The frequent and highly dynamic client-server communication that is characteristic of modern web applications leaves them vulnerable to side-channel leaks where an adversary can learn about the state of the application and visitor's choices, even over encrypted connections.
We have developed a black-box tool for detecting side-channel vulnerabilities by analyzing network traffic over repeated crawls of a web application. Our tool quantifies the severity of side-channel leaks in a web application, and gives web application developers a measure of the risk of information leakage against different types of adversaries.
A key innovation of the approach is developing better metrics for measuring the risk associated with a side-channel vulnerability. Our metric, based on the Fisher criterion, provides better insight into how well an attacker could distinguish states in the web application based on collected traces than traditional entropy-based metrics.
Peter Chapman and David Evans. Automated Black-Box Detection of Side-Channel Vulnerabilities in Web Applications. In 18th ACM Conference on Computer and Communications Security (CCS 2011), Chicago, IL. 17-21 October 2011. [PDF, 12 pages]