web application security lab

Timing Attacks in JavaScript

This has been talked about a number of times before - detecting time variances using server side programs to detect the various states of a user. Well I decided to write a proof of concept that shows that you can detect the user click here to see a small webpage and a fast webpage. (It’s more visible in Firefox but does work in both IE and Firefox). With this you could detect when users are logged in or not, or other states of a webpage depending on what the user sees (assuming the page is appreciably larger or smaller in the various states).

I asked around and couldn’t find anyone who said this was a complete re-hash of something someone had already talked about (the closest thing I could think of was using HTML to port scan, although this uses JavaScript so it’s not the same). Anyway, I just thought I’d throw it up as a proof of concept. Don’t bother posting about network lag discrepancies. I understand and agree with the nay-sayers but nevertheless it does seem to work.
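To put numbers on the network-lag objection, here is an added example (not the proof of concept from this post) that a site owner could use to estimate whether two states of a page are far enough apart in size to be told apart by load time. The latency, bandwidth and jitter figures and all function names are assumptions made for the illustration.

```javascript
// Constructed model: load time = base latency + bytes / bandwidth + jitter.
// Every number here is a made-up sample value, not a measurement.
function lcg(seed) { // small deterministic PRNG so every run gives the same result
  let s = seed >>> 0;
  return () => (s = (Math.imul(s, 1664525) + 1013904223) >>> 0) / 2 ** 32;
}

function simulateLoads(bytes, n, rand, { baseMs = 80, bytesPerMs = 500, jitterMs = 60 } = {}) {
  const out = [];
  for (let i = 0; i < n; i++) out.push(baseMs + bytes / bytesPerMs + rand() * jitterMs);
  return out;
}

// Mann-Whitney AUC: probability that a random sample from b is larger than
// a random sample from a (ties count half). 0.5 means a timing observer
// learns nothing; 1.0 or 0.0 means a single measurement separates the states.
function auc(a, b) {
  let wins = 0;
  for (const x of a) for (const y of b) wins += y > x ? 1 : y === x ? 0.5 : 0;
  return wins / (a.length * b.length);
}

// Compare the logged-out and logged-in sizes of one page under the model.
function leakReport(loggedOutBytes, loggedInBytes, n = 200, seed = 1) {
  const rand = lcg(seed);
  const outMs = simulateLoads(loggedOutBytes, n, rand);
  const inMs = simulateLoads(loggedInBytes, n, rand);
  const score = auc(outMs, inMs);
  return { score, separable: Math.abs(score - 0.5) > 0.4 };
}

// 500 bytes of difference drowns in 60 ms of jitter; 100 KB does not.
console.log(leakReport(20000, 20500));
console.log(leakReport(20000, 120000));
```

Under this model the practical mitigation is to keep the response size of a URL roughly the same whether or not the visitor is logged in.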

4 Responses to “Timing Attacks in JavaScript”

  1. dusoft Says:

    very interesting idea!

  2. kuza55 Says:

    Another variant of the same idea (timing attacks) has been covered here: http://wasjournal.blogspot.com/2006/12/use-of-time-delay-technique-for.html

    It’s a nice idea, but I wouldn’t rely on it simply because unless it’s something with a BIG difference you’ve got too much chance for error.

    Nonetheless it’s fun to work with, so I say keep playing with it, :)

  3. Kyran Says:

    http://nontroppo.org/test/Op7/loadtime.html

    As explained there, these sorts of things have little to no use in Opera.

    While the Orkut variant is possible, it’s quite easy to turn iframes off in Opera. :P

    [/zealotry]

  4. Jungsonn Says:

    Yeah it’s actually traffic analysis, not as widely investigated in websec as I previously thought. Timing techniques can tell a lot.