DerScanner
Home / Vulnerability Database / Ruby : Timing attack
Ruby

Ruby : Timing attack

Classification

OWASP Top 10 2013
A6-Sensitive Data Exposure
OWASP Top 10 2017
A3-Sensitive Data Exposure
OWASP Top 10 2021
A2-Cryptographic Failures
CWE
CWE-1032

Overview

The method of string comparison is used that does not protect against timing attacks.

Common methods of string comparison terminate the operation after handling the first non-equal pair of characters. Thus, the operating time of the method depends on the length of the matching prefixes. An attacker can use this information to compromise valuable data. When working with the valuable data, such as encryption keys, secure methods of comparison must be used.

In Ruby on Rails for secure string comparison use secure_compare or implement your own method. Typical idea of secure comparison: compute XOR for each pair of elements of the two arrays and return true if the resulting vector consists of zeros. This comparison takes the same amount of time regardless of the values of the arguments.

Also exists gem with a fast C implementation.

References

  1. A Lesson In Timing Attacks - codahale.com
  2. constantTimeEquals - playframework.com
  3. OWASP Top 10 2017-A3-Sensitive Data Exposure
  4. CWE CATEGORY: OWASP Top Ten 2017 Category A6 - Security Misconfiguration
CRITICAL

DerScanner Severity Score

Do you want to fix Ruby : Timing attack in your application?

See also

Ruby

Ruby : Weak hashing algorithm

Ruby

Ruby : Empty encryption key

Ruby

Ruby : Hardcoded sensitive data