Hybrid Timing

Date: October 1, 2020
Abuse: iframes
Category: Attack
Defenses: Fetch Metadata, SameSite Cookies, COOP

Hybrid Timing Attacks allow attackers to measure the sum of a group of factors that influence the final timing measurement. These factors include:

How much each factor contributes depends on the application: Network Timing tends to dominate for pages with more backend processing, while Execution Timing can be more significant in applications that process and display data within the browser. Attackers can also eliminate some of these factors to obtain more precise measurements. For example, an attacker could preload all of the subresources by embedding the page as an iframe (so that the browser caches them) and then perform a second measurement, which excludes any delay introduced by retrieving those subresources.

Frame Timing Attacks (Hybrid)

If a page does not set Framing Protections, an attacker can embed it in an iframe and obtain a hybrid measurement that includes all of the factors. This attack is similar to a Network-based Attack, but once the resource is retrieved the page is also rendered and executed by the browser (subresources fetched and JavaScript executed). In this scenario, the iframe's onload event only fires once the page has fully loaded, including its subresources and script execution.

var iframe = document.createElement('iframe');
// Set the URL of the destination website
iframe.src = "https://example.org";

// Take the timestamp before the request is initiated: appending the iframe
// to the document is what starts the navigation, so measure first
var start = performance.now();

iframe.onload = () => {
  // When the iframe loads, calculate the time difference
  var time = performance.now() - start;
  console.log("The iframe and subresources took " + time.toFixed(1) + " ms to load.");
};

document.body.appendChild(iframe);

Defense

Attack Alternative    | SameSite Cookies (Lax) | COOP | Framing Protections | Isolation Policies
Frame Timing (Hybrid) | ✔️                     |      | ✔️                  | FIP