CAPEC-462: Cross-Domain Search Timing

Description

An attacker initiates cross domain HTTP / GET requests and times the server responses. The timing of these responses may leak important information on what is happening on the server. Browser's same origin policy prevents the attacker from directly reading the server responses (in the absence of any other weaknesses), but does not prevent the attacker from timing the responses to requests that the attacker issued cross domain.

Extended Description

For GET requests an attacker could for instance leverage the "img" tag in conjunction with "onload() / onerror()" javascript events. For the POST requests, an attacker could leverage the "iframe" element and leverage the "onload()" event. There is nothing in the current browser security model that prevents an attacker to use these methods to time responses to the attackers' cross domain requests. The timing for these responses leaks information. For instance, if a victim has an active session with their online e-mail account, an attacker could issue search requests in the victim's mailbox. While the attacker is not able to view the responses, based on the timings of the responses, the attacker could ask yes / no questions as to the content of victim's e-mails, who the victim e-mailed, when, etc. This is but one example; There are other scenarios where an attacker could infer potentially sensitive information from cross domain requests by timing the responses while asking the right questions that leak information.

Severity :

Medium

Possibility :

Type :

Detailed

Relationships with other CAPECs

This table shows the other attack patterns and high level categories that are related to this attack pattern.

CAPEC-54: Query System for Information Query System for Information

Prerequisites

This table shows the other attack patterns and high level categories that are related to this attack pattern.

Ability to issue GET / POST requests cross domainJava Script is enabled in the victim's browserThe victim has an active session with the site from which the attacker would like to receive informationThe victim's site does not protect search functionality with cross site request forgery (CSRF) protection

Skills required

This table shows the other attack patterns and high level categories that are related to this attack pattern.

Low Some knowledge of Java Script

Taxonomy mappings

Mappings to ATT&CK, OWASP and other frameworks.

Resources required

Ability to issue GET / POST requests cross domain

Related CWE

A Related Weakness relationship associates a weakness with this attack pattern. Each association implies a weakness that must exist for a given attack to be successful.

CWE-208: Observable Timing Discrepancy

CWE-352: Cross-Site Request Forgery (CSRF)

CWE-385: Covert Timing Channel

Visit http://capec.mitre.org/ for more details.