35th Annual Computer Security Applications Conference (ACSAC 2019)

Full Program »
View File
View File

BakingTimer: Privacy Analysis of Server-Side Request Processing Time

Cookies were originally introduced as a way to provide state awareness to websites, and are now one of the backbones of the current web. However, their use is not limited to store the login information or to save the current state of user browsing. In several cases, third-party cookies are deliberately used for web tracking, user analytics, and for online advertisement, with the subsequent privacy loss for the end users.

However, cookies are not the only technique capable of retrieving the users’ browsing history. In fact, history sniffing techniques are capable of tracking the users’ browsing history without relying on any specific code in a third-party website, but only on code executed within the visited site. Many sniffing techniques have been proposed to date, but they usually have several limitations and they are not able to differentiate between multiple possible states within the target application.

In this paper we propose BakingTimer, a new history sniffing technique based on timing the execution of server-side request processing code. This method is capable of retrieving partial or complete user browsing history, it does not require any permission, and it can be performed through both first and third-party scripts. We studied the impact of our new history sniffing attack and discovered that it was capable of detecting prior visits to more than half of the 10K websites analyzed, which is the largest test performed to date to test this type of techniques.

Iskander Sanchez-Rola
University of Deusto, Symantec Research Labs

Davide Balzarotti

Igor Santos
University of Deusto


Powered by OpenConf®
Copyright©2002-2020 Zakon Group LLC