Observable timing discrepancy

Description

String comparisons using '===', '!==', '!=' and '==' are vulnerable to timing attacks. More info: https://snyk.io/blog/node-js-timing-attack-ccc-ctf/

Examples

Insecure Code

if (password == userInput) { ... }

Secure Code

const crypto = require('crypto'); if (crypto.timingSafeEqual(password, userInput)) { ... }

Remediation

Use a constant-time comparison function to prevent timing attacks.

Rule Details

Field	Value
ID	CODE-0355
Category	Crypto
Severity	MEDIUM
CWE	CWE-208
Confidence	HIGH
Impact	MEDIUM
Likelihood	MEDIUM
Exploitability	EASY
Tags	timing attack, string comparison
OWASP	A3:2017-Sensitive Data Exposure, A02:2021-Cryptographic Failures

---