6
28%
develop: 28%

Ran 06 Oct 2017 11:09AM UTC

Files 20

Run time 0s

Badge

Embed ▾

Committed 06 Oct 2017 11:02AM UTC coverage: 93.646% (+0.008%) from 93.638%

Job # REQUIREMENTS=release

Build Type

push

travis-ci

Committed by Jiri Kuncar

Commit Message

Fix timing attack on login form

As detailed in #357 the time it takes to process a login request is
considerably less if the user specified doesn't exist than if the
password is incorrect. This can be used as a user enumeration attack,
even if the login error messages were customized to avoid this.

I fixed it by increasing the response time of a non-existing user
request by hashing the given password anyway (if using good
password hashing algorithm this is what takes a relatively
large amount of time and makes the attack possibly).

closes #357

Run Details

1356 of 1448 relevant lines covered (93.65%)

0.94 hits per line

mattupstate / flask-security / 874 / 6
28%
develop: 28%

README BADGES
x

Markdown

Textile

RDoc

HTML

Rst

Source Files on job 874.6 (REQUIREMENTS=release)

mattupstate / flask-security / 874 / 6 28% develop: 28%

README BADGES x

Markdown

Textile

RDoc

HTML

Rst

Source Files on job 874.6 (REQUIREMENTS=release)

mattupstate / flask-security / 874 / 6
28%
develop: 28%

README BADGES
x