-
One of the bounty teams is trying a timing attack based on small differences in computation (in this case, the difference between the DB returning 1 or 0 rows, and the subsequent processing delay in t…
-
Description
===========
Some components in librdkafka use `strcmp` to validate a password, signature or key, which is vulnerable to timing attacks that make brute force attacks for such credentials …
-
Unable to login using the `HTTP_PASSWORD_HASH` environment variable after generating a hash using the recommended method here: https://github.com/joeferner/redis-commander#generate-bcrypted-password-…
-
return password == "password" is vulnerable to timing attacks. Something like https://github.com/PeterScott/streql should be used to prevent them.
I can make a PR if you want.
-
The AES implementation should probably be swapped out for a constant-time implementation
Confirmed by one of the authors of the AES code: https://twitter.com/pbarreto/status/532950080761131008
-
return digestHexCache;
}
public boolean digestEquals(byte[] otherDigest) {
return Arrays.equals(digest, otherDigest);
An attacker can guess the secret value of digest b…
-
### Is your feature request related to a problem? Please describe.
In at least the SQL Injection (40018) and OS Command Injection (90020) plugins, there are definitive attack/response detections an…
-
tl;dr - Using a pretty simple scheme, `getStatus` can be modified to be allow auditing by clients, allowing them to detect partitioning or attempts to reveal the final transaction data in a way that t…
-
Replace `===` with `crypto.subtle.timingSafeEqual` in https://github.com/Sh4yy/cloudflare-email/blob/main/src/middlewares/auth.ts#L16 to prevent timing attacks.
Example: https://developers.cloudfla…
-
The Timing Attacks section launches straight in with cryptography as a place where timing attacks are used, possibly leading to the conclusion that cryptography is the _only_ place where timing attack…