Tools for Active and Passive Network Side-Channel Detection for Web Applications

Authors: 

Michael Lescisin and Qusay Mahmoud, University of Ontario Institute of Technology

Abstract: 

Since its creation, SSL/TLS has been the go-to solution for securing unencrypted web protocols - most commonly HTTP. The design of SSL/TLS, however, merely provides data stream encryption and authentication properties which often leads to the incorrect conclusion that by simply wrapping an unencrypted HTTP connection to a server with SSL/TLS, user privacy and web application behaviour integrity are guaranteed. Such type of information leak is unique in the sense that while certain web security vulnerabilities such as SQL injections have been well researched and thus there are known design patterns to avoid and penetration testing tools based on detecting known-to-be insecure design patterns, the state of research for the types of information leaks described in this paper still lags behind. In this paper, we discuss three design patterns that often result in side-channel information leaks along with three real-world websites which posses these vulnerabilities. Based on these three vulnerable design patterns we present a set of tools for detecting these types of side-channel information leaks given a training set of captured encrypted network traffic sessions.

Open Access Media

USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.

BibTeX
@inproceedings {220568,
author = {Michael Lescisin and Qusay Mahmoud},
title = {Tools for Active and Passive Network {Side-Channel} Detection for Web Applications},
booktitle = {12th USENIX Workshop on Offensive Technologies (WOOT 18)},
year = {2018},
address = {Baltimore, MD},
url = {https://www.usenix.org/conference/woot18/presentation/lescisin},
publisher = {USENIX Association},
month = aug
}