Remote Timing Attacks On PHP Applications

January 5, 2011 § 1 Comment

An example of the kind of issue addressed here:

At first glance this seems like an impossible task, but in reality it doesn't take much thought to realise how many web applications likely treat existing and non-existing usernames differently during a login attempt. Differing treatment may leak clues about the validity of any username in a few ways:

1. The website might reveal that the username does/does not exist via an error message or more subtle response elements (e.g. slight markup differences).
2. The client might be redirected to different URLs depending on whether the username exists or not.
3. An attacker might measure the response time difference between processing a login with an invalid username versus one with a known valid username.
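The third point above in code, as an added example that is not part of the original post: a PHP login check whose cost depends on whether the username exists, next to a version that pays the same hashing cost on both paths. The `$users` array is a constructed stand-in for a database lookup, and the function and variable names are assumptions.

```php
<?php
// Added example (not from the original post). $users is a constructed
// stand-in for a user table: username => bcrypt hash.
$users = [
    'alice' => password_hash('correct horse battery staple', PASSWORD_BCRYPT),
];

// Leaky: the expensive bcrypt verification only runs when the username
// exists, so a request for an unknown user returns measurably faster.
function loginLeaky(array $users, string $username, string $password): bool
{
    if (!isset($users[$username])) {
        return false;                       // fast path: no hash computed
    }
    return password_verify($password, $users[$username]);
}

// Hardened: always run password_verify, against a dummy hash when the user
// is unknown, so both paths cost roughly the same. The dummy hash must use
// the same algorithm and cost as the real hashes; it is computed once.
function loginConstantCost(array $users, string $username, string $password): bool
{
    static $dummyHash = null;
    if ($dummyHash === null) {
        $dummyHash = password_hash('dummy', PASSWORD_BCRYPT);
    }
    $exists = isset($users[$username]);
    $hash   = $exists ? $users[$username] : $dummyHash;
    $ok     = password_verify($password, $hash);
    return $ok && $exists;                  // never succeed for an unknown user
}

// Average wall-clock time of a callable, in milliseconds per call.
function timeIt(callable $fn, int $rounds = 20): float
{
    $start = hrtime(true);
    for ($i = 0; $i < $rounds; $i++) {
        $fn();
    }
    return (hrtime(true) - $start) / $rounds / 1e6;
}

// Compare a known user with a wrong password against an unknown user.
foreach (['loginLeaky', 'loginConstantCost'] as $fn) {
    $valid   = timeIt(fn() => $fn($users, 'alice', 'wrong'));
    $unknown = timeIt(fn() => $fn($users, 'nobody', 'wrong'));
    printf("%-18s valid user %.2f ms, unknown user %.2f ms\n", $fn, $valid, $unknown);
}
```

Run with PHP 7.4 or later; the leaky version shows a gap of roughly one bcrypt verification between the two users, while the hardened version shows the two timings within noise of each other.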

For more information, visit the original author's blog at http://blog.astrumfutura.com

You are currently reading Remote Timing Attacks On PHP Applications at ARP's Web Blog.