5
28%
develop: 28%

Ran 06 Oct 2017 11:08AM UTC

Files 20

Run time 0s

Badge

Embed ▾

Committed 06 Oct 2017 11:02AM UTC coverage: 93.923% (+0.009%) from 93.914%

Job # REQUIREMENTS=lowest

Build Type

push

travis-ci

Committed by Jiri Kuncar

Commit Message

Fix timing attack on login form

As detailed in #357 the time it takes to process a login request is
considerably less if the user specified doesn't exist than if the
password is incorrect. This can be used as a user enumeration attack,
even if the login error messages were customized to avoid this.

I fixed it by increasing the response time of a non-existing user
request by hashing the given password anyway (if using good
password hashing algorithm this is what takes a relatively
large amount of time and makes the attack possibly).

closes #357

Run Details

1360 of 1448 relevant lines covered (93.92%)

0.94 hits per line

mattupstate / flask-security / 874 / 5
28%
develop: 28%

README BADGES
x

Markdown

Textile

RDoc

HTML

Rst

Source Files on job 874.5 (REQUIREMENTS=lowest)

mattupstate / flask-security / 874 / 5 28% develop: 28%

README BADGES x

Markdown

Textile

RDoc

HTML

Rst

Source Files on job 874.5 (REQUIREMENTS=lowest)

mattupstate / flask-security / 874 / 5
28%
develop: 28%

README BADGES
x