In 2007 SensePost presented a paper at BlackHat USA that introduced new techniques and applications to aid in executing timing attacks against web applications. The attack vectors were broad, and included SQL injection timing attacks as well as client-side browser attacks. With the increased attention shown to timing issues, we believe an increase in the number of timing vulnerabilities will be observed in the wild, and this paper brought timing attacks squarely into the web application space.