Connection Pool
October 1, 2020
Abuse: Connection Pool, Browser Limits
Category: Attack
Defenses: Fetch Metadata, SameSite Cookies
Another way to measure the network timing of a request consists of abusing the socket pool of a browser [1]. Browsers use sockets to communicate with servers. As the operating system and the hardware it runs on have limited resources, browsers have to impose a limit.

To exploit the existence of this limit, attackers can:

1. Check what the limit of the browser is, for example 256 global sockets.
2. Block \(255\) sockets for a long period of time by performing \(255\) requests to different hosts that simply hang the connection.
3. Use the \(256^{\text{th}}\) socket by performing a request to the target page.

...
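On the defensive side, the request to the target page in the last step is issued cross-site, which a server can recognise from the Fetch Metadata headers listed under Defenses above. The sketch below is an added example, not code from the original page: the function names and sample requests are constructed, and only the `Sec-Fetch-Site`, `Sec-Fetch-Mode` and `Sec-Fetch-Dest` header names are standard.

```javascript
// Added example: Fetch Metadata resource isolation check (names are hypothetical).
// Lower-case header names, as Node's http module does for incoming requests.
function normalise(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers)) out[k.toLowerCase()] = v;
  return out;
}

// True if the request may reach handlers whose work depends on user state.
function isAllowed(method, rawHeaders) {
  const h = normalise(rawHeaders);
  const site = h['sec-fetch-site'];
  if (site === undefined) return true; // browser sends no Fetch Metadata: fail open
  if (['same-origin', 'same-site', 'none'].includes(site)) return true;
  // Cross-site: only plain top-level GET navigations pass, so inbound links work.
  // Cookies marked SameSite=Strict are not attached to those navigations.
  return method === 'GET' &&
    h['sec-fetch-mode'] === 'navigate' &&
    h['sec-fetch-dest'] === 'document';
}

// Refuse before any state-dependent work runs, so the refusal does the same
// work for every user.
function handle(req, stateDependentWork) {
  if (!isAllowed(req.method, req.headers)) {
    return { status: 403, body: '', ranHandler: false };
  }
  return { status: 200, body: stateDependentWork(req), ranHandler: true };
}

// Constructed sample requests (not captured traffic).
const fm = (site, mode, dest) =>
  ({ 'Sec-Fetch-Site': site, 'Sec-Fetch-Mode': mode, 'Sec-Fetch-Dest': dest });
const SAMPLES = {
  crossSiteFetch: { method: 'GET', headers: fm('cross-site', 'no-cors', 'empty') },
  crossSiteFrame: { method: 'GET', headers: fm('cross-site', 'navigate', 'iframe') },
  crossSiteLink: { method: 'GET', headers: fm('cross-site', 'navigate', 'document') },
  sameOriginPost: { method: 'POST', headers: fm('same-origin', 'cors', 'empty') },
  legacyBrowser: { method: 'GET', headers: {} },
};

function runSamples() {
  const result = {};
  for (const [name, req] of Object.entries(SAMPLES)) {
    result[name] = handle(req, () => 'page for the logged-in user');
  }
  return result;
}

console.log(runSamples());
```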