In order to do that, they started from the CRIME premise that knowing a compressed payload -- in this case an HTTP response -- is smaller than another one is enough to guess the characters that make up the targeted information.
However, in order to determine this the attacker doesn't need to actually know the response sizes, Be'ery said. They can simply compare the time it takes for different responses to reach the user's browser. Smaller responses will travel faster.
The Imperva researchers dubbed the new attack TIME, which stands for "Timing Info-leak Made Easy," and will present it on Thursday at the Black Hat Europe 2013 security conference in Amsterdam.
In order to account for any network interference that could skew the timing, the researchers developed a statistical analysis algorithm that requires the same server response to be received multiple times.
Depending on the case, this can be five times, 10 times, 20 times or more, Be'ery said. This means that the TIME attack is easier to execute than CRIME, because it doesn't require network eavesdropping, but is slower because it requires a larger number of requests to be sent.
In their presentation at Black Hat Europe the researchers will also discuss possible mitigation techniques for the attack. Those include implementing cross-site request forgery (CSRF) protection, making sure the Web application doesn't accept unknown parameters or deploying anti-automation measures that would detect and block an unusually large number of requests from the same user.
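The three mitigations listed above can be sketched as a single server-side request gate. This is an added example, not code from the Imperva researchers or their presentation; the `/search` endpoint, its parameter names, the thresholds and the `RequestGate` class are assumptions made for illustration.

```python
import hmac
from collections import defaultdict, deque

# Assumed policy values for illustration; tune them to the application.
ALLOWED_PARAMS = {"/search": {"q", "page"}}  # hypothetical endpoint and parameters
MAX_REQUESTS = 20        # requests allowed per user inside WINDOW_SECONDS
WINDOW_SECONDS = 10.0

class RequestGate:
    """Applies the mitigations in order: CSRF token, parameter allow-list, rate check."""

    def __init__(self):
        self._history = defaultdict(deque)  # user id -> timestamps of recent requests

    def check(self, user, path, params, csrf_sent, csrf_expected, now):
        # 1. CSRF protection: a cross-site page cannot supply the per-session token.
        if not hmac.compare_digest(csrf_sent, csrf_expected):
            return "reject: bad CSRF token"
        # 2. Unknown parameters: refuse anything the endpoint does not declare.
        unknown = set(params) - ALLOWED_PARAMS.get(path, set())
        if unknown:
            return "reject: unknown parameter " + ", ".join(sorted(unknown))
        # 3. Anti-automation: sliding window over this user's request times.
        recent = self._history[user]
        while recent and now - recent[0] >= WINDOW_SECONDS:
            recent.popleft()
        recent.append(now)
        if len(recent) > MAX_REQUESTS:
            return "reject: too many requests"
        return "allow"

def demo():
    """Runs constructed sample requests through the gate and returns the verdicts."""
    gate = RequestGate()
    token = "constructed-session-token"  # constructed sample value
    results = [
        gate.check("alice", "/search", {"q": "x"}, token, token, 0.0),
        gate.check("alice", "/search", {"q": "x"}, "wrong", token, 0.1),
        gate.check("alice", "/search", {"q": "x", "guess": "a"}, token, token, 0.2),
    ]
    # A burst of identical requests from one user, 10 ms apart.
    burst = [gate.check("bob", "/search", {"q": "x"}, token, token, i * 0.01)
             for i in range(25)]
    results.append(burst.count("reject: too many requests"))
    return results

if __name__ == "__main__":
    print(demo())
```

Because the attack needs the same response many times over, the rate check is the control that sees it most directly; the window and threshold here are placeholders to be set against normal traffic for the endpoint.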