Difference between revisions of "Test for Process Timing (OTG-BUSLOGIC-004)"
David Fern (Created page with "== Brief Description == It is possible that attackers can gather information on an application by monitoring the time it takes to complete a task or give a respond. Attackers...")
David Fern
Line 9: | Line 9: | ||
== Example == | == Example == | ||
− | Video gambling machines may take longer to process a transaction just prior to a large payout. This would allow astute gamblers to gamble minimum amounts until they see the long process time which would then prompt them to bet the maximum. | + | Video gambling/slot machines may take longer to process a transaction just prior to a large payout. This would allow astute gamblers to gamble minimum amounts until they see the long process time which would then prompt them to bet the maximum. |
== Testing Method == | == Testing Method == | ||
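Review bot: the reworded example at Line 9 says the transaction is slower "just prior to a large payout" but never says what the machine is doing that takes longer; one clause naming the extra work (for instance, preparing or recording the payout before the result is shown) would let readers map the example onto their own application's slow paths.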
Line 21: | Line 21: | ||
== Related Test Cases == | == Related Test Cases == | ||
− | + | 4.7.2 Testing for Cookies attributes (OTG-SESS-002) | |
+ | |||
+ | 4.7.8 Test Session Timeout (OTG-SESS-008) | ||
+ | |||
+ | 4.11.1 Test time synchronisation (OTG-LOG-001) | ||
+ | |||
+ | 4.13.4 Test excessive rate (speed) of use limits (OTG-DOS-004) | ||
== References == | == References == |
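Review bot: the Related Test Cases added at Line 21 are listed without saying how each relates to processing timing. OTG-SESS-008 (session timeout) and OTG-DOS-004 (rate of use) map to the brief description's point about keeping sessions open and not submitting transactions in the expected time frame, but the link from OTG-SESS-002 (cookie attributes) and OTG-LOG-001 (time synchronisation) to timing inference is not stated; a short clause after each entry would make the list usable.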
Revision as of 13:34, 16 December 2013
Brief Description
Attackers can gather information about an application by monitoring the time it takes to complete a task or return a response. Attackers can also manipulate and break designed business process flows simply by keeping sessions open and not submitting their transactions within the expected time frame.
Issue
Processing time may leak information about what the application or system is doing in its background processes. If variations in processing time let users guess what the next outcome will be, they can adjust their behaviour to take advantage of that expectation before the outcome is revealed.
Example
Video gambling/slot machines may take longer to process a transaction just prior to a large payout. An astute gambler could bet the minimum amount until they observe the longer processing time, and then bet the maximum on the following play.
Testing Method
• Identifying this type of issue requires the tester to measure and record the time each transaction takes to complete, repeat the transaction enough times to separate the application's own timing from network noise, and then determine whether an attacker could infer the outcome from those timings alone.
Test Tools
None
Related Test Cases
4.7.2 Testing for Cookies attributes (OTG-SESS-002)
4.7.8 Test Session Timeout (OTG-SESS-008)
4.11.1 Test time synchronisation (OTG-LOG-001)
4.13.4 Test excessive rate (speed) of use limits (OTG-DOS-004)
References
None
Remediation
Develop applications with processing time in mind. If an attacker could gain an advantage from knowing that different results take different amounts of time to produce, add extra steps or processing so that every result is returned in the same time frame regardless of its value; the padding must cover the slowest path, otherwise the slow cases still stand out.
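The Testing Method and the Remediation above can be shown together in one added example, which is not part of the original OWASP page. It models the page's slot-machine scenario with a constructed back end: the machine decides the next spin's outcome at the end of the current spin and does extra ledger work when it reserves a jackpot, so the spin before a payout is measurably slower. A tester routine times every transaction and checks whether latency predicts the following outcome, an attacker routine turns that into the min-bet/max-bet strategy from the example, and a padded variant holds every response to a fixed deadline. The class and function names, the 4 % hit rate, the 20x multiplier and all timings are assumptions made for the demo; the simulated clock exists so the run is offline and repeatable, and RealClock is the same interface over wall-clock time for use against a live handler.

```python
"""Timing-oracle check for outcome-dependent processing time (added example).

All names, rates and timings below are constructed for the demonstration.
"""
import random
import statistics
import time


class SimulatedClock:
    """Deterministic stand-in for wall-clock time so the demo runs offline.
    sleep() advances time by the requested amount plus seeded jitter that
    models ordinary network and CPU noise."""

    def __init__(self, seed=1, jitter=0.002):
        self.t = 0.0
        self.rng = random.Random(seed)
        self.jitter = jitter

    def now(self):
        return self.t

    def sleep(self, seconds):
        self.t += seconds + self.rng.uniform(0.0, self.jitter)


class RealClock:
    """Same interface over the real clock, for timing a live handler."""
    now = staticmethod(time.perf_counter)
    sleep = staticmethod(time.sleep)


class SlotMachine:
    """Constructed back end: 4 % hit rate, 20x payout on a hit.

    padded=False is the leaky design: reserving a jackpot for the next spin
    costs ~30 ms of extra bookkeeping, so that spin answers late.
    padded=True holds every response until a fixed deadline instead."""

    HIT_RATE, MULTIPLIER = 0.04, 20

    def __init__(self, clock, seed=42, padded=False, deadline=0.050):
        self.clock, self.rng = clock, random.Random(seed)
        self.padded, self.deadline = padded, deadline
        self.next_is_jackpot = False

    def spin(self, bet):
        start = self.clock.now()
        won = self.next_is_jackpot
        self.clock.sleep(0.010)                      # base work on every spin
        self.next_is_jackpot = self.rng.random() < self.HIT_RATE
        if self.next_is_jackpot:
            self.clock.sleep(0.030)                  # extra jackpot ledger work
        if self.padded:
            # Remediation: finish the real work, then wait out a fixed deadline
            # that exceeds the slowest path, so the caller sees a constant time.
            remaining = self.deadline - (self.clock.now() - start)
            if remaining > 0:
                self.clock.sleep(remaining)
        return bet * self.MULTIPLIER if won else 0


def profile_timing(machine, spins=500, threshold=0.005):
    """Tester (Testing Method): bet the minimum, time each spin, and compare
    the latency of spins that precede a win with those that precede a loss.
    A median gap above threshold means latency predicts the next outcome."""
    records = []
    for _ in range(spins):
        start = machine.clock.now()
        payout = machine.spin(bet=1)
        records.append((machine.clock.now() - start, payout > 0))
    # pair spin i's latency with spin i+1's outcome
    pairs = [(t, won) for (t, _), (_, won) in zip(records, records[1:])]
    before_win = [t for t, won in pairs if won]
    before_loss = [t for t, won in pairs if not won]
    if not before_win or not before_loss:
        return {"leak": False, "gap": 0.0, "wins": len(before_win)}
    gap = statistics.median(before_win) - statistics.median(before_loss)
    return {"leak": gap > threshold, "gap": gap, "wins": len(before_win)}


def exploit(machine, spins=500, min_bet=1, max_bet=100, cutoff=0.025):
    """Astute gambler from the page's example: bet the minimum until a spin
    takes longer than cutoff, then bet the maximum on the very next spin.
    Returns net winnings; against the padded machine every spin exceeds
    cutoff, so the strategy degenerates to always betting the maximum."""
    wagered = paid = 0
    bet = min_bet
    for _ in range(spins):
        start = machine.clock.now()
        paid += machine.spin(bet)
        wagered += bet
        bet = max_bet if machine.clock.now() - start > cutoff else min_bet
    return paid - wagered


if __name__ == "__main__":
    for padded in (False, True):
        label = "padded" if padded else "leaky"
        print(label, profile_timing(SlotMachine(SimulatedClock(), padded=padded)),
              "attacker net:", exploit(SlotMachine(SimulatedClock(), padded=padded)))
```

Against a real endpoint, swap in RealClock and take far more samples than the 500 used here: network jitter is usually larger than the gap being looked for, so compare medians (or whole distributions) per outcome rather than single timings. The padding in `spin` is only a remedy while `deadline` exceeds the slowest path under load; if the jackpot path ever overruns it, those responses are late and the leak returns for exactly the cases that matter.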