
Description

An attacker may infer sensitive information by observing differences in response times, exposing internal data such as tokens, credentials, or validation states.

Impact

- Infer tokens, passwords, hashes, or API keys character by character.
- Determine whether a user, token, or resource exists in the system.
- Optimize brute-force attacks by significantly reducing the search space.
- Bypass authentication or authorization mechanisms.

Recommendation

- Use constant-time comparisons for sensitive data (e.g., MessageDigest.isEqual in Java).
- Avoid error messages or behaviors that vary depending on the point of failure.
- Introduce uniform response times whenever possible.
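As an added example (not part of this entry), the early-exit comparison that leaks the position of the first mismatch, alongside a constant-time version built on Python's hmac.compare_digest, the counterpart of Java's MessageDigest.isEqual; the function names and the token value are illustrative:

```python
import hashlib
import hmac


def insecure_equals(expected: str, provided: str) -> bool:
    """Early-exit comparison (the vulnerable pattern).

    The loop stops at the first differing byte, so the time taken grows
    with the length of the correct prefix, and the length check itself
    reveals whether the submitted value has the right length.
    """
    if len(expected) != len(provided):
        return False
    for a, b in zip(expected.encode(), provided.encode()):
        if a != b:
            return False
    return True


def constant_time_equals(expected: str, provided: str) -> bool:
    """Hardened comparison.

    Both values are reduced to fixed-length SHA-256 digests first, so the
    comparison always operates on inputs of equal length and neither the
    submitted length nor the position of a mismatch changes the work done.
    hmac.compare_digest then compares the digests without early exit.
    """
    expected_digest = hashlib.sha256(expected.encode()).digest()
    provided_digest = hashlib.sha256(provided.encode()).digest()
    return hmac.compare_digest(expected_digest, provided_digest)


def validate_api_key(submitted: str, stored: str) -> bool:
    """Server-side check that should back an authentication endpoint.

    Returns only a boolean; the caller emits one generic failure message
    so the response body does not reveal which step failed either.
    """
    return constant_time_equals(stored, submitted)


if __name__ == "__main__":
    # Constructed sample key, not a real credential.
    STORED_KEY = "sk_example_0123456789abcdef"
    print(validate_api_key("sk_example_0123456789abcdef", STORED_KEY))  # True
    print(validate_api_key("sk_example_0123456789abcdeX", STORED_KEY))  # False
```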

Threat

External users with internet access to the application.

Expected Remediation Time

⏱️ 3600 minutes.

Fixes