homepage
Open menu
Talk with an expert

Time is on your side: username harvesting via timing attacks

  • Wednesday, 10 Aug 2016 1:00PM EDT (10 Aug 2016 17:00 UTC)
  • Speaker: Eric Conrad

You are faced with a seemingly well-designed authentication form: it returns the same error for good username/bad password and bad username/bad password, and it also uses a slow hash algorithm such as bcrypt. Username guessing should be impossible, and password cracking impractical. Many penetration testers will move on: what do you do?

This webcast will describe a practical approach for using timing attacks to harvest valid usernames, including a live demo using Burp Suite.

Login to Register

Related Content

Blog
HackFest_blog_image.png
Offensive Operations, Pen Testing, and Red Teaming, Open-Source Intelligence (OSINT), Penetration Testing and Red Teaming
A Visual Summary of SANS HackFest Summit
Check out these graphic recordings created in real-time throughout the event for SANS HackFest Summit 2023
370x370-person-placeholder.png
Alison Kim
read more
Blog
Offensive Operations, Pen Testing, and Red Teaming, Penetration Testing and Red Teaming
SEC670 Prep Quiz Answers
Answers for the SEC670 Prep Quiz. For more details about the course and the quiz, please clickthrough to see the quiz article.
370x370_jonathan-reiter.jpg
Jonathan Reiter
read more
Blog
Offensive Operations, Pen Testing, and Red Teaming, Penetration Testing and Red Teaming
Take The Prerequisite SEC670 Quiz
This ten question quiz will help you in determining if you are ready to take SEC670.
370x370_jonathan-reiter.jpg
Jonathan Reiter
read more