Bypassing WAFs and Reverse Proxies with Single-Packet Timing Attacks

TLDR: Traditional web timing attacks are often unreliable due to network jitter and server-side noise, but James Kettle’s new "single-packet attack" methodology solves this by leveraging HTTP/2 concurrency. By sending multiple requests within a single TCP packet, researchers can now perform high-precision parameter discovery and bypass WAFs that previously blocked timing-based probes. This technique is a game-changer for finding hidden attack surfaces and exploiting internal services that were previously considered unreachable.

Timing attacks have long been the "black sheep" of web security research. They are theoretically powerful, capable of extracting sensitive data or mapping internal network topologies, but in practice, they are often dismissed as too noisy or unreliable for real-world engagements. Most pentesters have spent years watching their carefully crafted timing payloads get swallowed by the unpredictable latency of modern cloud infrastructure. However, the landscape of side-channel analysis just shifted. By moving away from standard HTTP/1.1 request-response cycles and embracing the concurrency features of HTTP/2, we can now effectively silence the noise that has historically rendered these attacks useless.

The Death of Network Jitter

The fundamental problem with traditional timing attacks is the signal-to-noise ratio. When you measure the time it takes for a server to respond to a request, you are measuring a composite of network latency, server processing time, and the overhead of the underlying protocol stack. Network jitter—the variance in packet arrival times—is the primary enemy. If your target's response time fluctuates by 50ms due to network congestion, you cannot reliably detect a 5ms processing delay caused by a specific database query or a conditional branch in your code.

The research presented at DEF CON 2024 introduces a "single-packet attack" (SPA) that effectively eliminates network jitter. By utilizing HTTP/2’s ability to multiplex multiple requests over a single connection, an attacker can bundle requests into a single TCP packet. Because these requests arrive at the server simultaneously, they are processed by the same thread pool or event loop under identical network conditions. This synchronization allows for microsecond-level precision, turning previously "impossible" timing differences into clear, actionable data.

Practical Exploitation: From Discovery to Bypass

This methodology is not just a theoretical exercise; it is a practical toolkit for modern web assessments. The most immediate application is parameter discovery. Many applications have hidden endpoints or debug parameters that are only accessible if you know the exact key. Using Param Miner, a researcher can now brute-force these parameters with unprecedented speed and accuracy. Because the SPA technique is so precise, you no longer need to send thousands of requests to get a statistically significant result. A handful of requests is often enough to confirm the existence of a parameter that changes the server's execution path.

Beyond discovery, this technique is lethal against OWASP A05:2021 – Security Misconfiguration. Many reverse proxies and WAFs are configured to block requests that look like standard injection attempts. However, these security layers often fail to account for timing side-channels. By using the SPA technique, you can probe for SQL Injection or other server-side vulnerabilities by observing how the server handles specific payloads, even if the WAF is actively stripping or modifying the request body.

Implementing the Single-Packet Attack

To get started, you need to look at the Turbo Intruder extension for Burp Suite. The core of the attack involves disabling TCP_NODELAY and carefully crafting your request frames. The goal is to withhold the final byte of your request body, sending a ping frame to keep the connection alive, and then releasing the final bytes of all requests simultaneously.

# Conceptual snippet for a single-packet timing probe
def queueRequests(target, wordlists):
    engine = RequestEngine(endpoint=target.endpoint, concurrentConnections=1)
    
    # Withhold the final byte to force the server to wait
    # Send the ping frame to synchronize the execution
    engine.queue(target.req, gate='race')
    
    # Release the gate to trigger simultaneous processing
    engine.openGate('race')

This approach forces the server to process the requests in a way that minimizes the impact of internal server-side noise, such as caching or thread scheduling. If you are testing a target that uses a reverse proxy, you can also use this to perform "scoped-SSRF." By guessing internal hostnames and observing the timing of the proxy's response, you can map out internal staging environments or admin consoles that are not exposed to the public internet.

Defensive Considerations

Defending against these attacks requires a shift in how we think about server-side performance. If your application’s response time is a side-channel, then the only way to secure it is to ensure that all code paths take the same amount of time to execute, regardless of the input. This is notoriously difficult to implement correctly.

A more practical defense is to introduce artificial, randomized delays into your application’s response logic. By adding a small, non-deterministic sleep interval to your sensitive endpoints, you can inject enough noise to make high-precision timing attacks statistically impossible. Additionally, ensure that your reverse proxies and WAFs are not leaking information through error messages or connection resets that vary based on the request content.

The era of ignoring timing attacks because they are "too difficult" is over. With tools like Turbo Intruder and the SPA methodology, the barrier to entry has been lowered significantly. Whether you are hunting for bugs in a private program or conducting a formal penetration test, these techniques provide a new lens through which to view the target. Start by auditing your own applications for timing leaks, and then apply these methods to your next engagement. The whispers are there; you just need to learn how to listen.