Overview
Explore practical web timing attacks in this 43-minute conference talk from DEF CON 32 that reveals how to exploit timing oracles hidden within websites. Discover novel attack concepts for extracting server secrets, including masked misconfigurations, blind data-structure injection, and hidden routes to restricted areas. Learn how recent advances have made these attacks both accurate and efficient, enabling reliable detection of sub-millisecond differentials in just ten seconds without special configurations. Gain hands-on experience with battle-tested open-source tools for both automated exploitation and custom attack scripting, and participate in a CTF challenge to practice these new skills. Master a refined methodology for transforming theoretical attack concepts into practical exploits, developed through extensive testing across thousands of websites. Understand how to harness this powerful and often overlooked side-channel for effective security testing.
Syllabus
DEF CON 32 - Listen to the Whispers: Web Timing Attacks that Actually Work - James Kettle
Taught by
DEFCONConference