Python: Timing attack

Classification

OWASP Top 10 2013: A6-Sensitive Data Exposure
OWASP Top 10 2017: A3-Sensitive Data Exposure
OWASP Top 10 2021: A2-Cryptographic Failures
CWE: CWE-1032

Overview

A string comparison method is used that does not protect against timing attacks.

Common string comparison methods (in Python, the == operator on str and bytes) return as soon as the first differing pair of characters is found. The running time of the comparison therefore depends on the length of the matching prefix. By measuring response times over many attempts, an attacker can recover a secret value one character at a time. When comparing secrets such as MAC tags, API tokens, session identifiers or encryption keys, a constant-time comparison such as hmac.compare_digest() must be used.
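The following example is added here to illustrate the point above; it is not code from the original page. It shows a token check written with the short-circuiting == operator next to the same check written with hmac.compare_digest(), a variant that also hides the length of the expected value by comparing fixed-size HMAC tags, and a reference implementation of the XOR-accumulate idea behind constant-time comparison. The token value and the function names are constructed for the example.

```python
import hmac
import secrets

# Constructed sample secret for the example (not a real key).
EXPECTED_TOKEN = b"0123456789abcdef0123456789abcdef"


def check_token_leaky(provided: bytes, expected: bytes = EXPECTED_TOKEN) -> bool:
    """Vulnerable: bytes.__eq__ returns as soon as one pair of bytes differs,
    so the running time grows with the length of the matching prefix."""
    return provided == expected


def check_token_constant_time(provided: bytes, expected: bytes = EXPECTED_TOKEN) -> bool:
    """Hardened: hmac.compare_digest() examines every byte regardless of where
    the first mismatch occurs. Note that it still reveals whether the two
    lengths differ, so it is best used on values of known, fixed length."""
    return hmac.compare_digest(provided, expected)


def check_token_hashed(provided: bytes, expected: bytes = EXPECTED_TOKEN) -> bool:
    """Variant that also hides the length of the expected value: both inputs
    are run through HMAC-SHA256 under a fresh random key, and the resulting
    fixed-size tags are compared in constant time."""
    key = secrets.token_bytes(32)
    tag_provided = hmac.new(key, provided, "sha256").digest()
    tag_expected = hmac.new(key, expected, "sha256").digest()
    return hmac.compare_digest(tag_provided, tag_expected)


def constant_time_equals(a: bytes, b: bytes) -> bool:
    """Reference implementation of the idea behind compare_digest(): fold the
    XOR of every byte pair into one accumulator and decide only at the end,
    so the loop always runs over the full length. Shown for understanding;
    in production use hmac.compare_digest(), which is implemented in C and
    avoids Python-level data-dependent behaviour."""
    if len(a) != len(b):
        return False
    acc = 0
    for x, y in zip(a, b):
        acc |= x ^ y
    return acc == 0


if __name__ == "__main__":
    # A guess that matches a long prefix is exactly what a timing attacker
    # tries to detect; the constant-time checks give no such signal.
    guess = EXPECTED_TOKEN[:-1] + b"0"
    print("leaky        :", check_token_leaky(guess))
    print("constant-time:", check_token_constant_time(guess))
    print("hashed       :", check_token_hashed(guess))
    print("reference    :", constant_time_equals(guess, EXPECTED_TOKEN))
```

hmac.compare_digest() accepts either two bytes-like objects or two ASCII-only str objects; mixing types, or passing a str containing non-ASCII characters, raises TypeError. Decoding user input to bytes before the comparison avoids both problems.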

References

  1. A Lesson In Timing Attacks - codahale.com
  2. constantTimeEquals - playframework.com
  3. OWASP Top 10 2017-A3-Sensitive Data Exposure
  4. CWE CATEGORY: OWASP Top Ten 2017 Category A6 - Security Misconfiguration