[{"_1":2,"_28":-5,"_29":-5},"loaderData",{"_3":4},"routes/challenges.$slug",{"_5":6},"challenge",{"_7":8,"_9":10,"_11":12,"_13":14,"_15":16,"_17":18,"_19":20,"_21":22,"_23":24,"_25":26},"slug","sidesign","name","SideSign","category","Web Security","description","SCENARIO A file download service that gates access behind a signature check. The flag is sitting at /flag , and the only thing standing between you and it is producing the correct signature. No source code is given. Figure out how the verification works and find a way to recover the signature. Flag format: flag{} Infrastructure - Docker Container — HTTP on port 5000 Provided Files - None (BlackBox Challenge)","descriptionHtml","

SCENARIO

A file download service that gates access behind a signature check. The flag is sitting at /flag
, and the only thing standing between you and it is producing the correct signature.

No source code is given. Figure out how the verification works and find a way to recover the signature.

Flag format: flag{}

Infrastructure

- Docker Container — HTTP on port 5000

Provided Files

- None (BlackBox Challenge)

","labDetails","Prerequisites & Requirements Basic familiarity with web applications and how query parameters are used in HTTP requests Basic understanding of HMAC and SHA256 and what a valid signature looks like Understanding of why constant-time comparisons matter in cryptographic implementations Basic understanding of timing attacks and how response time can leak information What will you learn? How non-constant-time string comparisons leak information through measurable timing differences How to recover a secret value byte by byte using statistical timing analysis How to build an exploit script that automates timing measurements and averages out noise to identify correct candidates Why cryptographic comparisons must be constant-time and what real-world impact a missing safeguard can have Tools Python for writing and running the timing attack script against the target endpoint Burp Suite for observing response times and inspecting requests during manual testing","labDetailsHtml","

Prerequisites & Requirements

Basic familiarity with web applications and how query parameters are used in HTTP requests
Basic understanding of HMAC and SHA256 and what a valid signature looks like
Understanding of why constant-time comparisons matter in cryptographic implementations
Basic understanding of timing attacks and how response time can leak information

What will you learn?

How non-constant-time string comparisons leak information through measurable timing differences
How to recover a secret value byte by byte using statistical timing analysis
How to build an exploit script that automates timing measurements and averages out noise to identify correct candidates
Why cryptographic comparisons must be constant-time and what real-world impact a missing safeguard can have

Tools

Python for writing and running the timing attack script against the target endpoint
Burp Suite for observing response times and inspecting requests during manual testing

","level","Medium","tags",[],"jobPositions",[27],"Penetration Tester","actionData","errors"]

SideSign

Overview

SCENARIO

Infrastructure

Provided Files

Job Positions

Tags