It is possible to enumerate users registered in PwnDoc (tested on 0.5.3 - 2022-07-19 and previous versions) observing the web server response timing.
For example, let's suppose these users were registered on PwnDoc:
By performing a brute force dictionary attack, a defined list of users can be provided via login POST request to detect the server's response time.
All the valid users can be discovered by a potential attacker checking if the response time to the login request is long. For not-existing users we can see a shorter response time.
The attack success depends highly on the stability of the server and the Internet connection between hosts. In any case, in order to apply a remediation, it is advisable to add a timing delay to balance the response timing for each login request.
Let me know if I can help you in any way; once fixed, I would like to get a CVE from mitre.org.
Astaruf changed the title from "Username enumeration via response timing" to "(Vulnerability) Username enumeration via response timing" on Oct 27, 2022.
In the future, I would advise following the newly created security policy, as publicly disclosing a vulnerability with a full proof of concept without contacting the project maintainers, providing a PR with a solution and/or using the GitHub private disclosure feature is not the most responsible way to go about it.
That being said, thank you for caring about the security of PwnDoc.