timing_attack 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: d03f591c320a5983d1a95d594e0ac067f79f9019
+  data.tar.gz: 587b251ddbe7ee8698fb9f1f6309ce2c0934b915
+SHA512:
+  metadata.gz: 599c51ebac9e5b3ca49fec6d3364682427de3d6c85eda144b981c7138393cb658b2a88ac11f5a1eecef7b768569c3eb212a151634a34012758af18267fa05a26
+  data.tar.gz: c61b9cf40bcb33a9beed350d1f39b79a7f93c67430100c9fb021ca6bd23a72defc7a8814b7e7e5e78db61b2bbefe74ea02d3a5fa3a8eaf40e54433b6ba4e39bd

data/.gitignore

@@ -0,0 +1,10 @@
+/.bundle/
+/.yardoc
+/Gemfile.lock
+/_yardoc/
+/coverage/
+/doc/
+/pkg/
+/spec/reports/
+/tmp/
+*.gem

data/.rspec

@@ -0,0 +1,2 @@
+--format documentation
+--color

data/.travis.yml

@@ -0,0 +1,5 @@
+sudo: false
+language: ruby
+rvm:
+  - 2.2.4
+before_install: gem install bundler -v 1.12.4

data/Gemfile

@@ -0,0 +1,4 @@
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in timing_attack.gemspec
+gemspec

data/README.md

@@ -0,0 +1,89 @@
+# timing_attack
+
+Profile web applications, sorting inputs into two categories based on
+discrepancies in the application's response time.
+
+## Installation
+
+```bash
+% gem install timing_attack
+```
+
+## Usage
+
+```
+timing_attack [options] -a <input> -b <input> -u <target> <inputs>
+    -u, --url URL                    URL of endpoint to profile
+    -a, --a-example A_EXAMPLE        Known test case that belongs to Group A
+    -b, --b-example B_EXAMPLE        Known test case that belongs to Group B
+    -n, --number NUM                 Requests per input
+        --a-name A_NAME              Name of Group A
+        --b-name B_NAME              Name of Group B
+    -p, --post                       Use POST, not GET
+    -q, --quiet                      Quiet mode (don't display progress bars)
+    -v, --version                    Print version information
+    -h, --help                       Display this screen
+```
+
+**NB**: If the provided examples are invalid, discvery will fail.  Always check
+your results!  If very similar inputs are being sorted differently, you may have
+used bad training data.
+
+### An example
+Consider that we we want to gather information from a Rails server running
+locally at `http://localhost:3000`.  Let's say that we know the following:
+* `charles@poodles.com` exists in the database
+* `invalid@fake.fake` does not exist in the database
+
+And we want to know if `candidate@address.com` and `other@address.com` exist in
+the database.
+
+We execute (using `-q` to suppress the progress bar)
+```bash
+% timing_attack -q -u http://localhost:3000/login \
+                -a charles@poodles.com -b invalid@fake.fake \
+                candidate@address.com other@address.com
+```
+```
+Group A:
+  candidate@address.com         ~0.1969s
+Group B:
+  other@address.com             ~0.1096s
+```
+`candidate@address.com` is in the same group as `charles@poodles.com` (Group A),
+while `other@address.com` is in Group B with `invalid@fake.fake`
+Thus we know that `candidate@address.com` exists in the database, and that
+`other@example.com` does not.
+
+To make things a bit friendlier, we can rename groups with the `--a-name` and
+`--b-name` options:
+```bash
+% timing_attack -q -u http://localhost:3000/login \
+                -a charles@poodles.com -b invalid@fake.fake \
+                --a-name 'Valid logins' --b-name 'Invalid logins' \
+                candidate@address.com other@address.com
+```
+```
+Valid logins:
+  candidate@address.com         ~0.1988s
+Invalid logins:
+  other@address.com             ~0.1065s
+```
+
+## Contributing
+
+Bug reports and pull requests are welcome [here](https://github.com/ffleming/timing_attack).
+
+## Disclaimer
+
+TimingAttack is quick and dirty.  It is meant to exploit *known* timing attacks based
+upon two known values.  TimingAttack is *not* for discovering the existence of
+timing-based vulnerabilities.
+
+Also, don't use TimingAttack against machines that aren't yours.
+
+## Todo
+* Tests
+* Better heuristic than naïve mean comparison
+* Auto-discovering heuristic that doesn't require example test cases
+* Customizable query parameters

data/Rakefile

@@ -0,0 +1,6 @@
+require "bundler/gem_tasks"
+require "rspec/core/rake_task"
+
+RSpec::Core::RakeTask.new(:spec)
+
+task :default => :spec

data/bin/console

@@ -0,0 +1,14 @@
+#!/usr/bin/env ruby
+
+require "bundler/setup"
+require "timing_attack"
+
+# You can add fixtures and/or initialization code here to make experimenting
+# with your gem easier. You can also use a different console, if you like.
+
+# (If you use this, don't forget to add pry to your Gemfile!)
+# require "pry"
+# Pry.start
+
+require "irb"
+IRB.start

data/bin/setup

@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+set -euo pipefail
+IFS=$'\n\t'
+set -vx
+
+bundle install
+
+# Do any other automated setup that you need to do here

