mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-21 20:23:18 +00:00
GITBOOK-4383: No subject
This commit is contained in:
parent
c6ecbdb0dd
commit
144069a83c
2 changed files with 68 additions and 1 deletions
|
@ -611,6 +611,7 @@
|
||||||
* [Registration & Takeover Vulnerabilities](pentesting-web/registration-vulnerabilities.md)
|
* [Registration & Takeover Vulnerabilities](pentesting-web/registration-vulnerabilities.md)
|
||||||
* [Regular expression Denial of Service - ReDoS](pentesting-web/regular-expression-denial-of-service-redos.md)
|
* [Regular expression Denial of Service - ReDoS](pentesting-web/regular-expression-denial-of-service-redos.md)
|
||||||
* [Reset/Forgotten Password Bypass](pentesting-web/reset-password.md)
|
* [Reset/Forgotten Password Bypass](pentesting-web/reset-password.md)
|
||||||
|
* [Reverse Tab Nabbing](pentesting-web/reverse-tab-nabbing.md)
|
||||||
* [SAML Attacks](pentesting-web/saml-attacks/README.md)
|
* [SAML Attacks](pentesting-web/saml-attacks/README.md)
|
||||||
* [SAML Basics](pentesting-web/saml-attacks/saml-basics.md)
|
* [SAML Basics](pentesting-web/saml-attacks/saml-basics.md)
|
||||||
* [Server Side Inclusion/Edge Side Inclusion Injection](pentesting-web/server-side-inclusion-edge-side-inclusion-injection.md)
|
* [Server Side Inclusion/Edge Side Inclusion Injection](pentesting-web/server-side-inclusion-edge-side-inclusion-injection.md)
|
||||||
|
@ -637,7 +638,7 @@
|
||||||
* [SSTI (Server Side Template Injection)](pentesting-web/ssti-server-side-template-injection/README.md)
|
* [SSTI (Server Side Template Injection)](pentesting-web/ssti-server-side-template-injection/README.md)
|
||||||
* [EL - Expression Language](pentesting-web/ssti-server-side-template-injection/el-expression-language.md)
|
* [EL - Expression Language](pentesting-web/ssti-server-side-template-injection/el-expression-language.md)
|
||||||
* [Jinja2 SSTI](pentesting-web/ssti-server-side-template-injection/jinja2-ssti.md)
|
* [Jinja2 SSTI](pentesting-web/ssti-server-side-template-injection/jinja2-ssti.md)
|
||||||
* [Reverse Tab Nabbing](pentesting-web/reverse-tab-nabbing.md)
|
* [Timing Attacks](pentesting-web/timing-attacks.md)
|
||||||
* [Unicode Injection](pentesting-web/unicode-injection/README.md)
|
* [Unicode Injection](pentesting-web/unicode-injection/README.md)
|
||||||
* [Unicode Normalization](pentesting-web/unicode-injection/unicode-normalization.md)
|
* [Unicode Normalization](pentesting-web/unicode-injection/unicode-normalization.md)
|
||||||
* [UUID Insecurities](pentesting-web/uuid-insecurities.md)
|
* [UUID Insecurities](pentesting-web/uuid-insecurities.md)
|
||||||
|
|
66
pentesting-web/timing-attacks.md
Normal file
66
pentesting-web/timing-attacks.md
Normal file
|
@ -0,0 +1,66 @@
|
||||||
|
# Timing Attacks
|
||||||
|
|
||||||
|
{% hint style="success" %}
|
||||||
|
Learn & practice AWS Hacking:<img src="../.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../.gitbook/assets/arte.png" alt="" data-size="line">\
|
||||||
|
Learn & practice GCP Hacking: <img src="../.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
||||||
|
|
||||||
|
<details>
|
||||||
|
|
||||||
|
<summary>Support HackTricks</summary>
|
||||||
|
|
||||||
|
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
|
||||||
|
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
|
||||||
|
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||||
|
|
||||||
|
</details>
|
||||||
|
{% endhint %}
|
||||||
|
|
||||||
|
{% hint style="warning" %}
|
||||||
|
For obtaining a deep understanding of this technique check the original report from [https://portswigger.net/research/listen-to-the-whispers-web-timing-attacks-that-actually-work](https://portswigger.net/research/listen-to-the-whispers-web-timing-attacks-that-actually-work)
|
||||||
|
{% endhint %}
|
||||||
|
|
||||||
|
## Basic Information
|
||||||
|
|
||||||
|
The basic goal of a timing attack is basically to be able to answer complicated questions or detect hidden functionalities by just **checking the time differences in the responses from similar requests**.
|
||||||
|
|
||||||
|
Traditionally this has been very complicated because the latency an jitter introduced by both the network and the server. However, since the discovery and improvement of the [**Race Condition Single Packet attack**](race-condition.md#http-2-single-packet-attack-vs.-http-1.1-last-byte-synchronization), it's possible to use this technique to remove all network delays noised from the equation.\
|
||||||
|
Leaving only the **server delays** make timing attack easier to discover and abuse.
|
||||||
|
|
||||||
|
## Discoveries
|
||||||
|
|
||||||
|
### Hidden Attack Surface
|
||||||
|
|
||||||
|
In the blog post is commented how using this technique it was possible to find hidden parameters and even headers just checking that whenever the param or header was present in the request there was a **time difference of about 5ms**. Actually, this discovery technique has been adde to **Param Miner** in Burp Suite.
|
||||||
|
|
||||||
|
These time differences might because a **DNS request** was performed, some **log was written** because an invalid input or because some **checks are performed** when a parameter is present int he request.
|
||||||
|
|
||||||
|
Something you need to remember when performing this kind of attacks is that because of the hidden nature of the surface, you might not know what is the actual real cause of the time differences.
|
||||||
|
|
||||||
|
### Reverse Proxy Misconfigurations
|
||||||
|
|
||||||
|
In the same research, it was shared that the timing technique was great to discover "scoped SSRFs" (which are SSRFs that can only access to allowed IP/domains). Just **checking the time difference when an allowed domain is set** versus when a not allowed domain is set helps to discover open proxies even if the response is the same.
|
||||||
|
|
||||||
|
Once an scoped open proxy is discovered, it was possible to find valid targets by parsing known subdomains of the target and this allowed to:
|
||||||
|
|
||||||
|
* **Bypass firewalls** by accessing restricted subdomains via the open proxy instead of through internet
|
||||||
|
* Checking subdomains it was even possible to discover and access internal subdomains not publicly known
|
||||||
|
* **Front-End impersonation attacks**: Front-end servers normally add headers for the backend. In open proxies, if you are able to find these headers (which you might be able to do using Timing attacks again), you will be able to set these headers and gather further access.
|
||||||
|
|
||||||
|
## References
|
||||||
|
|
||||||
|
* [https://portswigger.net/research/listen-to-the-whispers-web-timing-attacks-that-actually-work](https://portswigger.net/research/listen-to-the-whispers-web-timing-attacks-that-actually-work)
|
||||||
|
|
||||||
|
{% hint style="success" %}
|
||||||
|
Learn & practice AWS Hacking:<img src="../.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../.gitbook/assets/arte.png" alt="" data-size="line">\
|
||||||
|
Learn & practice GCP Hacking: <img src="../.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
||||||
|
|
||||||
|
<details>
|
||||||
|
|
||||||
|
<summary>Support HackTricks</summary>
|
||||||
|
|
||||||
|
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
|
||||||
|
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
|
||||||
|
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||||
|
|
||||||
|
</details>
|
||||||
|
{% endhint %}
|
Loading…
Reference in a new issue