Created
July 22, 2015 11:15
-
-
Save Addvilz/aebef1637cf8d3da8b70 to your computer and use it in GitHub Desktop.
Exploiting auth system without feedback to determine username presence
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| var inputUsername | |
| var inputPassword | |
| user = retrieve from storage with matching inputUsername | |
| if user not exists | |
| return 'No matching user' | |
| if user.password not match hash(inputPassword) | |
| return 'No matching user' | |
| How is this exploitable (rude example): | |
| existing user: 2 sec (db read 0.5 sec + hash algo 1.5 sec) | |
| nonexisting user: 0.5 sec (db read 0.5 sec) | |
| if response takes 0.5 sec | |
| user does not exist | |
| if response takes 2 sec | |
| user does exist, try guess password |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment