Hybrid Timing

Hybrid Timing

October 1, 2020
Abuse iframes
Category Attack
Defenses Fetch Metadata, SameSite Cookies, COOP

Hybrid Timing Attacks allow attackers to measure the sum of a bunch of factors that influence the final timing measurement. These factors include:

Some of the factors differ in value depending on the application. This means that Network Timing might be more significant in pages with more backend processing while Execution Timing can be more significant in applications processing and displaying data within the browser. Attackers can also eliminate some of these factors to obtain more precise measurements. For example, one could preload all the subresources by embedding the page as an iframe (forcing the browser to cache the subresources) and do a second measurement which will exclude any delay introduced by the retrieval of those subresources.

Frame Timing Attacks (Hybrid) #

If a page does not set Framing Protections, an attacker can obtain a hybrid measurement that considers all the factors. This attack is similar to the Network-based Attack, but when the resource is retrieved the page is rendered and executed by the browser (subresources fetched and JavaScript executed). In this scenario, the onload event only triggers once the page fully loads (including subresources and script execution).

var iframe = document.createElement('iframe');
// Set the URL of the destination website
iframe.src = "https://example.org";
document.body.appendChild(iframe);

// Measure the time before the request was initiated
var start = performance.now();

iframe.onload = () => {
  // When iframe loads, calculate the time difference
  var time = performance.now() - start;
  console.log("The iframe and subresources took %d ms to load.", time)
}

Defense #

Attack Alternative SameSite Cookies (Lax) COOP Framing Protections Isolation Policies
Frame Timing (Hybrid) ✔️ ✔️ FIP