
Hey Java folks,

today I want to explain a possible flaw in your webapp. The technique itself is independent of any specific framework. It's a more general pattern by which an attacker can get a list of the users in your database.
One more thing before I start: it has to do with too much code optimization.

### Ok, let's start
Imagine you have a login form with username and password. If someone hits the login button, you do a lookup on the username. If the database query returns a result, you normally hash the password the user entered and compare it to the hash stored in your database (given that you hash passwords, which you SHOULD do!).

### So where is the flaw now?
What happens if you don't find a user? As a good programmer, you wouldn't hash the entered password, because it makes no sense when the user was not found. BUT THIS is the problem. Because you skip the hashing, the response to the client comes back much faster, and so the client knows that the user does not exist. What an attacker can do now is brute force your login form with random usernames and nonsense passwords and record the response times. Wherever the response time peaks, the attacker knows that the username exists. BAM!

### How can we solve it?
In such scenarios I basically always hash the password first and then do the database lookup with the username and the hashed password together. The request costs the same whether or not the user exists, and this way I also don't need an extra check that the password hashes match.
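Here is an added example (my own, not code from the post) of the two login paths side by side. It uses a slightly different fix than the lookup described above: the password is always hashed, against a dummy credential when the username is unknown, and the stored hash is compared with `MessageDigest.isEqual`. The in-memory user table, the PBKDF2 parameters and the `DUMMY` credential are assumptions standing in for a real database.

```java
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.Map;

public class LoginTimingDemo {
    private static final int ITERATIONS = 100_000;
    // Constructed in-memory user table (username -> {salt, hash}) standing in for the database.
    private static final Map<String, byte[][]> USERS = new HashMap<>();
    // Dummy credential hashed once at startup: used for unknown usernames so the hashing work
    // is done on every request (assumption: a real app would keep one such value as well).
    private static final byte[][] DUMMY = newCredential("not-a-real-password");
    static { USERS.put("alice", newCredential("correct horse battery staple")); }
    static byte[][] newCredential(String password) {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        return new byte[][] { salt, pbkdf2(password, salt) };
    }
    static byte[] pbkdf2(String password, byte[] salt) {
        try {
            PBEKeySpec spec = new PBEKeySpec(password.toCharArray(), salt, ITERATIONS, 256);
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }
    // Leaky version: no hashing when the user is missing, so that reply returns much faster.
    static boolean loginLeaky(String user, String password) {
        byte[][] stored = USERS.get(user);
        if (stored == null) return false;
        return MessageDigest.isEqual(stored[1], pbkdf2(password, stored[0]));
    }
    // Hardened version: always hash (against DUMMY when the user is missing) and compare
    // with MessageDigest.isEqual, which does not exit early on the first differing byte.
    static boolean loginConstantWork(String user, String password) {
        byte[][] stored = USERS.get(user);
        byte[][] target = stored != null ? stored : DUMMY;
        boolean match = MessageDigest.isEqual(target[1], pbkdf2(password, target[0]));
        return stored != null && match;
    }
    public static void main(String[] args) {
        for (String u : new String[] { "alice", "bob" }) {   // alice exists, bob does not
            long t0 = System.nanoTime(); loginLeaky(u, "wrong");
            System.out.printf("%-6s leaky=%.1f ms", u, (System.nanoTime() - t0) / 1e6);
            t0 = System.nanoTime(); loginConstantWork(u, "wrong");
            System.out.printf("  fixed=%.1f ms%n", (System.nanoTime() - t0) / 1e6);
        }
    }
}
```

Run it and the leaky path for `bob` finishes in a fraction of the time `alice` takes, while the hardened path takes roughly the same time for both.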

**Problem solved!**

What do you think about it? Have you encountered something similar? Drop a line!

so long,
w0mbat

Daniel Sachse