Mehran's Boring Blog

daily so-called-technical experiences


I found myself publishing things, which may or may not be taken seriously.

Sunday, 23 March 2014، 03:01 AM


backdoorCTF 2014 - web200 writeup

So, here's the PHP file in charge of authentication: see how line 12 is a conditional, time-consuming statement. That may be (ab)used to launch a side-channel attack: the time a request takes to be processed grows with the length of the matched key prefix.
We may iterate over different characters until we observe a significant (~200ms) increase in response time. That means the character is correct and the prefix is matched, so we can move on to the remaining part.
Let's exploit it then:
Notes in the code:

  • You MUST use keep-alive to reuse the TCP connection across requests, so that the effect of network latency (which can be quite random when TCP handshakes are involved) is minimized
  • I sent multiple requests per guess to avoid random network glitches skewing the outcome
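As an added illustration (not the challenge's PHP file or the writeup's exploit script), here is a Python model of the leaky check beside its constant-time replacement; the key and the 200ms per-character cost are constructed values standing in for the challenge's.

```python
import hmac

# Constructed values for the demonstration; not the challenge's real key.
SECRET_KEY = "s3cr3t_k3y"
PER_CHAR_DELAY_MS = 200   # cost of the conditional sleep per matched character


def leaky_compare(guess: str, key: str = SECRET_KEY) -> tuple[bool, int]:
    """Character-by-character check in the style the writeup describes.
    Returns (authenticated, matched_prefix_length). The loop stops at the
    first mismatch, so the work done depends on how much of the prefix matched."""
    matched = 0
    for g, k in zip(guess, key):
        if g != k:
            break
        matched += 1          # in the vulnerable script, the sleep sits here
    return (matched == len(key) == len(guess)), matched


def modelled_response_ms(guess: str, key: str = SECRET_KEY) -> int:
    """Response time the side channel exposes: one delay per matched prefix char.
    This is what lets a guess be scored without ever seeing the key."""
    _, matched = leaky_compare(guess, key)
    return matched * PER_CHAR_DELAY_MS


def safe_compare(guess: str, key: str = SECRET_KEY) -> bool:
    """Hardened form: hmac.compare_digest takes time independent of where the
    first differing byte is (PHP's hash_equals serves the same purpose).
    Caveat: both still return early on a length mismatch, so the key length
    is the one thing that may remain observable."""
    return hmac.compare_digest(guess.encode(), key.encode())


if __name__ == "__main__":
    for g in ("x", "s3", "s3cr3t_", SECRET_KEY):
        ok, n = leaky_compare(g)
        print(f"{g!r:14} matched={n} ok={ok} "
              f"leaked_ms={modelled_response_ms(g)} safe={safe_compare(g)}")
```

Running it shows the modelled response time stepping up by 200ms for every correct prefix character, which is exactly the signal the writeup measures over keep-alive connections.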
