<!DOCTYPE html>
<html>
<head>
<title>Timing Attacks</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link rel="shortcut icon" type="image/png" href="/public/img/favicon.ico">
<link href="/public/css/authlab.css" rel="stylesheet" type="text/css" />
<meta property="og:title" content="Authentication Lab - DigiNinja" />
<meta property="og:description" content="A set of authentication challenges covering a range of different technologies." />
<meta property="og:image" content="https://digi.ninja/graphics/twittercards/authlab_twittercard.png" />
<meta property="og:type" content="website" />
<meta property="og:sitename" content="DigiNinja" />
<meta name="twitter:card" content="summary" />
<meta name="twitter:title" content="Authentication Lab - DigiNinja" />
<meta name="twitter:description" content="A set of authentication challenges covering a range of different technologies." />
<meta name="twitter:site" content="@digininja" />
<meta name="twitter:creator" content="@digininja" />
<meta name="twitter:domain" content="authlab.digi.ninja" />
<meta name="twitter:image" content="https://digi.ninja/graphics/twittercards/authlab_twittercard.png" />
</head>
<body>
<h1>Timing Attacks</h1>
<p>
A good login system does not disclose whether it is the username or the password that is wrong when a login fails, but sometimes the information is leaked through a side-channel. One approach is to monitor the time taken for the request to be processed: if the application does additional processing when a valid username is provided, the extra time taken may be noticeable. The implementation of this login form is not the best, so you should be able to see a difference between a correct username and an incorrect one.
</p>
<p>
There are four valid usernames, all of which can be found in the following name list - <a href="/public/wordlists/usernames.txt">Usernames</a>.
</p>
<p>
<strong>There are no correct passwords and the login will always fail; you are only trying to find usernames.</strong>
</p>
<p>
If you get stuck, or want more information, see my <a href="https://digi.ninja/projects/authlab.php#landtimingattacks">walkthrough</a>.
</p>
<h2>Clocking In</h2>
<form method="post" action="/Timing_Login">
<label for="username">Username</label>
<input type="text" id="username" name="username" value="" autofocus /><br />
<label for="password">Password</label>
<input type="password" id="password" name="password" value="" /><br />
<input type="submit" value="Login" />
</form>
<p>
<a href="/">Back to home</a>
</p>
<hr />
<p>
Lab created by Robin Wood - <a href="https://digi.ninja">DigiNinja</a>
</p>
</body>
</html>
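An added example, not the lab's own code: the kind of server-side login logic that produces the timing difference described above, next to a version that does the same work for valid and invalid usernames. The user store, the account name, the iteration count and all function names are constructed assumptions, and the expensive step is counted rather than timed so the result is deterministic.

```python
import hashlib
import hmac
import os

KDF_ITERATIONS = 50_000  # constructed value, kept low so the example runs quickly
kdf_calls = 0            # counts the expensive step so the leak shows without a stopwatch


def slow_hash(password, salt):
    """Deliberately expensive password hash (PBKDF2-HMAC-SHA256)."""
    global kdf_calls
    kdf_calls += 1
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ITERATIONS)


def make_record(password):
    salt = os.urandom(16)
    return salt, slow_hash(password, salt)


# Constructed user store; the account name and password are made up for this example.
USERS = {"alice": make_record("correct horse")}
# Record for a user that does not exist, so unknown usernames cost the same as known ones.
DUMMY_RECORD = make_record(os.urandom(16).hex())


def login_leaky(username, password):
    """Returns early for unknown users, so only valid usernames pay for the hash."""
    record = USERS.get(username)
    if record is None:
        return False
    salt, stored = record
    return slow_hash(password, salt) == stored


def login_uniform(username, password):
    """Always performs one hash and one constant-time compare, whoever the user is."""
    record = USERS.get(username)
    salt, stored = record if record is not None else DUMMY_RECORD
    matches = hmac.compare_digest(slow_hash(password, salt), stored)
    return matches and record is not None


def kdf_cost(login, username):
    """Number of expensive hashes one failed login attempt triggers."""
    before = kdf_calls
    login(username, "wrong password")
    return kdf_calls - before
```

`kdf_cost(login_leaky, ...)` differs between a known and an unknown username, while `kdf_cost(login_uniform, ...)` is the same for both, which is the property a login handler needs to avoid leaking valid usernames through response time.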
