Common Attack Pattern Enumeration and Classification
A Community of Knowledge Resource for Building Secure Software
An attacker initiates cross domain HTTP / GET requests and times the server responses. The timing of these responses may leak important information on what is happening on the server. Browser's single origin policy prevents the attacker from directly reading the server responses (in the absense of any other weaknesses), but does not prevent the attacker from timing the responses to requests that the attacker issued cross domain.
The timing for these responses leaks information. For instance, if a victim has an active session with their online e-mail account, an attacker could issue search requests in the victim's mailbox. While the attacker is not able to view the responses, based on the timings of the responses, the attacker could ask yes / no questions as to the content of victim's e-mails, who the victim e-mailed, when, etc. This is but one example; There are other scenarios where an attacker could infer potentially sensitive information from cross domain requests by timing the responses while asking the right questions that leak information.
Ability to issue GET / POST requests cross domain
Java Script is enabled in the victim's browser
The victim has an active session with the site from whicht the attacker would like to receive information
The victim's site does not protect search functionality with cross site request forgery (CSRF) protection
Design: The victim's site could protect all potentially sensitive functionality (e.g. search functions) with cross site request forgery (CSRF) protection and not perform any work on behalf of forged requests
Design: The browser's security model could be fixed to not leak timing information for cross domain requests
Chris Evans. "Cross-Domain Search Timing". http://scarybeastsecurity.blogspot.com/2009/12/cross-domain-search-timing.html. 2009-12-11.