data/exe/timing_attack

@@ -0,0 +1,41 @@
+#!/usr/bin/env ruby
+require 'timing_attack'
+require 'optparse'
+
+options = {}
+opt_parser = OptionParser.new do |opts|
+  opts.program_name = File.basename(__FILE__)
+  opts.banner = "#{opts.program_name} [options] -a <input> -b <input> -u <target> <inputs>"
+  opts.on("-u URL", "--url URL", "URL of endpoint to profile") { |str| options[:url] = str }
+  opts.on("-a A_EXAMPLE", "--a-example A_EXAMPLE", "Known test case that belongs to Group A") { |str| options[:a_example] = str }
+  opts.on("-b B_EXAMPLE", "--b-example B_EXAMPLE", "Known test case that belongs to Group B") { |str| options[:b_example] = str }
+  opts.on("-n NUM", "--number NUM", "Requests per input") { |num| options[:iterations] = num.to_i }
+  opts.on("--a-name A_NAME", "Name of Group A") { |str| options[:a_name] = str }
+  opts.on("--b-name B_NAME", "Name of Group B") { |str| options[:b_name] = str }
+  opts.on("-p", "--post", "Use POST, not GET") { |bool| options[:method] = bool ? :post : :get }
+  opts.on("-q", "--quiet", "Quiet mode (don't display progress bars)") { |bool| options[:verbose] = !bool }
+  opts.on_tail("-v", "--version", "Print version information") do
+    gem = Gem::Specification.find_by_name('timing_attack')
+    puts "#{gem.name} #{gem.version}"
+    exit
+  end
+  opts.on_tail("-h", "--help", "Display this screen") { puts opts ; exit }
+end
+
+begin
+  opt_parser.parse!
+rescue OptionParser::InvalidOption => e
+  STDERR.puts e.message
+  puts opt_parser
+  exit
+end
+
+begin
+  atk = TimingAttack::Attacker.new(inputs: ARGV, options: options)
+  atk.run!
+  puts atk
+rescue ArgumentError => e
+  STDERR.puts e.message
+  puts opt_parser
+  exit
+end

data/lib/timing_attack/attacker.rb

@@ -0,0 +1,130 @@
+module TimingAttack
+  class Attacker
+    def initialize(inputs: [], options: {})
+      @options = DEFAULT_OPTIONS.merge(options)
+      unless @options.has_key? :width
+        @options[:width] = [a_name, b_name, *inputs].map(&:length).push(30).sort.last
+      end
+      %i(a_example b_example url).each do |arg|
+        raise ArgumentError.new("#{arg} is a required argument") unless options.has_key? arg
+      end
+      @attacks = inputs.map { |input| TestCase.new(input: input, options: @options) }
+    end
+
+    def run!
+      puts "Target: #{url}" if verbose?
+      warmup!
+      benchmark!
+      attack!
+    end
+
+    def to_s
+      ret = ""
+      if verbose?
+        ret << "Benchmark results\n"
+        ret << "  #{a_name.ljust(width)}~#{sprintf('%.4f', a_benchmark.mean_time,)}s\n"
+        ret << "  #{b_name.ljust(width)}~#{sprintf('%.4f', b_benchmark.mean_time)}s\n"
+      end
+      ret << attack_string
+    end
+
+    private
+
+    attr_reader :attacks, :options
+
+    def warmup!
+      @warmup_test ||= TestCase.new(input: a_example, options: options)
+      2.times { @warmup_test.test! }
+    end
+
+    def benchmark!
+      iterations.times do
+        [a_benchmark, b_benchmark].each do |test_case|
+          test_case.test!
+          benchmark_bar.increment
+        end
+      end
+    end
+
+    def attack!
+      iterations.times do
+        attacks.each do |attack|
+          attack.test!
+          attack_bar.increment
+        end
+      end
+      attacks.each { |attack| attack.derive_group_from(a_test: a_benchmark, b_test: b_benchmark) }
+    end
+
+    def a_benchmark
+      @a_benchmark ||= TestCase.new(input: a_example, options: options)
+    end
+
+    def b_benchmark
+      @b_benchmark ||= TestCase.new(input: b_example, options: options)
+    end
+
+    def indent(str)
+      "  #{str.ljust(width)}"
+    end
+
+    def a_attacks
+      attacks.select { |a| a.group_a? }
+    end
+
+    def b_attacks
+      attacks.select { |a| a.group_b? }
+    end
+
+    def attack_string
+      ret = ""
+      unless a_attacks.empty?
+        ret << "#{a_name}:\n"
+        ret << a_attacks.map {|a| indent(a.to_s)}.join("\n")
+      end
+      unless b_attacks.empty?
+        ret << "\n#{b_name}:\n"
+        ret << b_attacks.map {|a| indent(a.to_s)}.join("\n")
+      end
+      "#{ret}\n"
+    end
+
+    def attack_bar
+      return null_bar unless verbose?
+      @attack_bar ||= ProgressBar.create(title: "  Attacking".ljust(15),
+                                         total: iterations * attacks.length,
+                                         format: bar_format
+                                        )
+    end
+
+    def benchmark_bar
+      return null_bar unless verbose?
+      @benchmark_bar ||= ProgressBar.create(title: "  Benchmarking".ljust(15),
+                                            total: iterations * 2,
+                                            format: bar_format
+                                           )
+    end
+
+    def bar_format
+      @bar_format ||= "%t (%E) |%B|"
+    end
+
+    def null_bar
+      @null_bar_klass ||= Struct.new('NullProgressBar', :increment)
+      @null_bar ||= @null_bar_klass.new
+    end
+
+    %i(iterations url verbose a_name b_name a_example b_example width method).each do |sym|
+      define_method(sym) { options.fetch sym }
+    end
+    alias_method :verbose?, :verbose
+
+    DEFAULT_OPTIONS = {
+      verbose: true,
+      a_name: "Group A",
+      b_name: "Group B",
+      method: :get,
+      iterations: 5
+    }.freeze
+  end
+end

