Automated Black-Box Detection of Side-Channel Vulnerabilities in Web Applications
Web applications divide their state between the client and the server. The frequent and highly dynamic client-server communication that is characteristic of modern web applications leaves them vulnerable to side-channel leaks, even over encrypted connections. The authors describe a black-box tool for detecting and quantifying the severity of side-channel vulnerabilities by analyzing network traffic over repeated crawls of a web application. By viewing the adversary as a multi-dimensional classifier, they develop a methodology to more thoroughly measure the distinguishability of network traffic for a variety of classification metrics.