Static Web Server Basic Authentication Timing-Based Username Enumeration Vulnerability
Vulnerability
A timing-based username enumeration vulnerability has been identified in Static Web Server (SWS) versions 2.1.0 prior to 2.40.1. This vulnerability allows attackers to enumerate valid usernames in Basic Authentication by exploiting the server's response times. SWS checks usernames before passwords, leading to a delay for valid usernames due to the bcrypt hashing process, while invalid usernames receive an immediate 401 response. This discrepancy can be measured and used to identify valid accounts, potentially facilitating targeted brute-force or credential-stuffing attacks.
Impact
Exploitation of this vulnerability allows for timing-based enumeration of usernames, which could be used to identify valid accounts for subsequent brute-force or credential-stuffing attacks.
Reproduction
The vulnerability can be reproduced by sending authentication requests with both valid and invalid usernames. Invalid usernames will receive an immediate 401 response, while valid usernames will experience a delayed response due to the time taken for password verification. This difference in response times can be measured and used to infer the validity of usernames.
Remediation
Users can upgrade to Static Web Server version 2.41.0 or later to address this vulnerability.
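The ordering flaw described in the Vulnerability and Reproduction sections, shown side by side with one way to remove the timing discrepancy: always run the slow hash, against a dummy hash when the username is unknown, and only then reject. This is an added illustration, not SWS code and not necessarily how the 2.41.0 fix was implemented; it assumes a Python stand-in (hashlib.scrypt) for bcrypt, a constructed user store, and a call counter so the difference in work per request can be checked without a stopwatch.

```python
import base64
import hashlib
import hmac
import os

# Stand-in for bcrypt (assumption): any deliberately slow password hash shows the same effect.
def _slow_hash(password: str, salt: bytes) -> bytes:
    return hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)

# Constructed user store: username -> (salt, hash). Real deployments load this from a htpasswd-style file.
_SALT = os.urandom(16)
USERS = {"admin": (_SALT, _slow_hash("correct horse", _SALT))}

# Dummy entry verified against for unknown users. It must use the same cost parameters as real
# entries, otherwise the hardened path leaks through a different hashing time instead.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _slow_hash("no-such-password", _DUMMY_SALT)

HASH_CALLS = {"count": 0}  # instrumentation only: how many slow hashes were computed

def _verify(password: str, salt: bytes, expected: bytes) -> bool:
    HASH_CALLS["count"] += 1
    return hmac.compare_digest(_slow_hash(password, salt), expected)

def parse_basic_auth(header: str):
    """Decode an 'Authorization: Basic base64(user:pass)' value; None if malformed."""
    scheme, _, payload = header.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        user, _, pw = base64.b64decode(payload, validate=True).decode().partition(":")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    return user, pw

def check_vulnerable(header: str) -> bool:
    """Flawed order from the advisory: unknown username returns 401 before any hashing."""
    creds = parse_basic_auth(header)
    if creds is None:
        return False
    user, pw = creds
    if user not in USERS:
        return False  # immediate reply, no slow hash: valid and invalid usernames are distinguishable
    salt, expected = USERS[user]
    return _verify(pw, salt, expected)

def check_hardened(header: str) -> bool:
    """Same cost for every request: hash first, decide afterwards."""
    creds = parse_basic_auth(header)
    if creds is None:
        return False
    user, pw = creds
    salt, expected = USERS.get(user, (_DUMMY_SALT, _DUMMY_HASH))
    ok = _verify(pw, salt, expected)
    return ok and user in USERS  # dummy match for an unknown user is still a failure

def hash_calls_for(check, header: str) -> int:
    """Number of slow-hash computations one request caused under the given checker."""
    before = HASH_CALLS["count"]
    check(header)
    return HASH_CALLS["count"] - before

def basic_header(user: str, pw: str) -> str:
    return "Basic " + base64.b64encode(f"{user}:{pw}".encode()).decode()
```

Under the vulnerable checker an unknown username costs zero hash computations and a known one costs one, which is exactly the measurable gap the advisory describes; the hardened checker costs one in both cases.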
