Proceedings of the 7th ACM conference on Computer and communications security
Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems
CRYPTO '96 Proceedings of the 16th Annual International Cryptology Conference on Advances in Cryptology
Testing network-based intrusion detection signatures using mutant exploits
Proceedings of the 11th ACM conference on Computer and communications security
Exposing private information by timing web applications
Proceedings of the 16th international conference on World Wide Web
Denial of service via algorithmic complexity attacks
SSYM'03 Proceedings of the 12th conference on USENIX Security Symposium - Volume 12
An Independent Evaluation of Web Timing Attack and its Countermeasure
ARES '08 Proceedings of the 2008 Third International Conference on Availability, Reliability and Security
Opportunities and Limits of Remote Timing Attacks
ACM Transactions on Information and System Security (TISSEC)
Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning
Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning
Remote timing attacks are practical
Computer Networks: The International Journal of Computer and Telecommunications Networking - Web security
| Hi-index | 0.00 |
Web Application Firewalls (WAFs) are used to detect and block attacks against vulnerable web applications. They distinguish benign requests from rogue requests using a set of filter rules. We present a new timing side channel attack that an attacker can use to remotely distinguish passed requests from requests that the WAF blocked. The attack works also for transparent WAFs that do not leave any trace in responses. The attacker can either conduct our attack directly or indirectly by using Cross Site Request Forgeries (CSRF). The latter allows the attacker to get the results of the attack while hiding his identity and to circumvent any practical brute-force prevention mechanism in the WAF. By learning which requests the WAF blocks and which it passes to the application, the attacker can craft targeted attacks that use any existing loopholes in the WAF's filter rule set. We implemented this attack in the WAFFle tool and ran tests over the Internet against ModSecurity and PHPIDS. The results show that WAFFle correctly distinguished passed requests from blocked requests in more than 95% of all requests just by measuring a single request.