1. InfoconDB
  2. DEF CON
  3. DEF CON 32 (2024)
  4. Listen to the whispers: web timing attacks that actually work

Listen to the whispers: web timing attacks that actually work

Presented at DEF CON 32 (2024), Aug. 9, 2024, 11:30 a.m. (45 minutes).

Websites are riddled with timing oracles eager to divulge their innermost secrets. It's time we started listening to them. In this session, I'll unleash novel attack concepts to coax out server secrets including masked misconfigurations, blind data-structure injection, hidden routes to forbidden areas, and a vast expanse of invisible attack-surface. This is not a theoretical threat; every technique will be illustrated with multiple real-world case studies on diverse targets. Unprecedented advances have made these attacks both accurate and efficient; in the space of ten seconds you can now reliably detect a sub-millisecond differential with no prior configuration or 'lab conditions' required. In other words, I'm going to share timing attacks you can actually use. To help, I'll equip you with a suite of battle-tested open-source tools enabling both hands-free automated exploitation, and custom attack scripting. I'll also share a little CTF to help you hone your new skillset. Want to take things further? I'll help you transform your own attack ideas from theory to reality, by sharing a methodology refined through testing countless concepts on thousands of websites. We've neglected this omnipresent and incredibly powerful side-channel for too long. - [link](https://www.usenix.org/conference/usenixsecurity20/presentation/van-goethem) - [link](https://portswigger.net/research/smashing-the-state-machine)

Presenters:

  • James Kettle / albinowax - Director of Research at PortSwigger   as James "albinowax" Kettle
    James 'albinowax' Kettle is the Director of Research at PortSwigger, the makers of Burp Suite. He's best known for his HTTP Desync Attacks research, which popularised HTTP Request Smuggling. James has extensive experience cultivating novel attack techniques, including web cache poisoning, browser-powered desync attacks, server-side template injection, and password reset poisoning. James is also the author of multiple popular open-source tools including Param Miner, Turbo Intruder, and HTTP Request Smuggler. He is a frequent speaker at numerous prestigious venues including both Black Hat USA and EU, OWASP AppSec USA and EU, and DEF CON.

Similar Presentations: