Securing Timeout Instructions in Web Applications


Executive Summary

Timeout mechanisms are a useful feature of web applications. They must be used with care, however, because, used as-is, they are vulnerable to timing attacks. This paper focuses on internal timing attacks, a particularly dangerous class of timing attacks in which the attacker needs no access to a clock: the secret leaks through the order in which scheduled events are observed to run, rather than through measured elapsed time. In the context of client-side web application security, the authors present JavaScript-based exploits against the timeout mechanism of the DOM (Document Object Model) supported by modern browsers. Their experimental findings reveal rather liberal choices of timeout semantics across browsers and motivate the need for a general security solution. They propose a foundation for such a solution in the form of a runtime monitor.
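The following is an added example of the attack class the summary describes; it is not code from the paper. It leaks one secret bit through the firing order of two `setTimeout` callbacks, reading no clock at all: timer A is scheduled with a small delay, a secret-dependent amount of pure computation runs, and timer B is then scheduled with delay 0. If the secret is 1, the work pushes B's deadline past A's, so A fires first and B overwrites the public variable last; if the secret is 0, B fires first and A overwrites it last. The iteration count, the 5 ms delay, and the assumption that timers fire in deadline order are the author's choices for this illustration; the paper's finding that browsers differ in their timeout semantics means the observed order may differ in other engines.

```javascript
// Added example (not from the paper): internal timing attack via timeout
// ordering. No clock is read; only the order of two callbacks is observed.
// Runs unchanged in a browser page or under Node.js.

// Assumed constants: the busy loop must take longer than TIMER_A_MS
// on any realistic machine; 1e8 iterations is well above 5 ms.
const SLOW_ITERATIONS = 100_000_000;
const TIMER_A_MS = 5;

let sink = 0; // keeps the loop result live so the JIT cannot drop the work

// Secret-dependent computation with no clock access: a fixed number of
// iterations when secretBit is 1, none when it is 0.
function secretDependentWork(secretBit) {
  let acc = 0;
  const n = secretBit ? SLOW_ITERATIONS : 0;
  for (let i = 0; i < n; i++) acc = (acc * 31 + i) | 0;
  return acc;
}

// Leaks secretBit (0 or 1) into a public variable and resolves with the
// value the attacker would read after both timeouts have fired.
function leakBit(secretBit) {
  return new Promise((resolve) => {
    let pub = -1; // public ("low") variable the attacker inspects
    let fired = 0;
    const done = () => { if (++fired === 2) resolve(pub); };

    // Timer A: deadline = now + TIMER_A_MS, writes 0.
    setTimeout(() => { pub = 0; done(); }, TIMER_A_MS);

    // The secret-dependent delay runs before B is scheduled, so B's
    // deadline lands after A's exactly when the secret is 1.
    sink ^= secretDependentWork(secretBit);

    // Timer B: deadline = now (after the work) + 0, writes 1.
    setTimeout(() => { pub = 1; done(); }, 0);
  });
}

// Stand-alone demonstration: both bits should be recovered.
leakBit(0)
  .then((b) => { console.log("secret 0 leaked as", b); return leakBit(1); })
  .then((b) => { console.log("secret 1 leaked as", b); });
```

The public variable ends up equal to the secret because the last writer wins and the writer order is fixed by the two deadlines. Note that nothing in the leaking code is observably "timing-related" to a naive reviewer: it is two ordinary timeouts and a loop, which is why the summary argues for a general runtime mechanism rather than ad hoc review.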
