bjh7242/httptimer
httptimer

Execute Timing Attacks on Web Applications

Prerequisites

Python requests module

$ pip install requests

How To Run

To view the required arguments, run the script with the -h flag:

$ python httptimer.py -h

The following options must be specified:

  • Target URL
  • Number of requests to send per guess
  • The message the page displays after a failed login
  • The username to log in with
  • The character set to use
  • The names of the username and password input fields in the HTML login form (the POST parameters; these default to 'username' and 'password', so they only need to be set when the form uses different names)

Additionally, a known correct password can be supplied with --poc-password. The timing attack then runs until every character matches the known password; if a character does not match, the test restarts from the first character.

To determine the correct parameter names for the request and the exact error message shown for invalid credentials, view the source of the login page you are targeting, then view the source of the page that displays the error message.

Sample Execution

$ python httptimer.py --url http://localhost:3000/login -n 2000 -F 'Invalid username/password combination' -u test --poc-password 'abc'
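The defensive counterpart to the attack this tool automates, added here as an example and not part of httptimer: a login check whose work does not depend on how many leading characters of a guess are correct. The salt, the stored account ('test' with password 'abc', matching the sample run above), the iteration count and all function names are constructed for this example.

```python
import hashlib
import hmac
from typing import Dict, Tuple

# Work factor for PBKDF2; an illustrative value chosen for this example.
ITERATIONS = 100_000

# Constructed, fixed salt so the example is deterministic; a real system
# generates a random salt per user with os.urandom(16).
SALT = bytes.fromhex("00112233445566778899aabbccddeeff")


def derive(password: str, salt: bytes) -> bytes:
    """Stretch a password into a fixed-length digest (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def naive_equal(a: bytes, b: bytes) -> Tuple[bool, int]:
    """Early-exit comparison, the pattern a timing attack exploits.

    Returns (equal, bytes_examined). The second value makes the
    data-dependent work visible without measuring wall-clock time:
    the more leading bytes match, the more work is done before returning.
    """
    if len(a) != len(b):
        return False, 0
    examined = 0
    for x, y in zip(a, b):
        examined += 1
        if x != y:
            return False, examined
    return True, examined


# Constructed user store: one account, username "test", password "abc".
USERS: Dict[str, bytes] = {"test": derive("abc", SALT)}

# Digest compared against when the username is unknown, so that a missing
# user costs the same as a wrong password (no user enumeration via timing).
DUMMY_DIGEST = derive("placeholder-for-unknown-users", SALT)


def verify_login(username: str, password: str) -> bool:
    """Constant-time credential check.

    Two properties remove the per-character leak:
    1. the candidate is hashed first, so the comparison runs over a digest
       the client cannot control byte by byte;
    2. hmac.compare_digest examines every byte regardless of mismatches.
    """
    stored = USERS.get(username, DUMMY_DIGEST)
    candidate = derive(password, SALT)  # always done, even for unknown users
    matched = hmac.compare_digest(candidate, stored)
    return matched and username in USERS


def prefix_leak(secret: str, guesses) -> Dict[str, int]:
    """Bytes examined by naive_equal for each guess against a plaintext secret,
    i.e. the signal that exists when passwords are compared unhashed."""
    return {g: naive_equal(secret.encode(), g.encode())[1] for g in guesses}


if __name__ == "__main__":
    # Early-exit compare on plaintext: work grows with the correct prefix.
    print(prefix_leak("abc", ["xxx", "axx", "abx", "abc"]))  # {'xxx': 1, 'axx': 2, 'abx': 3, 'abc': 3}
    print(verify_login("test", "abc"), verify_login("test", "abd"), verify_login("nobody", "abc"))
```

Hashing the candidate first already breaks the character-by-character approach, because the client cannot choose digest prefixes; hmac.compare_digest closes the residual leak on the digest comparison itself, and the dummy-digest path keeps an unknown username from responding faster than a wrong password.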
