Password comparison timing attack tester

Project description

penterepTools

PTPASSTIME - Password Timing Attack Tester

ptpasstime tests whether a login endpoint compares passwords in constant time. If response time grows with the number of matching prefix characters, the endpoint is vulnerable to timing attacks.

How it works

Non-constant-time comparison (password == input) stops at the first mismatch:

Attempt       Example password    Response time
all_wrong     XXXXXXXXXXXXXXXX    fastest
first_wrong   XorrectPassword     medium
last_wrong    correctPassworX     slowest

The tool sends each attempt -n times and uses the median response time. If first_wrong or last_wrong exceeds all_wrong by a configurable threshold, the endpoint is reported as vulnerable.

Optional --brute-force mode recovers the password character-by-character by picking the candidate with the longest median response time at each position.
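The detection logic described above, as an added example that is not part of the ptpasstime code: it derives the three probes from a reference password, contrasts the early-exit comparison with hmac.compare_digest (the fix used by the test server's safe endpoint), and applies the median-plus-threshold rule to constructed timing samples. It assumes a probe is flagged only when its median exceeds the all_wrong median by both the relative and the absolute threshold; the README does not state how the two thresholds combine.

```python
import hmac
from statistics import median

def early_exit_compare(stored: str, supplied: str) -> bool:
    """Vulnerable pattern: returns at the first mismatching character,
    so the elapsed time grows with the length of the matching prefix."""
    if len(stored) != len(supplied):
        return False
    for a, b in zip(stored, supplied):
        if a != b:
            return False  # later characters are never examined
    return True

def constant_time_compare(stored: str, supplied: str) -> bool:
    """Hardened pattern: time depends on length only, not on content."""
    return hmac.compare_digest(stored.encode(), supplied.encode())

def build_attempts(reference: str, wrong_char: str = "X") -> dict:
    """The three probes from the README table, derived from -p / --wrong-char."""
    return {
        "all_wrong": wrong_char * len(reference),
        "first_wrong": wrong_char + reference[1:],
        "last_wrong": reference[:-1] + wrong_char,
    }

def is_vulnerable(samples_ms: dict, threshold_percent: float = 15.0,
                  threshold_ms: float = 1.0) -> tuple:
    """samples_ms maps attempt name -> list of response times (ms) from -n repeats.
    A probe is flagged when its median exceeds the all_wrong median by both
    thresholds (assumption, see lead-in). Returns (verdict, per-probe flags)."""
    base = median(samples_ms["all_wrong"])
    flags = {}
    for name in ("first_wrong", "last_wrong"):
        delta = median(samples_ms[name]) - base
        flags[name] = delta >= threshold_ms and delta >= base * threshold_percent / 100
    return any(flags.values()), flags

# Constructed samples (ms), five repeats per probe: last_wrong is ~3 ms slower.
VULNERABLE_SAMPLES_MS = {
    "all_wrong":   [10.2, 9.8, 10.5, 10.0, 9.9],
    "first_wrong": [10.1, 10.3, 9.7, 10.4, 10.0],
    "last_wrong":  [12.9, 13.4, 12.6, 13.1, 13.0],
}
# Constructed samples from a constant-time endpoint: all medians equal.
SAFE_SAMPLES_MS = {
    "all_wrong":   [10.0, 10.2, 9.9, 10.1, 10.0],
    "first_wrong": [10.1, 9.8, 10.0, 10.3, 9.9],
    "last_wrong":  [10.2, 9.9, 10.1, 10.0, 9.8],
}

if __name__ == "__main__":
    print(build_attempts("correctPassword"))
    print("vulnerable:", is_vulnerable(VULNERABLE_SAMPLES_MS))
    print("safe:", is_vulnerable(SAFE_SAMPLES_MS))
```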

Installation

pip install ptpasstime

Test server

A vulnerable Flask app is included for local testing:

pip install -r test_server/requirements.txt
python test_server/vulnerable_app.py

Endpoints:

  • POST /login/vulnerable — early-exit comparison (vulnerable)
  • POST /login/secure — hmac.compare_digest (safe)

Default credentials: admin / correctPassword

Usage examples

Detection mode:

ptpasstime -u http://127.0.0.1:5000/login/vulnerable \
  -d 'username=admin&password=INJECT' -p correctPassword -n 15

Brute-force recovery:

ptpasstime -u http://127.0.0.1:5000/login/vulnerable \
  -d 'username=admin&password=INJECT' -p correctPassword --brute-force -n 5

Raw request file:

ptpasstime -f login.txt -p correctPassword -n 10

Options

-u  --url                 <url>            Login endpoint URL
-d  --data                <post-data>      POST body with INJECT placeholder
-f  --request-file        <file|base64>    Raw HTTP request (alternative to -d)
-p  --password            <password>       Reference password (length + validation)
-n  --repeat              <n>              Repetitions per attempt (default 10)
    --brute-force                          Character-by-character recovery mode
    --placeholder         <text>           Password placeholder (default INJECT)
    --threshold-percent   <pct>            Relative threshold % (default 15)
    --threshold-ms        <ms>             Absolute threshold in ms (default 1)
    --charset             <chars>          Charset for brute-force mode
    --wrong-char          <char>           Padding character (default X)
    --proxy               <proxy>          Proxy (e.g. http://127.0.0.1:8080)
-T  --timeout                              Request timeout (default 10)
-c  --cookie              <cookie>         Cookie header
-a  --user-agent          <a>              User-Agent header
-H  --headers             <header:value>   Custom headers
-r  --redirects                            Follow redirects
-j  --json                                 JSON output
-v  --version                              Show version
-h  --help                                 Show help

Dependencies

ptlibs

License

Copyright (c) 2026 Penterep Security s.r.o.

ptpasstime is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

Warning

You are only allowed to run the tool against websites you have permission to test. Penterep is not responsible for any illegal or malicious use of this code. Be ethical!

Download files

Source Distribution: ptpasstime-0.0.2.tar.gz (23.6 kB)

Built Distribution: ptpasstime-0.0.2-py3-none-any.whl (23.2 kB, Python 3)