Mehran's Boring Blog

daily so-called-technical experiences

I found myself publishing things, which may or may not be taken seriously.

1 post tagged with the keyword «writeup»

So, here's the PHP file in charge of authentication:

See how line 12 is a time-consuming statement that executes conditionally. That can be (ab)used to mount a side-channel attack: the time a request takes to be processed grows with the length of the key prefix that matched.
We can iterate over candidate characters until we observe a significant (~200ms) increase in response time. That means the prefix up to that character is matched, and we can move on to the remaining part.
Let's exploit it then:
Notes in the code:

  • You MUST use keep-alive to reuse the TCP connection across requests, so that the effect of network latency (which can be fairly random when a TCP handshake is involved) is minimized
  • I sent multiple requests per candidate to average out random network glitches that would otherwise mess up the outcome
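As an added defender-side illustration (Python written for this page, not the challenge's PHP, which is not reproduced above), the following models the leak: an early-exit comparison whose work grows with the matched prefix, next to a constant-time comparison that does the same work for every guess. The key is a constructed sample value; in PHP the corresponding fix is `hash_equals()`.

```python
import hmac

# Constructed sample key; the challenge's real key is not on the page.
SECRET_KEY = "s3cr3t-k3y"


def leaky_compare(secret: str, guess: str) -> tuple[bool, int]:
    """Character-by-character compare that stops at the first mismatch.

    Returns (matched, work), where `work` is the number of characters
    examined. In the vulnerable PHP the per-character cost was a delay, so
    `work` stands in for response time: it grows with the length of the
    correctly guessed prefix and thereby leaks the key one character at a time.
    """
    if len(secret) != len(guess):
        return False, 0
    work = 0
    for a, b in zip(secret, guess):
        work += 1
        if a != b:
            return False, work
    return True, work


def constant_time_compare(secret: str, guess: str) -> tuple[bool, int]:
    """Compare that examines every character, wherever the mismatches are.

    Mismatch bits are OR-ed into an accumulator instead of branching, so
    `work` is identical for every equal-length guess. hmac.compare_digest
    (or PHP's hash_equals) is the library form of the same idea and is what
    real code should call; the loop is spelled out here to show the property.
    """
    if len(secret) != len(guess):
        # Length still leaks; compare fixed-length digests in practice.
        return False, 0
    diff = 0
    work = 0
    for a, b in zip(secret.encode(), guess.encode()):
        work += 1
        diff |= a ^ b
    assert (diff == 0) == hmac.compare_digest(secret.encode(), guess.encode())
    return diff == 0, work


def leaks_prefix_length(compare, secret: str, guesses: list[str]) -> bool:
    """Regression check for a fix: a compare is safe only if its work is the
    same for every wrong guess, however long the matching prefix happens to be."""
    work = {compare(secret, g)[1] for g in guesses if len(g) == len(secret)}
    return len(work) > 1
```

Running `leaks_prefix_length` with a few wrong guesses of different matching prefix length reports the leaky compare as leaking and the constant-time one as clean.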
0 comments · 0 Uppers · 0 Downers · 23 March 14, 03:01
Mehran