It's All About The Timing presented at Black Hat USA 2007

by Marco Slaviero

Tags: Security Web Firewall Malware

Summary: Timing attacks have been exploited in
the wild for ages. In recent times timing attacks have largely been
relegated to use only by cryptographers and cryptanalysts. In this
presentation SensePost analysts will show that timing attacks are still
very much alive and kicking on the Internet and fairly prevalent in web
applications (if only we were looking for them). The talk will cover
SensePost-aTime (our new SQL Injection tool that operates purely on
timing differences to extract data from injectable sites behind
draconian firewall rulesets), our new generic (timing aware) web
brute-forcer and lots of new twists on old favorites. We will discuss
the implications of timing on current JavaScript malware, discussing XSRT
(Cross Site Request Timing) (because we can never have too many
acronyms!) and will demonstrate how reasonably effective this is against
the "Same Origin Policy".