Hybrid Timing
October 1, 2020
Hybrid Timing Attacks allow attackers to measure the sum of a group of factors that influence the final timing measurement. These factors include:
- Network delays
- Document parsing
- Retrieval and processing of subresources
- Code execution
The weight of each factor depends on the application: Network Timing can dominate for pages with heavy backend processing, while Execution Timing can dominate for applications that process and display data within the browser. Attackers can also eliminate some of these factors to obtain more precise measurements. For example, an attacker could preload all of the subresources by embedding the page as an iframe (forcing the browser to cache the subresources) and then perform a second measurement, which excludes any delay introduced by the retrieval of those subresources.
Frame Timing Attacks (Hybrid)
If a page does not set Framing Protections, an attacker can obtain a hybrid measurement that considers all of the factors. This attack is similar to a Network-based Attack, but when the resource is retrieved, the page is rendered and executed by the browser (subresources fetched and JavaScript executed). In this scenario, the onload event only triggers once the page fully loads (including subresources and script execution).
```javascript
var iframe = document.createElement('iframe');
// Set the URL of the destination website
iframe.src = "https://example.org";
// Measure the time before the request is initiated
var start = performance.now();
iframe.onload = () => {
  // When the iframe loads, calculate the time difference
  var time = performance.now() - start;
  console.log("The iframe and subresources took %d ms to load.", time);
};
// Appending the iframe starts the navigation; onload fires only after the
// page, its subresources and its scripts have finished loading
document.body.appendChild(iframe);
```
Defense
Attack Alternative | SameSite Cookies (Lax) | COOP | Framing Protections | Isolation Policies |
---|---|---|---|---|
Frame Timing (Hybrid) | ✔️ | ❌ | ✔️ | FIP |
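As an added illustration of the table (example code, not from the XS-Leaks wiki), the following audit reads a response's headers and reports which of the two header-based defenses listed above, Framing Protections and SameSite (Lax/Strict) cookies, the page applies. It assumes header names are lower-cased as Node's http module returns them, and every header value shown is constructed sample input.

```javascript
// Added example: audit a response for the Frame Timing (Hybrid) defenses in the table.
// Header names are assumed lower-case (as Node's http module delivers them).

// Extract the frame-ancestors source list from a CSP header value, or null if absent.
function frameAncestors(csp) {
  if (!csp) return null;
  for (const directive of csp.split(';')) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens[0].toLowerCase() === 'frame-ancestors') return tokens.slice(1);
  }
  return null;
}

// True if the response forbids cross-site pages from framing it
// (X-Frame-Options DENY/SAMEORIGIN, or a CSP frame-ancestors list without wildcards).
function hasFramingProtection(headers) {
  const xfo = (headers['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY' || xfo === 'SAMEORIGIN') return true;
  const sources = frameAncestors(headers['content-security-policy']);
  if (sources === null) return false;
  // '*' or a bare scheme still lets arbitrary sites embed the page.
  return !sources.some((s) => {
    const src = s.toLowerCase();
    return src === '*' || src === 'https:' || src === 'http:';
  });
}

// True if every Set-Cookie header carries SameSite=Lax or SameSite=Strict, so the
// embedded iframe (a cross-site subrequest, not a top-level navigation) loads
// without the victim's session cookies.
function cookiesAreSameSite(setCookie) {
  const cookies = Array.isArray(setCookie) ? setCookie : setCookie ? [setCookie] : [];
  if (cookies.length === 0) return true; // nothing user-specific to leak
  return cookies.every((c) => /;\s*samesite=(lax|strict)\b/i.test(c));
}

// Per the table, either Framing Protections or SameSite cookies mitigate the attack;
// COOP does not, and Isolation Policies are deployment-level, so they are not audited here.
function auditFrameTiming(headers) {
  const framing = hasFramingProtection(headers);
  const sameSite = cookiesAreSameSite(headers['set-cookie']);
  return { framing, sameSite, protected: framing || sameSite };
}

// Constructed sample response: framing blocked, but a SameSite=None session cookie.
const sample = {
  'set-cookie': ['sid=abc123; Secure; HttpOnly; SameSite=None'],
  'x-frame-options': 'sameorigin',
};
console.log(auditFrameTiming(sample));
```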