Timing Attacks

A good login system does not disclose whether it is the username or the password that is wrong when a login fails, but sometimes that information leaks through a side-channel. One approach is to monitor how long each request takes to be processed: if the application does additional work (such as hashing the supplied password) only when a valid username is provided, the extra time may be measurable. The implementation of this login form is not the best, so you should be able to see a difference between a correct username and an incorrect one.

There are four valid usernames, all of which can be found in the following two name lists: Boys and Girls.

There are no correct passwords, so the login will always fail; you are only trying to find usernames.
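As an added example (not the challenge's own code), the Python below shows a login check in the leaky shape described above, where an unknown username returns before any password hashing, beside a hardened version that does the same PBKDF2 work whether or not the username exists. The user store, passwords and hashing parameters are constructed for illustration.

```python
import hashlib
import hmac
import os
import time

ITERATIONS = 50_000      # constructed: enough work to make the hash cost visible
HASH_CALLS = 0           # counts how many slow hashes each check performs

def slow_hash(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256; this is the 'extra processing' a timing attack observes."""
    global HASH_CALLS
    HASH_CALLS += 1
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

# Constructed user store: username -> (salt, stored hash). Not real credentials.
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, slow_hash("correct horse", _SALT))}
# Dummy record hashed once at startup so the hardened path always has something to verify.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = slow_hash("placeholder", _DUMMY_SALT)
HASH_CALLS = 0  # reset after setup so tests see only per-login work

def login_leaky(username: str, password: str) -> bool:
    """Vulnerable: returns early for unknown users, so no hash is computed -> faster reply."""
    rec = USERS.get(username)
    if rec is None:
        return False
    salt, stored = rec
    return hmac.compare_digest(slow_hash(password, salt), stored)

def login_hardened(username: str, password: str) -> bool:
    """Fixed: always performs exactly one hash, so valid and unknown usernames cost the same."""
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    matched = hmac.compare_digest(slow_hash(password, salt), stored)
    return matched and username in USERS   # a hit on the dummy record never logs in

def hashes_used(fn, username: str, password: str = "wrong") -> int:
    """Number of slow hashes one login attempt triggers (the observable difference)."""
    global HASH_CALLS
    HASH_CALLS = 0
    fn(username, password)
    return HASH_CALLS

def median_seconds(fn, username: str, runs: int = 5) -> float:
    """Median wall-clock time of fn for a failed login; a defender's self-check."""
    samples = sorted(time.perf_counter() - t0
                     for t0 in (time.perf_counter() for _ in range(runs))
                     if fn(username, "wrong") is not None)
    return samples[len(samples) // 2]

if __name__ == "__main__":
    for fn in (login_leaky, login_hardened):
        print(f"{fn.__name__}: known user {median_seconds(fn, 'alice')*1e3:.1f} ms, "
              f"unknown user {median_seconds(fn, 'nobody')*1e3:.1f} ms")
```

Running the block prints the two timings per implementation; the leaky version answers an unknown username almost instantly, while the hardened one takes roughly the same time either way.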

Clocking In
