[WEB SECURITY] Normalization of page response times to prevent timing attacks in a production environment?

Ryan Barnett rcbarnett at gmail.com
Mon May 5 14:57:44 EDT 2008

Timing attacks such as this (and Blind SQL Injections that use waitfor,
etc...) are certainly interesting research areas especially when
organizations no longer return detailed error message text.

I have used ModSecurity's "pause" action (
on several previous occassions.  Most of my research was based on attempting
to prolong an attackers automated scans.  Sidenote - this was for Government
clients and not any eCommerce sites.  The idea was that they wanted to
conduct tracebacks so they wanted to "keep them on the line" so to speak as
long as possible.

For this type of application of the pause action, I would guess that it
could work to help address this type of enumeration.  If you look at one of
the example graphics they showed (
http://www.sensepost.com/blogstatic/2007/08/dxsrt.png) you can see that in
the scan - the failed attempts returned in 2ms while the successful one took
5ms.  So, as an example, if you were to profile the response times for
failed authentications to your site's login page vs. a successful one, you
could use ModSecurity's pause action to slightly slow down the processing
for the failed auths to match that of your successful one.

Keeping the 2ms for failed and 5ms for successful, then here would be
and example rule to delay the failed auth response for 3ms (which would then
match the time for a successful one) -

 SecRule REQUEST_URI "@streq /path/to/login.php" \
SecRule RESPONSE_BODY "your sign in information is not valid"

Hope this info helps.

Ryan C. Barnett
ModSecurity Community Manager
Breach Security: Director of Application Security
Web Application Security Consortium (WASC) Member
CIS Apache Benchmark Project Lead
Author: Preventing Web Attacks with Apache

On Mon, May 5, 2008 at 2:17 PM, <bugtraq at cgisecurity.net> wrote:

> Hello List,
> Has anyone had any experience with normalizing page response times on
> timing attack vulnerable pages in a production environment?
> If so would you care to share your experiences with the list?
> Background:
> http://www.sensepost.com/blog/1303.html
> Regards,
> - Robert
> http://www.webappsec.org/
> http://www.cgisecurity.com/
> http://www.qasec.com/
> ----------------------------------------------------------------------------
> Join us on IRC: irc.freenode.net #webappsec
> Have a question? Search The Web Security Mailing List Archives:
> http://www.webappsec.org/lists/websecurity/
> Subscribe via RSS:
> http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/attachments/20080505/1247225a/attachment.html>

More information about the websecurity mailing list