[
https://issues.apache.org/jira/browse/OAK-7506?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16487024#comment-16487024
]
Alex Deparvu commented on OAK-7506:
-----------------------------------
proposed patch
https://github.com/apache/jackrabbit-oak/compare/trunk...stillalex:user-enumeration-timing-attack
Current state (for 100 consecutive logins) puts a non-existing user at 20%
duration, so the attack is pretty easy to see:
- existing user 140 ms vs non-existing 30 ms
Proposed patch brings the 2 numbers pretty close (for some, non-existing is even
slower than existing):
- existing user 155 ms vs non-existing 134 ms
> Prevent user enumeration by exploiting time delay vulnerability
> ---------------------------------------------------------------
>
> Key: OAK-7506
> URL: https://issues.apache.org/jira/browse/OAK-7506
> Project: Jackrabbit Oak
> Issue Type: Improvement
> Components: security
> Reporter: Alex Deparvu
> Assignee: Alex Deparvu
> Priority: Minor
> Fix For: 1.10
>
>
> Pasting here the improvement request: "If the server response is different
> for existing and not existing usernames, the attacker is able to enumerate
> valid usernames with guessing attacks. He is thereby able to focus his
> password guessing attacks to the existing accounts."
> The fix for this particular issue seems trivial, at the cost of making the
> login operation slower in the case the user doesn't actually exist.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
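The measurement Alex describes above (an unknown user failing much faster than a known user with a wrong password) can be reproduced with a small standalone script. This is an added example and not the Oak patch linked in the comment, whose contents this page does not show; it assumes a constructed in-memory user store with PBKDF2 password hashes and applies the generic mitigation of always running the password hash, against a fixed dummy credential when the user is unknown, so that both branches do the same work. The names `login_vulnerable`, `login_hardened` and `timing_ratio` are hypothetical.

```python
"""Timing side-channel on login: unknown users fail fast, known users fail slow."""
import hashlib
import hmac
import os
import statistics
import time

# Constructed sample store (not Oak's): username -> (salt, PBKDF2-SHA256 hash).
ITERATIONS = 10_000


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_store(users: dict) -> dict:
    store = {}
    for name, pw in users.items():
        salt = os.urandom(16)
        store[name] = (salt, _hash(pw, salt))
    return store


USERS = make_store({"admin": "correct horse", "alice": "battery staple"})

# Dummy credential verified on the unknown-user path (assumption: this is one
# common mitigation, not necessarily what the Oak patch does). Its password is
# never accepted because the result is ANDed with "user exists" below.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash("dummy", _DUMMY_SALT)


def login_vulnerable(store: dict, user: str, password: str) -> bool:
    """Returns early for an unknown user, so no hash is computed: a timing oracle."""
    entry = store.get(user)
    if entry is None:
        return False
    salt, expected = entry
    return hmac.compare_digest(_hash(password, salt), expected)


def login_hardened(store: dict, user: str, password: str) -> bool:
    """Always computes the hash; unknown users are checked against the dummy."""
    entry = store.get(user)
    if entry is None:
        salt, expected, known = _DUMMY_SALT, _DUMMY_HASH, False
    else:
        (salt, expected), known = entry, True
    match = hmac.compare_digest(_hash(password, salt), expected)
    # "known" is evaluated after the hash, so a guess of "dummy" for a
    # non-existent user still fails without skipping the expensive work.
    return known and match


def median_ms(fn, store: dict, user: str, password: str, rounds: int = 20) -> float:
    samples = []
    for _ in range(rounds):
        t0 = time.perf_counter()
        fn(store, user, password)
        samples.append((time.perf_counter() - t0) * 1000.0)
    return statistics.median(samples)


def timing_ratio(fn, store: dict, rounds: int = 20) -> float:
    """Median failed-login time for a non-existing user over that for an existing one."""
    known = median_ms(fn, store, "admin", "wrong password", rounds)
    unknown = median_ms(fn, store, "nobody", "wrong password", rounds)
    return unknown / known


if __name__ == "__main__":
    for name, fn in (("vulnerable", login_vulnerable), ("hardened", login_hardened)):
        print(f"{name}: non-existing/existing time ratio = {timing_ratio(fn, USERS):.2f}")
```

The vulnerable variant yields a ratio far below 1 (a dictionary lookup versus a full PBKDF2 run), while the hardened variant sits near 1. Note that the user lookup itself still costs different amounts in the two branches, which is the residual gap visible in the 155 ms versus 134 ms figures above; a database-backed lookup can widen it again, so the measurement should be repeated against the real store rather than assumed fixed.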