data/lib/timing_attack/test_case.rb

@@ -0,0 +1,56 @@
+module TimingAttack
+  class TestCase
+    attr_reader :input
+    def initialize(input: , options: {})
+      @input = input
+      @options = options
+      @times = []
+    end
+
+    def test!
+      httparty_opts = {
+        body: {
+          login: input,
+          password: "test" * 1000
+        },
+        timeout: 5
+      }
+      before = Time.now
+      HTTParty.send(options.fetch(:method), options.fetch(:url), httparty_opts)
+      diff = (Time.now - before)
+      times.push(diff)
+    end
+
+    def to_s
+      "#{input.ljust(options.fetch(:width))}~#{sprintf('%.4f', mean_time)}s"
+    end
+
+    def derive_group_from(a_test: , b_test: )
+      unless a_test.is_a?(TestCase) && b_test.is_a?(TestCase)
+        raise ArgumentError.new("a_test and b_test must be TestCases")
+      end
+      d_a = (mean_time - a_test.mean_time).abs
+      d_b = (mean_time - b_test.mean_time).abs
+      @group_a = (d_a < d_b)
+    end
+
+    def group_a
+      raise ArgumentError.new("Have not yet determined group membership") if @group_a.nil?
+      @group_a
+    end
+    alias_method :group_a?, :group_a
+
+    def group_b
+      !group_a
+    end
+    alias_method :group_b?, :group_b
+
+    def mean_time
+      times.reduce(:+) / times.size.to_f
+    end
+
+    private
+
+    attr_reader :times, :options
+  end
+end

data/lib/timing_attack/version.rb

@@ -0,0 +1,3 @@
+module TimingAttack
+  VERSION = "0.1.0"
+end

data/lib/timing_attack.rb

@@ -0,0 +1,8 @@
+require 'httparty'
+require 'ruby-progressbar'
+require "timing_attack/version"
+require "timing_attack/test_case"
+require "timing_attack/attacker"
+
+module TimingAttack
+end

data/timing_attack.gemspec

@@ -0,0 +1,27 @@
+# coding: utf-8
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'timing_attack/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = "timing_attack"
+  spec.version       = TimingAttack::VERSION
+  spec.authors       = ["Forrest Fleming"]
+  spec.email         = ["ffleming@gmail.com"]
+
+  spec.summary       = "Performtiming attacks against web applications"
+  spec.description   = "Profile web applications by noting differences in response times based on input values"
+  spec.homepage      = "https://www.github.com/ffleming/timing_attack"
+
+  spec.files         = `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
+  spec.bindir        = "exe"
+  spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
+  spec.require_paths = ["lib"]
+  spec.licenses      = %q(MIT)
+
+  spec.add_runtime_dependency "ruby-progressbar", "~> 1.8"
+  spec.add_runtime_dependency "httparty", "~> 0.13.3"
+  spec.add_development_dependency "bundler", "~> 1.12"
+  spec.add_development_dependency "rake", "~> 10.0"
+  spec.add_development_dependency "rspec", "~> 3.0"
+end

metadata

@@ -0,0 +1,130 @@
+--- !ruby/object:Gem::Specification
+name: timing_attack
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- Forrest Fleming
+autorequire: 
+bindir: exe
+cert_chain: []
+date: 2016-07-16 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: ruby-progressbar
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.8'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.8'
+- !ruby/object:Gem::Dependency
+  name: httparty
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.13.3
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.13.3
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.12'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.12'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+description: Profile web applications by noting differences in response times based
+  on input values
+email:
+- ffleming@gmail.com
+executables:
+- timing_attack
+extensions: []
+extra_rdoc_files: []
+files:
+- ".gitignore"
+- ".rspec"
+- ".travis.yml"
+- Gemfile
+- README.md
+- Rakefile
+- bin/console
+- bin/setup
+- exe/timing_attack
+- lib/timing_attack.rb
+- lib/timing_attack/attacker.rb
+- lib/timing_attack/test_case.rb
+- lib/timing_attack/version.rb
+- timing_attack.gemspec
+homepage: https://www.github.com/ffleming/timing_attack
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.4.8
+signing_key: 
+specification_version: 4
+summary: Performtiming attacks against web applications
+test_files: []