Scala : Timing attack

Classification

OWASP Top 10 2013

A6-Sensitive Data Exposure

OWASP Top 10 2017

A3-Sensitive Data Exposure

OWASP Top 10 2021

A2-Cryptographic Failures

CWE

CWE-1032

Overview

The method of string comparison is used that does not protect against timing attacks.

Common methods of string comparison terminate the operation after handling the first non-equal pair of characters. Thus, the operating time of the method depends on the length of the matching prefixes. An attacker can use this information to compromise valuable data. When working with the valuable data, such as encryption keys, secure methods of comparison must be used.

References

A Lesson In Timing Attacks - codahale.com
constantTimeEquals - playframework.com
OWASP Top 10 2017-A3-Sensitive Data Exposure
CWE CATEGORY: OWASP Top Ten 2017 Category A6 - Security Misconfiguration

CRITICAL

Scala : Timing attack

Classification

Overview

References

DerScanner Severity Score

Do you want to fix Scala : Timing attack in your application?

See also

Scala : Unreleased resource stream

Scala : Multiple loggers in same class

Scala : Insufficient encryption key length