I'm trying to recreate a Timing Attack with Node.js for training purposes.
I think I'm doing something wrong, because I was expecting other results.
I've created a simple and basic Node app:
```javascript
const express = require('express');
const app = express();
const PORT = 3000;

app.get('/', (req, res) => {
  const password = 'cbfa'
  const input = req.query.input
  console.log(password, input)
  setTimeout(() => {
    res.set('Connection', 'close')
    if(password === input) {
      res.send('ok')
    } else {
      res.send('no')
    }
  }, 3000)
})

app.listen(PORT, (error) =>{
  if(!error)
    console.log('App is listening on port ' + PORT)
  else
    console.log('Error occurred', error)
  }
)
```
When hitting http://localhost:3001/, it looks for an `input` parameter and compares it with the `password`, in this case 'cbfa'.

I've also created a `curl-format.txt` that shows the URL being called and the total time:

```
url: %{url}\n
time_total: %{time_total}\n
--------------------------------------------\n
```

and a `urls.txt` that contains the URLs to be called:

```
url = "http://localhost:3000?input=aaaa"
url = "http://localhost:3000?input=bbbb"
url = "http://localhost:3000?input=cccc"
url = "http://localhost:3000?input=dddd"
```

With the app running, I run this:

```
curl --parallel --parallel-max 4 --config urls.txt -v -o /dev/null -s -w "@curl-format.txt"
```

Since the password is 'cbfa', I was expecting the URL with `?input=cccc` to take more time than the others, but this is the result:
```
url: http://localhost:3000?input=aaaa
time_total: 3.036737
--------------------------------------------
url: http://localhost:3000?input=bbbb
time_total: 3.055791
--------------------------------------------
url: http://localhost:3000?input=cccc
time_total: 3.056294
--------------------------------------------
url: http://localhost:3000?input=dddd
time_total: 3.070444
--------------------------------------------
```
What am I missing? What am I doing wrong?
Many thanks
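
An added example, not part of the original post: a hand-written early-exit comparison makes the data-dependent work visible as a step count for the four inputs in `urls.txt`, next to a hardened comparison built on Node's `crypto.timingSafeEqual`. The names `leakyEqual`, `safeEqual` and `medianNs` are hypothetical, and it is an assumption that the early-exit loop stands in for the comparison being timed; one extra character comparison costs far less than the roughly 30 ms spread between the curl results above.

```javascript
const { createHash, timingSafeEqual } = require('crypto');

const PASSWORD = 'cbfa'; // same value as in the post

// Early-exit comparison written out by hand so the data-dependent work is
// visible: `steps` is the number of characters examined before returning.
function leakyEqual(secret, input) {
  let steps = 0;
  if (typeof input !== 'string' || input.length !== secret.length) {
    return { equal: false, steps };
  }
  for (let i = 0; i < secret.length; i++) {
    steps++;
    if (secret[i] !== input[i]) return { equal: false, steps };
  }
  return { equal: true, steps };
}

// Hardened form: hash both sides to a fixed 32 bytes, then compare with
// crypto.timingSafeEqual, which does not stop at the first differing byte.
function safeEqual(secret, input) {
  if (typeof input !== 'string') return false; // missing or repeated parameter
  const a = createHash('sha256').update(secret).digest();
  const b = createHash('sha256').update(input).digest();
  return timingSafeEqual(a, b);
}

// Median cost of fn() in nanoseconds; a single sample is dominated by noise.
function medianNs(fn, runs = 2001) {
  const samples = [];
  for (let i = 0; i < runs; i++) {
    const t0 = process.hrtime.bigint();
    fn();
    samples.push(Number(process.hrtime.bigint() - t0));
  }
  samples.sort((x, y) => x - y);
  return samples[runs >> 1];
}

// The four inputs from urls.txt: only 'cccc' gets past the first character.
for (const input of ['aaaa', 'bbbb', 'cccc', 'dddd']) {
  const { steps } = leakyEqual(PASSWORD, input);
  const ns = medianNs(() => leakyEqual(PASSWORD, input));
  console.log(input, 'steps:', steps, 'median ns:', ns,
    'safeEqual:', safeEqual(PASSWORD, input));
}
```

In the route handler from the post, `safeEqual(password, input)` would take the place of `password === input`.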