+2 votes
Hello,

all the bola-x verifiers have no noticeable difference in timing for the /authenticate endpoint between sending an existing username and a non-existing username, regardless of sending a wrong password, not sending a password, etc...

The script I wrote calling the endpoints and aggregating the timings multiple times shows only minimal differences and even these are different in every run. From these numbers, I cannot conclude which verifier is the answer to the question.

Could you maybe clarify what we should do for solving the task?

Thanks.

Best,
Moritz
in ex11 by (180 points)
edit history
0
+1
Tried everything with the hinted endpoint, result inconclusive. If you are able to find the difference from your end, then could you help with an additional hint?

Thanks!

2 Answers

+1 vote
Best answer
We also validated this on our end and could not produce the intended timing difference. The subtask is likely not solvable, so we will exclude it from the total grade.
ago by (2.2k points)
selected ago by
edit history
0 votes
If the question is about the profit margin of the shop. I solved it. It took me alot of tries and time and was solved via bruno. One hint i can give is that u need a apecific token with spefic bola-number. U cannot use a normal token for bola based urls. That was the breakthrough for me. I am also sure that bola-1 token will not work for bola-2. Or something like that.
ago by (140 points)
edit history