Timing attack test for OAuth 1 provider #74

Closed
ib-lundgren opened this issue Nov 16, 2012 · 1 comment

@ib-lundgren
Collaborator

Timing attacks are used to reveal secrets using statistical sampling in large quantities and could in the worst case reveal secret keys.

It would be really awesome to have a test that could be used against OAuthLib's verify_request to ensure it does not introduce variance in execution time between different requests in a way that would allow user enumeration or secret key guessing.

A large bonus if this could easily be imported by developers implementing OAuth providers and run against their setup.

@ib-lundgren
Collaborator Author

This will be more valuable in the OAuth 2 audit test suite I am occasionally working on.
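
One way the timing test requested in this issue could look, as an added example that is not OAuthLib code and not part of the issue: `leaky_verify` and `constant_time_verify` are hypothetical stand-ins for a provider's secret or signature check (not `verify_request` itself), `SECRET` is a constructed value, and `timing_ratio` compares median timings for an early versus a late mismatch.

```python
import hmac
import statistics
import time

# Constructed stand-in for a stored client secret or expected signature.
SECRET = b"s" * 4096


def leaky_verify(candidate: bytes) -> bool:
    """Byte-by-byte compare that returns at the first mismatch (the defect)."""
    if len(candidate) != len(SECRET):
        return False
    for a, b in zip(candidate, SECRET):
        if a != b:
            return False
    return True


def constant_time_verify(candidate: bytes) -> bool:
    """Compare whose running time does not depend on where the inputs differ."""
    return hmac.compare_digest(candidate, SECRET)


def timing_ratio(verify, rounds: int = 300) -> float:
    """Median time of a late mismatch divided by that of an early mismatch.

    A ratio near 1 means the position of the first wrong byte is not visible
    in the timing; a large ratio means the verifier leaks it.
    """
    early = b"x" + SECRET[1:]   # wrong in the first byte
    late = SECRET[:-1] + b"x"   # wrong only in the last byte
    samples = {"early": [], "late": []}
    for _ in range(rounds):
        # Interleave the two classes so clock drift and load hit both equally.
        for name, candidate in (("early", early), ("late", late)):
            start = time.perf_counter_ns()
            verify(candidate)
            samples[name].append(time.perf_counter_ns() - start)
    # max(..., 1) guards against a zero median on coarse clocks.
    return statistics.median(samples["late"]) / max(
        statistics.median(samples["early"]), 1
    )


if __name__ == "__main__":
    for fn in (leaky_verify, constant_time_verify):
        print(f"{fn.__name__}: late/early = {timing_ratio(fn):.1f}")
```

To run it against a real provider, replace the stand-in with a callable that drives the provider's own verification path and pick two request classes that should be indistinguishable, such as an unknown client versus a known client with a bad signature.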
