RubyGems - timing_attack - Versions diffs - 0.5.0 → 0.5.1 - Mend

timing_attack 0.5.0 → 0.5.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 5287eec2e908eee5eb488df3f54f34331db4657e
-  data.tar.gz: 411d19b42241bd668205812445bae18139bb8292
+  metadata.gz: 3fd67bcf5ff8a36acd3bbaeada7e307985a07b3b
+  data.tar.gz: b9f7fdce31779f1e273adaa8d471af631b25d54f
 SHA512:
-  metadata.gz: 494cc10f5f13d3fc1057c8b697cfa5ab3a66f1982f08d8178105729ec0c3feb672510408a53c426ad719197d1cbc2d81f79b5420cda67ae2bdb54818540d6470
-  data.tar.gz: d89c6979cb2cb61cd73bafaec6d5d5e0304a87e65e09ceec332dd0623d49e2384d22ba80fa81f6ff5912bd26f0abc0e9c7caad727ad6a70cf7a8dfd7940b0964
+  metadata.gz: 4d44502e88a51e759503ac98b9ab318330cdfa27cd2d163789c83c5f062b430688c80b7f0d0fcb72fe0499cf01f76ce606d522b6d3ff6dfc01fb6c10ba0f2b09
+  data.tar.gz: 2fb6deeb33595604a0447efa4d95818638ccaefab25fdc58d241ca9708015c976299333e08c46d4a4ac78033629250d0f566126f3f46a376a69e6825d77ebd39

data/README.md CHANGED Viewed

@@ -17,15 +17,17 @@ If you need a known-vulnerable application for testing and/or development, see
 ```
 timing_attack [options] -u <target> <inputs>
-    -u, --url URL                    URL of endpoint to profile
+    -u, --url URL                    URL of endpoint to profile.  'INPUT' will be replaced with the attack string
     -n, --number NUM                 Requests per input (default: 50)
     -c, --concurrency NUM            Number of concurrent requests (default: 15)
     -t, --threshold NUM              Minimum threshold, in seconds, for meaningfulness (default: 0.025)
     -p, --post                       Use POST, not GET
     -q, --quiet                      Quiet mode (don't display progress bars)
-        --brute_force                Brute force mode
+    -b, --brute-force                Brute force mode
         --parameters STR             JSON hash of parameters.  'INPUT' will be replaced with the attack string
         --body STR                   JSON of body paramets to be sent to Typhoeus.  'INPUT' will be replaced with the attack string
+        --http-username STR          HTTP basic authentication username.  'INPUT' will be replaced with the attack string
+        --http-password STR          HTTP basic authentication password.  'INPUT' will be replaced with the attack string
         --percentile NUM             Use NUMth percentile for calculations (default: 3)
         --mean                       Use mean for calculations
         --median                     Use median for calculations
@@ -75,11 +77,23 @@ attack due to an early return in string comparison.  We can attack it with
 ```bash
 timing_attack -u http://localhost:3000/timing/string_comparison \
               --parameters '{"password":"INPUT"}' \
-              --brute_force
+              --brute-force
 ```
 This will attempt a brute-force timing attack against against the `password`
 parameter.
+### Specifying inputs
+The URL itself (`--url`), URL parameters (`--parameters`), and the HTTP body
+(`--body`) can all contain the string `INPUT`.  `INPUT` will be replaced with
+the current attack string, whether it is specified on the command line (as in
+enumeration mode), or generated by timing_attack (as in brute force mode).
+To perform a timing attack against HTTP basic authentication, `--http-username`
+and `--http-password` can be specified.  `INPUT` will be replaced with the
+current attack string as above.
+The `--parameters` and `--body` options must be specified in JSON format.
 ## How it works
 The various inputs are each thrown at the endpoint `--number` times.  The

data/exe/timing_attack CHANGED Viewed

@@ -19,7 +19,9 @@ class TimingAttackCli
     @opt_parser ||= OptionParser.new do |opts|
       opts.program_name = File.basename(__FILE__)
       opts.banner = "#{opts.program_name} [options] -u <target> <inputs>"
-      opts.on("-u URL", "--url URL", "URL of endpoint to profile") { |str| options[:url] = str }
+      opts.on("-u URL", "--url URL", "URL of endpoint to profile.  'INPUT' will be replaced with the attack string") do |str|
+        options[:url] = str
+      end
       opts.on("-n NUM", "--number NUM", "Requests per input (default: 50)") do |num|
         options[:iterations] = num.to_i
       end

data/lib/timing_attack/version.rb CHANGED Viewed

@@ -1,3 +1,3 @@
 module TimingAttack
-  VERSION = "0.5.0"
+  VERSION = "0.5.1"
 end

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: timing_attack
 version: !ruby/object:Gem::Version
-  version: 0.5.0
+  version: 0.5.1
 platform: ruby
 authors:
 - Forrest Fleming