The purpose of this article is to inform the reader about side-channel attacks, in particular attacks against web applications that measure differences in response time. The reader is first briefly introduced to the security model of an application and to the definition of a "side channel". Next, the methodology of time-delay attacks against web applications is presented. Finally, a countermeasure that software engineers can apply against this type of attack is discussed.
Every application communicates with the outside world through input/output channels designed for that purpose. Consider, for example, a web application that talks to the user through a browser and to a database hosted on an external server: it has two communication channels, one with the user, who accesses it through the browser over HTTP, and one with the database, over an SQL-based protocol. These input/output channels are called "trust boundaries", to express that the application cannot trust, a priori, anything that arrives from the outside world (input). Likewise, the application must be careful about what it sends out (output), so that its output does not disclose information it should not.
The set of all trust boundaries of an application is called its "attack surface". To protect itself, the application must therefore be able to recognize malicious input and take the appropriate defensive action (for example, stop accepting input from the IP address the malicious input came from, write a log entry for the event, lock the user account associated with the input, and so on). In addition, the application must avoid, at all costs, returning output that could benefit an adversary who supplied malicious input. The software engineers designing an application therefore need to know every trust boundary that makes up its attack surface, so that they can protect each one from malicious parties.
The problem is that some trust boundaries, often quite subtle ones, can go unnoticed during the design of the application, which opens up attack possibilities. These "forgotten" trust boundaries, communication channels that were not mapped in the application model during design, are called "side channels", and attacks that exploit them are called "side-channel attacks". In the case this article is concerned with, the unmapped channel is the time the application takes to respond: a response-time difference that depends on secret data is an output the designers never intended to expose. The following figure summarizes the concepts introduced up to this point.
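As an added, self-contained illustration of the side-channel idea (example code written for this edit, not code from the original article), the Python below models a web handler that compares a submitted token against a secret. The byte-by-byte early-exit comparison leaks, through the amount of work it does before returning, how long a correct prefix the caller supplied; the count of bytes examined stands in for the response-time delta an attacker would measure over HTTP. The secret value, the padding byte, the candidate alphabet and the `recover_secret` routine are all assumptions made for the example; the constant-time comparison and `hmac.compare_digest` are the standard countermeasure.

```python
import hmac

# Constructed secret for this example; not a value from the original article.
SECRET = b"s3cr3t-api-token"


def naive_equals(expected: bytes, provided: bytes) -> tuple[bool, int]:
    """Early-exit comparison, the shape a plain `==` on strings often has.

    Returns (match, bytes_examined). The second value is the unmapped
    output channel: the loop stops at the first mismatching byte, so the
    work done, and with it the response time, reveals how long a correct
    prefix the caller supplied.
    """
    if len(expected) != len(provided):
        return False, 0
    examined = 0
    for a, b in zip(expected, provided):
        examined += 1
        if a != b:
            return False, examined
    return True, examined


def constant_time_equals(expected: bytes, provided: bytes) -> tuple[bool, int]:
    """Comparison whose work does not depend on where the first mismatch is.

    Every byte is visited and the differences are accumulated with OR, so
    bytes_examined (and the time) is the same for every guess of the right
    length. Production code should call hmac.compare_digest (see check_token).
    """
    if len(expected) != len(provided):
        return False, 0
    diff = 0
    for a, b in zip(expected, provided):
        diff |= a ^ b
    return diff == 0, len(expected)


def check_token(provided: bytes) -> bool:
    """What the hardened handler should actually do: standard-library
    constant-time comparison, with no per-byte early exit."""
    return hmac.compare_digest(SECRET, provided)


def recover_secret(oracle, length: int,
                   alphabet: bytes = bytes(range(0x20, 0x7F))) -> bytes:
    """Byte-at-a-time recovery that sees only the oracle's (match, cost) output.

    At each position the candidate whose cost is one higher than the others
    is the correct byte. If every candidate costs the same, the channel
    carries no signal and recovery stops with whatever was learned so far.
    The 0x00 padding is assumed to occur neither in the secret nor in the
    alphabet (true for the constructed SECRET above).
    """
    recovered = bytearray()
    for pos in range(length):
        costs = {}
        for c in alphabet:
            guess = bytes(recovered) + bytes([c]) + b"\x00" * (length - pos - 1)
            match, cost = oracle(guess)
            if match:
                return guess
            costs[c] = cost
        if len(set(costs.values())) == 1:
            break  # no timing difference between candidates: nothing leaks
        recovered.append(max(costs, key=costs.get))
    return bytes(recovered)


if __name__ == "__main__":
    leaky = lambda guess: naive_equals(SECRET, guess)
    hardened = lambda guess: constant_time_equals(SECRET, guess)
    print("naive compare leaks:", recover_secret(leaky, len(SECRET)))
    print("constant-time compare leaks:", recover_secret(hardened, len(SECRET)))
```

Against the early-exit oracle the whole secret is recovered with at most 95 guesses per byte; against the constant-time oracle every candidate costs the same and `recover_secret` returns nothing. In a real deployment the count of examined bytes becomes a delay of nanoseconds buried in network jitter, so an attacker repeats each guess many times and averages, which is why the defence is to remove the data-dependent difference rather than to hope it is too small to measure.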