Full Report
Rob had a rant on his site on the timing attack, with a CSRF twist. We met him after our Vegas talk, but I'm not really sure how his attack differs from our published one. My on-list response:

-snip-
From: haroon meer
To: [email protected]
Cc: [email protected]
Subject: Re: [WEB SECURITY] Performing Distributed Brute Forcing of CSRF vulnerable login pages

Hi Robert,

Thanks for the kind words on the talk. If you check out the Visio at: http://www.sensepost.com/blogstatic/2007/08/dxsrt.png you will see that it's pretty much the same attack. In a shameless display of self-pimpage, check out the paper http://www.sensepost.com/research/squeeza/dc-15-meer_and_slaviero-WP.pdf from page 12. Figure 23, for example, shows the results in a victim/zombie's browser after he has visited our page. Effectively he tries the userlist we send him (in this case on a standard SquirrelMail login page). Once he detects a timing diff (again using a trivial algorithm to avoid latency disparity) he simply makes another request to the attacker to report his success.
Analysis Summary
# Tool/Technique: Distributed Timing Attack with CSRF Twist (SensePost/Rob Auger Concept)
## Overview
This page centers on a technique for distributed brute-forcing of login pages that lack CSRF protection, using **timing differences** in the login page's responses as the signal. An attacker-controlled page, loaded in a visitor's browser, submits a list of guesses (a userlist in the quoted SquirrelMail example) to the target login page and watches for entries whose response time differs from the rest; the browser cannot read the cross-origin response body, but it can time the request. The work is distributed across every browser ("zombie") that visits the attacker's page, and each zombie reports any hit back to the attacker.
## Technical Details
- Type: Technique
- Platform: Web Applications (Server-side authentication mechanisms)
- Capabilities: Distributed credential guessing from victims' browsers; detection of guesses that change the login page's response time; reporting of hits to an attacker-controlled endpoint.
- First Seen: August 2007. The referenced paper is the SensePost DEF CON 15 whitepaper (the "dc-15" in its filename) and the diagram URL is dated 2007/08; the "Vegas talk" is that DEF CON presentation.
## MITRE ATT&CK Mapping
The technique guesses credentials against a login page and uses victims' browsers as the request source.
- **TA0001 - Initial Access**
  - T1189 - Drive-by Compromise (the probing script runs in any browser that loads the attacker's page)
  - T1566.002 - Phishing: Spearphishing Link (if victims are lured to that page by a link)
- **TA0006 - Credential Access**
  - T1110 - Brute Force, specifically T1110.001 Password Guessing; when many zombies work the same short list of guesses against many accounts the server-side pattern resembles T1110.003 Password Spraying
- **T1078 - Valid Accounts** (using the guessed credentials afterwards; ATT&CK lists this technique under several tactics, including Initial Access and Privilege Escalation)
## Functionality
### Core Capabilities
- **Distributed Brute-Forcing:** A list of candidates (the userlist in the quoted example) is handed to each browser that loads the attacker's page, so the testing load is spread across many unwitting clients ("zombies") rather than a single attacker host.
- **Timing Analysis:** A "trivial algorithm" (the author's words; the details are not given on this page) separates genuine server-side timing differences from ordinary network latency variation, so that entries which make the login page respond measurably slower or faster than the rest can be singled out.
### Advanced Features
- **CSRF Twist:** The attacker's page submits login attempts to the target from the visitor's browser. This works because the login form accepts submissions that did not originate from the target site (no anti-CSRF token), and the attacker never needs to read the cross-origin response, only to time it.
- **Success Reporting:** Once a zombie detects a timing difference for one of its candidates, it makes a further request to the attacker's server to report the hit, so the attacker collects results without ever contacting the target directly.
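The measurement side of the technique, as an added example that is not from the SensePost paper or Rob Auger's post: the logic a zombie page would run to pick timing outliers out of a candidate list, with a latency-cancelling scheme (interleaved baseline probes and a median of per-round differences) standing in for the unspecified "trivial algorithm". The candidate names, the baseline name, the 25 ms server-side difference, the jitter, the threshold and the simulated probe are all constructed for the demo; in a browser the probe would time a real cross-origin submission as shown in the comment.

```javascript
// Added example (not from the page): zombie-side timing-outlier detection.
//
// In a browser the probe would be something like
//   const t0 = performance.now();
//   await fetch(loginUrl, { method: "POST", mode: "no-cors", body: form });
//   return performance.now() - t0;
// The response body is unreadable cross-origin, but its timing is not.

function median(values) {
  const s = [...values].sort((a, b) => a - b);
  const mid = Math.floor(s.length / 2);
  return s.length % 2 ? s[mid] : (s[mid - 1] + s[mid]) / 2;
}

// Interleaved probing: each candidate measurement is paired with a
// measurement of a baseline name known not to exist, taken immediately
// before it. Latency drift affects both halves of the pair, so the
// per-round difference cancels it out, and the median of those
// differences shrugs off occasional latency spikes.
function detectTimingOutliers(candidates, probe, opts) {
  const { baseline, rounds, thresholdMs } = opts;
  const diffs = new Map(candidates.map((c) => [c, []]));
  for (let r = 0; r < rounds; r++) {
    for (const c of candidates) {
      const tBase = probe(baseline);
      const tCand = probe(c);
      diffs.get(c).push(tCand - tBase);
    }
  }
  const flagged = [];
  for (const [name, d] of diffs) {
    if (median(d) > thresholdMs) flagged.push(name);
  }
  return flagged.sort();
}

// Constructed stand-in for the target (hypothetical numbers): entries in
// `validNames` cost the server an extra 25 ms, every request carries
// 0-10 ms of deterministic jitter, and latency drifts upward by 0.5 ms
// per request to mimic a link that is getting busier.
function makeSimulatedProbe(validNames) {
  let calls = 0;
  return function probe(name) {
    const jitter = (calls * 7) % 11;
    const drift = calls * 0.5;
    calls++;
    const extra = validNames.has(name) ? 25 : 0;
    return 40 + extra + jitter + drift;
  };
}

// Payload the zombie would send to the attacker's collection point once
// it has something to report (hypothetical endpoint; nothing is sent here).
function buildReport(zombieId, target, flagged) {
  return JSON.stringify({ zombie: zombieId, target, hits: flagged });
}

function runDemo() {
  const candidates = ["alice", "bob", "mallory", "zed"];
  const probe = makeSimulatedProbe(new Set(["alice", "mallory"]));
  const flagged = detectTimingOutliers(candidates, probe, {
    baseline: "no-such-user-7f3a", rounds: 7, thresholdMs: 12,
  });
  return { flagged, report: buildReport("z1", "login.example", flagged) };
}
```

Because every difference is taken against a baseline probed moments earlier, the 0.5 ms/request drift never accumulates into a false positive; an absolute threshold on raw response times would start flagging everything after a few dozen requests.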
## Indicators of Compromise
As this describes a conceptual attack technique rather than specific malware, IOCs are behavioral.
- File Hashes: N/A
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: Login submissions arriving from many unrelated end-user browsers (the zombies), each followed by a request from the same client to an attacker-controlled collection point. No real endpoint is given on this page; a defanged placeholder for such an endpoint would look like `hxxp://attacker_c2_domain/report_success`.
- Behavioral Indicators: Many login attempts in quick succession from one browser session or IP against the same login endpoint, with the usernames or passwords cycling through a list, and the same account names being tried from many distinct client IPs at roughly the same time. From the server's side each request is an ordinary form submission; what stands out is the volume and who is sending it.
## Associated Threat Actors
This is published security research, discussed between SensePost (Haroon Meer) and Robert Auger on the [WEB SECURITY] mailing list. It is a documented technique rather than a specific threat actor's toolset, though any attacker or red team could adopt it.
## Detection Methods
- Signature-based detection: Unlikely to help, since each request is a legitimately formed login submission; there is no payload to match on.
- Behavioral detection: Monitor for unusually high rates of login submissions from a single session or client, and, because the attack is distributed, for the same accounts being tried from many distinct clients within the same window. Where client-side telemetry exists, follow-up requests from the browser to an external host unrelated to the target site are the reporting step.
- YARA rules: N/A
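The behavioural detection above, as an added example that is not part of the page: a small analyser run over constructed authentication log lines. It applies two rules, a per-client burst rule (one source submitting many attempts in a window) and a per-account distribution rule (one account name failing from many distinct sources in a window), the second being the one that catches zombies that each only contribute a few requests. The log format, field names, window size, thresholds and sample lines are all this example's own.

```javascript
// Added example (not from the page): behavioural detection over auth logs.

// Constructed sample: one host hammering the login page, four "zombie"
// hosts each contributing two attempts against the same two accounts,
// and one normal successful login.
const SAMPLE_LOG = `
2007-08-10T12:00:00Z ip=203.0.113.5 user=alice result=fail
2007-08-10T12:00:01Z ip=203.0.113.5 user=bob result=fail
2007-08-10T12:00:02Z ip=203.0.113.5 user=carol result=fail
2007-08-10T12:00:03Z ip=203.0.113.5 user=dave result=fail
2007-08-10T12:00:04Z ip=203.0.113.5 user=erin result=fail
2007-08-10T12:00:05Z ip=203.0.113.5 user=frank result=fail
2007-08-10T12:00:10Z ip=198.51.100.1 user=alice result=fail
2007-08-10T12:00:11Z ip=198.51.100.1 user=mallory result=fail
2007-08-10T12:00:12Z ip=198.51.100.2 user=alice result=fail
2007-08-10T12:00:13Z ip=198.51.100.2 user=mallory result=fail
2007-08-10T12:00:14Z ip=198.51.100.3 user=alice result=fail
2007-08-10T12:00:15Z ip=198.51.100.3 user=mallory result=fail
2007-08-10T12:00:16Z ip=198.51.100.4 user=alice result=fail
2007-08-10T12:00:17Z ip=198.51.100.4 user=mallory result=fail
2007-08-10T12:00:30Z ip=192.0.2.9 user=carol result=ok
`;

// Hypothetical log format: "<ISO timestamp> ip=<addr> user=<name> result=<ok|fail>".
function parseAuthLine(line) {
  const m = line.match(/^(\S+) ip=(\S+) user=(\S+) result=(\S+)$/);
  if (!m) return null;
  return { ts: Date.parse(m[1]), ip: m[2], user: m[3], result: m[4] };
}

function parseAuthLog(text) {
  return text.split("\n").map((l) => l.trim()).filter(Boolean)
    .map(parseAuthLine).filter(Boolean);
}

// Fixed windows of `windowSec` seconds. Rule A: a client making at least
// `burstThreshold` attempts in one window. Rule B: an account failing from
// at least `distributedThreshold` distinct clients in one window.
function detectLoginAbuse(events, opts = {}) {
  const { windowSec = 60, burstThreshold = 5, distributedThreshold = 4 } = opts;
  const perIp = new Map();   // "window|ip"   -> attempt count
  const perUser = new Map(); // "window|user" -> Set of ips with failures
  for (const e of events) {
    const w = Math.floor(e.ts / 1000 / windowSec) * windowSec;
    const ipKey = `${w}|${e.ip}`;
    perIp.set(ipKey, (perIp.get(ipKey) || 0) + 1);
    if (e.result !== "ok") {
      const uKey = `${w}|${e.user}`;
      if (!perUser.has(uKey)) perUser.set(uKey, new Set());
      perUser.get(uKey).add(e.ip);
    }
  }
  const bursts = [];
  for (const [key, n] of perIp) {
    if (n >= burstThreshold) {
      const [w, ip] = key.split("|");
      bursts.push({ window: Number(w), ip, attempts: n });
    }
  }
  const distributed = [];
  for (const [key, ips] of perUser) {
    if (ips.size >= distributedThreshold) {
      const [w, user] = key.split("|");
      distributed.push({ window: Number(w), user, ips: [...ips].sort() });
    }
  }
  bursts.sort((a, b) => a.ip.localeCompare(b.ip));
  distributed.sort((a, b) => a.user.localeCompare(b.user));
  return { bursts, distributed };
}
```

On the sample, rule A only catches the single noisy host; the four zombies stay under any per-client threshold and are surfaced only by rule B, which is why the per-account view matters for this technique.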
## Mitigation Strategies
- **CSRF Prevention:** Bind login submissions to a per-session anti-CSRF token embedded in the login form and verified server-side. A cross-origin page cannot read the target's form, so forged submissions fail token validation before any credential is examined; the token check itself must reject uniformly so it does not become the new timing oracle.
- **Rate Limiting:** Limit login attempts per IP and per session, and, because this attack spreads its requests across many clients, also per target account (lockout or step-up such as a CAPTCHA after a small number of failures).
- **Timing Hardening:** Make the failure paths do the same work as the success path: hash the supplied password against a dummy record when the username is unknown, compare hashes with a constant-time comparison, and avoid early returns that reveal which check failed. Random delay is not a substitute, since the attacker averages noise away (the quoted "trivial algorithm" exists precisely to remove latency disparity).
- **User Visibility:** If distributed brute-forcing is suspected (many distinct client IPs each submitting a handful of attempts against the same set of accounts in the same window), correlate by target account rather than by source IP and investigate the affected sessions.
## Related Tools/Techniques
- Timing Attacks (General exploitation of timing differences).
- Distributed Credential Spraying/Brute-Forcing.
- CSRF exploitation for forced requests.