Tags: rsa oaep timing-attack oracle
- [Manger's attack](https://www.iacr.org/archive/crypto2001/21390229.pdf) on RSA OAEP decryption oracle.
- Use timings to distinguish ciphertexts (path traversal bug in the label parameter lets us choose a large label which makes timing differences more obvious). It helps to use a machine in the same datacenter as the server.
- Most of the heavy lifting is already done: https://github.com/kudelskisecurity/go-manger-attack
> It helps to use a machine in the same datacenter as the server.
One can also leverage the X-Response-Time header added by the "response-time" express middleware to get a more precise timer: