Time is on your side: username harvesting via timing attacks

Wednesday, 10 Aug 2016 1:00PM EDT (10 Aug 2016 17:00 UTC)
Speaker: Eric Conrad

You are faced with a seemingly well-designed authentication form: it returns the same error for good username/bad password and bad username/bad password, and it also uses a slow hash algorithm such as bcrypt. Username guessing should be impossible, and password cracking impractical. Many penetration testers will move on: what do you do?

This webcast will describe a practical approach for using timing attacks to harvest valid usernames, including a live demo using Burp Suite.

Login to Register

Related Content

Security Awareness, Cybersecurity Leadership, Cloud Security, Open-Source Intelligence (OSINT), Industrial Control Systems Security, Digital Forensics, Incident Response & Threat Hunting, Cybersecurity and IT Essentials, Cyber Defense, Offensive Operations, Pen Testing, and Red Teaming, CyberLive, Workforce Development, Career Development, Why Certify, Imposter Syndrome, NetWars, Mentorship, Job Hunting, Operating System & Device In-Depth, Artificial Intelligence (AI)

A Visual Summary of SANS New2Cyber Summit 2024

Check out these graphic recordings created in real-time throughout the event for SANS New2Cyber Summit 2024

Offensive Operations, Pen Testing, and Red Teaming, Open-Source Intelligence (OSINT), Penetration Testing and Red Teaming

November 16, 2023

A Visual Summary of SANS HackFest Summit

Check out these graphic recordings created in real-time throughout the event for SANS HackFest Summit 2023

Offensive Operations, Pen Testing, and Red Teaming, Penetration Testing and Red Teaming

October 4, 2023

SEC670 Prep Quiz Answers

Answers for the SEC670 Prep Quiz. For more details about the course and the quiz, please clickthrough to see the quiz article.

Jonathan Reiter