CAPEC-462: Cross-Domain Search Timing

Abstraction: Detailed
Status: Draft
Severity: Medium

Description

An attacker initiates cross-domain HTTP GET requests and times the server responses. The timing of these responses may leak important information about what is happening on the server. The browser's same-origin policy prevents the attacker from directly reading the server responses (in the absence of any other weaknesses), but it does not prevent the attacker from timing the responses to requests that the attacker issued cross-domain.
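As an added illustration of the defensive side (this is not part of the CAPEC entry): because the same-origin policy stops the attacker's page from reading the response but not from timing it, a server can refuse cross-site requests up front using the browser's Fetch Metadata request headers (Sec-Fetch-Site, Sec-Fetch-Mode, Sec-Fetch-Dest), so that every cross-domain request takes the same short rejection path regardless of server state. The check below implements the commonly recommended resource-isolation policy; the function name and the plain header-dictionary input are assumptions of this example.

```python
# Added example, not code from MITRE CAPEC: a Fetch Metadata resource-isolation
# check run before any request-specific work. Cross-site requests are answered
# by a fixed, cheap rejection, so their duration no longer depends on what the
# application would have done with them.
from typing import Mapping, Optional

ALLOWED_SITES = {"same-origin", "same-site", "none"}
NAVIGATION_MODES = {"navigate", "nested-navigate"}  # nested-navigate: older browsers
EMBEDDABLE_DESTS = {"object", "embed"}


def _get(headers: Mapping[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def resource_isolation_allows(headers: Mapping[str, str], method: str) -> bool:
    """True if the request may reach the application; False if it should get
    an immediate, uniform 403 before any application state is consulted."""
    site = _get(headers, "Sec-Fetch-Site")
    # Clients that send no Fetch Metadata (older browsers, non-browser tools)
    # are let through: this is an added layer, not a replacement for CSRF
    # tokens or SameSite cookies.
    if site is None:
        return True
    if site in ALLOWED_SITES:
        return True
    # Cross-site top-level navigations (a user following a link) are allowed,
    # but not non-GET methods and not loads into <object>/<embed>.
    mode = _get(headers, "Sec-Fetch-Mode") or ""
    dest = _get(headers, "Sec-Fetch-Dest") or ""
    if mode in NAVIGATION_MODES and method.upper() == "GET" and dest not in EMBEDDABLE_DESTS:
        return True
    return False


# Constructed sample: a cross-site fetch() GET as a timing probe would issue it.
PROBE_HEADERS = {"sec-fetch-site": "cross-site", "sec-fetch-mode": "cors",
                 "sec-fetch-dest": "empty"}


def handle(headers: Mapping[str, str], method: str) -> int:
    """Return the HTTP status the server answers with before doing real work."""
    return 200 if resource_isolation_allows(headers, method) else 403
```

Any request that passes this check still needs the usual CSRF protections and, where the resource itself is secret-dependent, responses whose timing does not vary with that secret.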

Related weaknesses (3)

- CWE-385
- CWE-352
- CWE-208

Related attack patterns (1)

CAPEC-54 (ChildOf)

Exploits (3)

Type      Target                                        Confidence  Tier
Weakness  Covert Timing Channel (CWE-385)               100%        live
Weakness  Observable Timing Discrepancy (CWE-208)       100%        live
Weakness  Cross-Site Request Forgery (CSRF) (CWE-352)   100%        live

Related by meaning (6)

Nearest entities by semantic similarity across the cs-graph corpus.

- CAPEC: Generic Cross-Browser Cross-Domain Theft
- CAPEC: Leveraging Active Adversary in the Middle Attacks to Bypass Same Origin Policy
- CAPEC: JSON Hijacking (aka JavaScript Hijacking)
- CAPEC: Cross Site Tracing
- CAPEC: Cross Site Request Forgery
- CAPEC: Cross-Site Scripting (XSS)

Sourced from MITRE CAPEC. Curated by Adam Lundqvist, SQUR.