potential to brute force basic auth credentials #37
Labels: bug
till added a commit to hostwithquantum/auth-gateway that referenced this issue (Apr 26, 2024)

till added a commit to hostwithquantum/auth-gateway that referenced this issue (Apr 26, 2024):
Related: cortexproject#37
Signed-off-by: till <till@php.net>

till added a commit to hostwithquantum/auth-gateway that referenced this issue (Apr 26, 2024):
Related: cortexproject#37
Signed-off-by: till <till@php.net>
friedrichg added a commit that referenced this issue (Jun 9, 2024):
* Fix(auth): use crypto/subtle to compare strings
  Related: #37
  Signed-off-by: till <till@php.net>
* Remove empty line
---------
Signed-off-by: till <till@php.net>
Co-authored-by: Friedrich Gonzalez <1517449+friedrichg@users.noreply.github.com>
@friedrichg Okay to close?
friedrichg added a commit that referenced this issue (Jun 10, 2024):
* Fix(auth): use crypto/subtle to compare strings
  Related: #37
  Signed-off-by: till <till@php.net>
* Update(gateway): support passthrough
  For: #36
  Signed-off-by: till <till@php.net>
* Update gateway/middleware.go
---------
Signed-off-by: till <till@php.net>
Co-authored-by: Friedrich Gonzalez <1517449+friedrichg@users.noreply.github.com>
(I'm not a professional pentester or security researcher.)

I think the basic authentication credentials in auth-gateway have the potential to be leaked/brute-forced with timing attacks.

The mitigation is to use a []byte() and e.g. ConstantTimeCompare to not disclose the time it took to compare the two inputs.
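An added example (not code from auth-gateway or from the issue author) showing, in Go, the early-exit string comparison the issue describes beside the crypto/subtle comparison that the referenced fix commits adopt. The credential values and the base64 header are constructed for this example; a real gateway loads its credentials from configuration.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"fmt"
	"strings"
)

// Constructed credentials for the example only.
const (
	expectedUser = "admin"
	expectedPass = "s3cret-example"
)

// checkVariableTime is the pattern the issue reports: == returns at the
// first differing byte, so response time reveals how much of a guess matched.
func checkVariableTime(user, pass string) bool {
	return user == expectedUser && pass == expectedPass
}

// checkConstantTime is the fix: hash both sides so the compared slices always
// have equal length, then let crypto/subtle inspect every byte regardless
// of where the first mismatch is.
func checkConstantTime(user, pass string) bool {
	uGot, uWant := sha256.Sum256([]byte(user)), sha256.Sum256([]byte(expectedUser))
	pGot, pWant := sha256.Sum256([]byte(pass)), sha256.Sum256([]byte(expectedPass))
	userOK := subtle.ConstantTimeCompare(uGot[:], uWant[:])
	passOK := subtle.ConstantTimeCompare(pGot[:], pWant[:])
	// Bitwise AND, not &&, so the password compare runs even when the user is wrong.
	return userOK&passOK == 1
}

// authorize is what a middleware would call per request: it decodes the
// Authorization header value and checks the credentials in constant time.
func authorize(header string) bool {
	const prefix = "Basic "
	if len(header) < len(prefix) || !strings.EqualFold(header[:len(prefix)], prefix) {
		return false
	}
	raw, err := base64.StdEncoding.DecodeString(header[len(prefix):])
	if err != nil {
		return false
	}
	user, pass, ok := strings.Cut(string(raw), ":")
	return ok && checkConstantTime(user, pass)
}

func main() { fmt.Println(authorize("Basic YWRtaW46czNjcmV0LWV4YW1wbGU=")) }
```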