Java Observable Time Discrepancy
Description
Detects observable timing discrepancy vulnerabilities in Spring Java applications where non-constant-time comparison methods are used with user-controlled input. This issue occurs when attackers can measure differences in execution time to infer sensitive information, such as authentication tokens or secrets, potentially leading to information disclosure or authentication bypass.
Detection Strategy
• Check if the spring package is imported or referenced in the Java source code
• Identify calls to non-constant-time comparison methods such as String.equals() or Object.equals()
• Inspect whether these methods are used with user-controlled input
• Determine if the comparison is performed in a way that exposes timing differences
• Report a vulnerability when user-controlled input is compared using non-constant-time methods
Vulnerable code example
private static final String SECRET_TOKEN = "SuperSecretToken123";

@GetMapping("/token/vulnerable")
public String tokenValidation(@RequestHeader("X-API-TOKEN") String token) {
    // Vulnerable: String.equals() stops at the first mismatching character,
    // so execution time varies with how many leading characters match
    if (SECRET_TOKEN.equals(token)) {
        return "Access granted";
    }
    return "Access denied"; // reject everything else
}
Secure code example
private static final String SECRET_TOKEN = "SuperSecretToken123";

@GetMapping("/token/secure")
public String secureTokenValidation(@RequestHeader("X-API-TOKEN") String token) {
    // Safe: MessageDigest.isEqual() visits every byte regardless of where the first
    // mismatch is, so the comparison time does not reveal how much of the token matched.
    // Note: it still returns early when the lengths differ, so the secret's length is not hidden.
    if (MessageDigest.isEqual(
            SECRET_TOKEN.getBytes(),
            token.getBytes())) {
        return "Access granted";
    }
    return "Access denied"; // reject everything else
}
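As an added example (not Fluid Attacks' code or the page's own snippets), the leaking early-exit pattern beside a hand-written constant-time comparison, wrapped in a null-safe check that also hides the secret's length by hashing both values before comparing; the class and method names are assumed.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

// Added example, not Fluid Attacks' code: class and method names are assumed.
public final class TokenCompare {

    // Early-exit comparison, the shape String.equals() follows internally: the loop stops
    // at the first differing byte, so the run time depends on how many leading bytes match.
    // Included only to show the leaking pattern; never use it for secrets.
    static boolean earlyExitEquals(byte[] a, byte[] b) {
        if (a.length != b.length) return false;
        for (int i = 0; i < a.length; i++) {
            if (a[i] != b[i]) return false;
        }
        return true;
    }

    // Constant-time comparison: every byte is visited and the differences are OR-ed into
    // an accumulator, so the run time does not depend on where the first mismatch is.
    static boolean constantTimeEquals(byte[] a, byte[] b) {
        if (a.length != b.length) return false; // length still leaks; tokenMatches() hides it by hashing
        int diff = 0;
        for (int i = 0; i < a.length; i++) {
            diff |= a[i] ^ b[i];
        }
        return diff == 0;
    }

    static byte[] sha256(String s) throws NoSuchAlgorithmException {
        return MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
    }

    // Compares the presented token with the expected one without revealing its length or prefix.
    public static boolean tokenMatches(String expected, String presented) throws NoSuchAlgorithmException {
        if (presented == null) return false; // missing header: reject without touching the secret
        // Hashing both sides gives two 32-byte arrays, so the length check in
        // constantTimeEquals() no longer says anything about the secret's length.
        return constantTimeEquals(sha256(expected), sha256(presented));
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        String secret = "SuperSecretToken123"; // constructed sample, same value as the page's SECRET_TOKEN
        System.out.println(tokenMatches(secret, "SuperSecretToken123"));
        System.out.println(tokenMatches(secret, "SuperSecretToken124"));
        System.out.println(tokenMatches(secret, "x"));
        System.out.println(tokenMatches(secret, null));
    }
}
```

In a Spring handler this replaces the SECRET_TOKEN.equals(token) check; declare the header with required = false if a missing header should reach tokenMatches() instead of producing a 400 before the comparison runs.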