A timing attack with CSS selectors and Javascript

added by JavaScript Kicks
10/8/2018 6:27:47 AM

477 Views

Have you ever encountered a website that runs jQuery(location.hash)? Seemingly pretty harmless, right? location.hash always starts with a "#" so all this code does is execute a CSS query selector. It turns out that's enough to perform a timing attack that can extract almost any secret string from the HTML.


0 comments