potential to brute force basic auth credentials #37
Labels
bug
Something isn't working
Comments
till
added a commit
to hostwithquantum/auth-gateway
that referenced
this issue
Apr 26, 2024
till
added a commit
to hostwithquantum/auth-gateway
that referenced
this issue
Apr 26, 2024
Related: cortexproject#37 Signed-off-by: till <till@php.net>
till
added a commit
to hostwithquantum/auth-gateway
that referenced
this issue
Apr 26, 2024
Related: cortexproject#37 Signed-off-by: till <till@php.net>
friedrichg
added a commit
that referenced
this issue
Jun 9, 2024
* Fix(auth): use crypto/subtle to compare strings Related: #37 Signed-off-by: till <till@php.net> * Remove empty line --------- Signed-off-by: till <till@php.net> Co-authored-by: Friedrich Gonzalez <1517449+friedrichg@users.noreply.github.com>
|
@friedrichg Okay to close? |
friedrichg
added a commit
that referenced
this issue
Jun 10, 2024
* Fix(auth): use crypto/subtle to compare strings Related: #37 Signed-off-by: till <till@php.net> * Update(gateway): support passthrough For: #36 Signed-off-by: till <till@php.net> * Update gateway/middleware.go --------- Signed-off-by: till <till@php.net> Co-authored-by: Friedrich Gonzalez <1517449+friedrichg@users.noreply.github.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
(I'm not a professional pentester or security researcher.)
I think the basic authentication credentials in auth-gateway have the potential to be leaked/brute forced with timing attacks.
The mitigation is to use a
[]byte()and e.g. ConstantTimeCompare to not disclose the time it took to compare the two inputs.The text was updated successfully, but these errors were encountered: