Time is on your side: username harvesting via timing attacks

  • Webcast Aired Wednesday, 10 Aug 2016 1:00PM EDT (10 Aug 2016 17:00 UTC)
  • Speaker: Eric Conrad

You are faced with a seemingly well-designed authentication form: it returns the same error for good username/bad password and bad username/bad password, and it also uses a slow hash algorithm such as bcrypt. Username guessing should be impossible, and password cracking impractical. Many penetration testers will move on: what do you do?

This webcast will describe a practical approach for using timing attacks to harvest valid usernames, including a live demo using Burp Suite.