Application Penetration Testing

X-Runtime Header Timing Attacks

The X-Runtime HTTP response header is used to provide the time (in seconds) an application takes to process each request. This behavior can be exploited in harvesting attacks where the value can be used to confirm whether a piece of information such as a username is valid or not.

Exploitation Example

During a penetration test an engineer notices that a login page takes approximately 400ms longer to process login failures for valid usernames than for invalid usernames. The following shows a login request with a known valid username and an invalid password:

POST /api/v1/login HTTP/1.1
[..]

username=admin&password=test

HTTP/1.1 200 OK
X-Runtime: 0.615905

The same request is then made with an invalid username:

POST /api/v1/login HTTP/1.1
[..]

username=admin937380&password=test

HTTP/1.1 200 OK
X-Runtime: 0.203115

The X-Runtime value for the valid username is consistently higher than for usernames which are known to be invalid. The engineer believes that the application first checks whether the username exists and, if so, validates the password with a slow hashing function such as bcrypt. If the username does not exist, no password hash is computed and the application returns immediately. This workflow creates an observable difference between the X-Runtime values of valid versus invalid usernames.
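The two login flows described above, as an added Ruby example that is not part of the original article: a vulnerable version that skips the password hash for unknown usernames, beside a hardened version that always performs the hashing work. PBKDF2-HMAC from Ruby's standard OpenSSL library is assumed as a stand-in for bcrypt, the user store and salt are constructed sample data, and each function returns how many hash computations it performed so the code paths can be compared without relying on wall-clock timing.

```ruby
require 'openssl'

# Constructed sample data: a slow password hash (PBKDF2 standing in for bcrypt)
# and a single valid account, matching the usernames used in the article.
SALT = 'constructed-salt'.freeze
ITERATIONS = 20_000

def slow_hash(password)
  OpenSSL::KDF.pbkdf2_hmac(password, salt: SALT, iterations: ITERATIONS,
                           length: 32, hash: 'sha256')
end

USERS = { 'admin' => slow_hash('correct horse battery staple') }.freeze

# Digest compared against when the username does not exist, so that the same
# hashing work is done for unknown accounts as for known ones.
DUMMY_HASH = slow_hash('dummy-password').freeze

# Byte-wise comparison whose running time does not depend on where the inputs
# first differ.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Vulnerable flow: an unknown username returns before any hashing is done,
# so X-Runtime (or any other timing signal) reveals which usernames exist.
# Returns [authenticated?, number_of_hash_computations].
def vulnerable_login(username, password)
  stored = USERS[username]
  return [false, 0] if stored.nil?
  [constant_time_equal?(slow_hash(password), stored), 1]
end

# Hardened flow: the expensive hash is always computed and compared, against
# the real digest or the dummy one, so both branches cost the same.
def hardened_login(username, password)
  stored = USERS[username]
  candidate = slow_hash(password)
  match = constant_time_equal?(candidate, stored || DUMMY_HASH)
  [!stored.nil? && match, 1]
end

if __FILE__ == $PROGRAM_NAME
  %w[admin admin937380].each do |user|
    puts "vulnerable #{user}: #{vulnerable_login(user, 'test').inspect}"
    puts "hardened   #{user}: #{hardened_login(user, 'test').inspect}"
  end
end
```

Removing the header only hides the measurement; equalising the work done on both branches, as in the hardened flow, removes the underlying timing difference as well.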

Remediation

It is recommended that the X-Runtime header be removed from pages which may be susceptible to harvesting attacks. The X-Runtime header most commonly originates in Rails applications, where it is added by the Rack::Runtime middleware.

Method 1 (recommended)

The header can be unset from Rack with an initializer file containing the following:

Rails.application.config.middleware.delete(Rack::Runtime)

Method 2

For environments where Rails config files cannot be modified, the web server may be used to remove this header from responses instead. For Apache systems the following steps strip the header from responses.

First enable mod_headers:

$ sudo a2enmod headers

Then add the following directive to the server or virtual host configuration to unset the X-Runtime header:

Header unset X-Runtime