Observable Timing Discrepancy

ID

java.observable_timing_discrepancy

Severity

high

Resource

Information Leak

Language

Java

Tags

CWE:208, NIST.SP.800-53

Description

Observable Timing Discrepancy occurs when the time it takes for certain operations to complete can be measured and observed by attackers.

Rationale

When conducting plaintext password comparisons, there’s a risk that an attacker could discern the password’s value by observing the timing of comparisons. This is because the comparison takes less time as fewer bytes match.

import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.UUID;
import org.apache.logging.log4j.util.Strings;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class DummyController {

  private final String password = "secret!";

  @PostMapping("/dummy")
  @ResponseBody
  public boolean isRoot(@RequestParam String username, @RequestParam String password) {
    if (Strings.isEmpty(username) || Strings.isEmpty(password)) {
      return false;
    }

    return username.equals("root") && password.equals(this.password); // FLAW
  }
}

Remediation

To remediate issues related to plaintext storage of passwords, implement the following practices:

  1. Use Secure Hashing Algorithms: Store passwords using a strong, one-way hashing algorithm combined with a salt to protect against dictionary and rainbow table attacks.

  2. Leverage Strong Cryptography: When passwords must be stored for validation, use a combination of hashing and salting. Ensure the algorithms used are well-regarded and up-to-date with industry standards (e.g., PBKDF2, bcrypt, scrypt).

  3. Protect Access to Passwords: Ensure access to stored hashed passwords and salts is tightly controlled using access controls and encryption.

Following these practices will significantly enhance the security of password storage in your applications, reducing the risk of unauthorized access.

References

  • CWE-208 : Observable Timing Discrepancy