Research Academy
My account Customers About Blog Careers Legal Contact Resellers

Burp Suite User Forum

Create new post

Request and Response Timings in proxy history and site map

Jackson | Last updated: Oct 11, 2022 07:23PM UTC

OWASP ZAP shows the RTT in the request history which makes it very easy to manually test and spot potential timing based attacks. I know these timings can been tested / seen in the repeater and intruder... but knowing which requests are worth sending to repeater/intruder is the harder part and could be made easier by showing these timings in the proxy history and site map. While total transaction duration is sort of the minimum information required, it would be even better would be to optionally have columns for all of the sub-timings the same way the browser developer tools do. For example, you could have optional columns for each of the phases from the HTTP Archive web performance group (or at least key phases like "TTFB/waiting duration"). https://github.com/w3c/web-performance/ https://www.w3.org/webperf/

Jackson | Last updated: Oct 11, 2022 07:29PM UTC

It should be noted that what OWASP ZAP calls "RTT" is really "the length of time the whole request took" (https://www.zaproxy.org/docs/desktop/ui/tabs/history/#:~:text=The%20length%20of%20time%20the%20whole%20request%20took) as opposed to the actual ping latency. This is usually good enough but *also* being able to see the TTFB would be better because that is the phase where the effect of most timing attacks is actually observed.

Hannah, PortSwigger Agent | Last updated: Oct 12, 2022 02:29PM UTC

Thanks for the feedback! We've added your +1 to our ongoing feature requests to implement this behavior. This will help us prioritize this work in the future.

You must be an existing, logged-in customer to reply to a thread. Please email us for additional support.