It is possible to enumerate users registered in PwnDoc (tested on 0.5.3 - 2022-07-19 and previous versions) by observing the web server's response timing.
For example, let's suppose these users were registered on PwnDoc:
By performing a brute-force dictionary attack, a list of candidate usernames can be submitted through the login POST request while measuring the server's response time for each one.
A potential attacker can discover all valid users by checking whether the response to the login request takes long; for non-existent users the response time is noticeably shorter.
The success of the attack depends highly on the stability of the server and of the Internet connection between the hosts. In any case, as a remediation it is advisable to add a timing delay so that the response time is balanced for every login request.