> For the complete documentation index, see [llms.txt](https://heinosass.gitbook.io/leet-sheet/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://heinosass.gitbook.io/leet-sheet/web-app-hacking/server-attacks/timing-based-side-channel-attacks.md). # Timing-Based Side-Channel Attacks If a correct password/cookie/token/whatever takes longer to process than an incorrect one, then you can infer the correctness of the token based on the time it takes to get a reply from the server. For example, this can happen if the auth cookie is checked with a for-loop for whatever reason. [Web Timing Attacks made practical](https://www.youtube.com/watch?v=KirTCSAvt9M): * Look at data at the network layer (tcp data packets, don’t measure handshakes) * To determine a if there’s a timing attack, send two requests at the same time - a correct one and an incorrect one. If there’s a time difference, then there’s probably a timing attack * You can do statistics based on those request pairs. You can use a Kalman filter and L-estimators to filter out noise and get a better estimate. * Nanown is a tool that automates this \ [You can also put javascript on your page that makes conclusions based on the size of returned resources](https://tom.vg/2016/08/browser-based-timing-attacks/). For example a social network with users on the “light side” and “dark side”. If you make a GET request (through img tag) to socialnetwork.com/darkside and the returned resource size is large, then the request went though and he’s on the dark side. If the resource size is small, then he’s on the light side. The way you measure resource size is by the time it takes to process it client-side (after it’s been downloaded). But this can mostly just be used for making conclusions, not any real exploitation. --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter: ``` GET https://heinosass.gitbook.io/leet-sheet/web-app-hacking/server-attacks/timing-based-side-channel-attacks.md?ask=&goal= ``` `ask` is the immediate question: it should be specific, self-contained, and written in natural language. `goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.