github/bettercap
1
0
Fork 0
mirror of https://github.com/bettercap/bettercap synced 2025-07-07 05:22:04 -07:00
Code Issues Projects Releases Packages Wiki Activity Actions

new: disabling api.rest authentication if username or password are empty

Browse source
This commit is contained in:
evilsocket 2018-08-29 16:00:17 +03:00
parent 3b6ea499dd
commit f9656e1d1d
No known key found for this signature in database
GPG key ID: 1564D7F30393A456
2 changed files with 10 additions and 8 deletions
Download patch file Download diff file Expand all files Collapse all files

4
modules/api_rest.go
View file

@ -50,12 +50,12 @@ func NewRestAPI(s *session.Session) *RestAPI {
api.AddParam(session.NewStringParameter("api.rest.username",
"",
".+",
"",
"API authentication username."))
api.AddParam(session.NewStringParameter("api.rest.password",
"",
".+",
"",
"API authentication password."))
api.AddParam(session.NewStringParameter("api.rest.certificate",

14
modules/api_rest_controller.go
View file

@ -43,12 +43,14 @@ func toJSON(w http.ResponseWriter, o interface{}) {
}
func (api *RestAPI) checkAuth(r *http.Request) bool {
user, pass, _ := r.BasicAuth()
// timing attack my ass
if subtle.ConstantTimeCompare([]byte(user), []byte(api.username)) != 1 {
return false
} else if subtle.ConstantTimeCompare([]byte(pass), []byte(api.password)) != 1 {
return false
if api.username != "" && api.password != "" {
user, pass, _ := r.BasicAuth()
// timing attack my ass
if subtle.ConstantTimeCompare([]byte(user), []byte(api.username)) != 1 {
return false
} else if subtle.ConstantTimeCompare([]byte(pass), []byte(api.password)) != 1 {
return false
}
}
return true
}