Remote Timing Attacks On PHP Applications
January 5, 2011
An example of the issues the post addresses:
At first glance, discovering which usernames exist on a site looks like an impossible task, but it does not take much thought to realise how many web applications treat existing and non-existing usernames differently during a login attempt. That differing treatment can reveal whether any given username is valid in several ways:
1. The website might reveal that the username does/does not exist via an error message or more subtle response elements (e.g. slight markup differences).
2. The client might be redirected to different URLs depending on whether the username exists or not.
3. An attacker might measure the difference in response time between a login attempt with an invalid username and one with a known valid username. Applications commonly only compute the (deliberately slow) password hash when the username exists, so a request for an unknown user returns measurably faster.
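The third point, as an added example that is not code from the original post: a minimal PHP login check that returns early for unknown usernames, beside a version that always runs `password_verify()` (against a dummy hash when the user does not exist) so both paths pay the same hashing cost. The user table, passwords and `time_login` harness are constructed here for illustration.

```php
<?php
// Added example (not from the original post). Shows why an early return on an
// unknown username leaks its non-existence through timing, and one fix.

// Constructed user table; the hash is generated at runtime so the script runs stand-alone.
$users = [
    'alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT),
];

// Vulnerable: unknown usernames skip the slow password_verify() entirely, so a
// failed login for "alice" takes visibly longer than one for "nosuchuser".
function login_vulnerable(array $users, string $username, string $password): bool
{
    if (!isset($users[$username])) {
        return false;                       // fast path: no hash computed
    }
    return password_verify($password, $users[$username]);
}

// Hardened: always run password_verify(), against a dummy hash when the user
// does not exist. The dummy must use the same algorithm and cost as real hashes
// so the two branches take the same time.
$dummyHash = password_hash('dummy-password-never-accepted', PASSWORD_DEFAULT);

function login_hardened(array $users, string $username, string $password, string $dummyHash): bool
{
    $exists = isset($users[$username]);
    $hash   = $exists ? $users[$username] : $dummyHash;
    $ok     = password_verify($password, $hash);
    return $exists && $ok;                  // the dummy hash can never log anyone in
}

// Crude local timing harness: median wall-clock time of $n attempts, in ms.
function time_login(callable $attempt, int $n = 20): float
{
    $samples = [];
    for ($i = 0; $i < $n; $i++) {
        $start = hrtime(true);
        $attempt();
        $samples[] = (hrtime(true) - $start) / 1e6;
    }
    sort($samples);
    return $samples[intdiv($n, 2)];
}

foreach (['alice', 'nosuchuser'] as $u) {
    printf("vulnerable %-12s %.2f ms\n", $u,
        time_login(fn() => login_vulnerable($users, $u, 'wrong-password')));
}
foreach (['alice', 'nosuchuser'] as $u) {
    printf("hardened   %-12s %.2f ms\n", $u,
        time_login(fn() => login_hardened($users, $u, 'wrong-password', $dummyHash)));
}
```

Run with `php timing.php` (PHP 7.4 or later for arrow functions and `hrtime()`). The vulnerable variant shows a gap on the order of the bcrypt cost for the unknown user; the hardened variant brings the two within noise of each other. Note that this only equalises the hashing step: if the user lookup itself is a database query whose cost depends on whether a row matches, that difference remains and needs the same treatment.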
For the full post, see the original author's blog: http://blog.astrumfutura.com