a user with that username exists, which could be useful knowledge to an adversary.

Technik

Compare timing of different requests to infer potentially sensitive information about a target service

Voraussetzungen

Ability to issue GET / POST requests cross domainJava Script is enabled in the victim's browserThe victim has an active session with the site from which the attacker would like to receive informationThe victim's site does not protect search functionality with cross site request forgery (CSRF) protection

Erforderliche Kenntnisse

Some knowledge of Java Script

Erforderliche Ressourcen

Ability to issue GET / POST requests cross domain

Gegenmaßnahmen

Design: The victim's site could protect all potentially sensitive functionality (e.g. search functions) with cross site request forgery (CSRF) protection and not perform any work on behalf of forged requests
Design: The browser's security model could be fixed to not leak timing information for cross domain requests

Referenzen

REF-399

Cross-Domain Search Timing
Chris Evans.
http://scarybeastsecurity.blogspot.com/2009/12/cross-domain-search-timing.html

Einreichung

Name	Organisation	Datum	Veröffentlichungsdatum
CAPEC Content Team	The MITRE Corporation	2014-06-23 +00:00

Änderungen

Name	Organisation	Datum	Kommentar
CAPEC Content Team	The MITRE Corporation	2015-11-09 +00:00	Updated Related_Attack_Patterns
CAPEC Content Team	The MITRE Corporation	2017-01-09 +00:00	Updated Related_Attack_Patterns
CAPEC Content Team	The MITRE Corporation	2020-07-30 +00:00	Updated Consequences
CAPEC Content Team	The MITRE Corporation	2020-12-17 +00:00	Updated Mitigations
CAPEC Content Team	The MITRE Corporation	2021-10-21 +00:00	Updated Execution_Flow
CAPEC Content Team	The MITRE Corporation	2022-02-22 +00:00	Updated Description, Extended_Description

CWE-ID	Name der Schwachstelle
CWE-385	Covert Timing Channel Covert timing channels convey information by modulating some aspect of system behavior over time, so that the program receiving the information can observe system behavior and infer protected information.
CWE-352	Cross-Site Request Forgery (CSRF) The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
CWE-208	Observable Timing Discrepancy Two separate operations in a product require different amounts of time to complete, in a way that is observable to an actor and reveals security-relevant information about the state of the product, such as whether a particular operation was successful or not.

CAPEC-462 Details