Timing Attacks Anti-Pattern
Severity: Medium
Summary
Attackers measure operation timing to extract secrets. Early-exit comparisons leak information: comparing ABCDEF to ABCDEG takes longer than ABCDEF to XBCDEF (more matching characters before mismatch). These timing differences enable character-by-character secret recovery.
The Anti-Pattern
The anti-pattern is comparison functions returning early upon finding differences in sensitive values (passwords, tokens, hashes).
BAD Code Example
# VULNERABLE: String comparison leaking timing information.
def insecure_compare(s1, s2):
# Exits on first mismatch (early exit).
# First character mismatch returns quickly.
# Last character mismatch takes longer.
if len(s1) != len(s2):
return False
for i in range(len(s1)):
if s1[i] != s2[i]:
return False # Early exit leaks timing.
return True
SECRET_TOKEN = "abcdef123456"
@app.route("/check_token")
def check_token():
provided_token = request.args.get("token")
if insecure_compare(provided_token, SECRET_TOKEN):
return "Token valid!"
return "Token invalid!"
# Attack: Measure response times to discover secret character-by-character.
# token=X -> fast (first char wrong)
# token=a -> slower (first char matches)
# token=ab -> even slower (two chars match)
GOOD Code Example
# SECURE: Constant-time comparison prevents timing leaks.
import hmac
import secrets
def secure_compare(s1_bytes, s2_bytes):
# `hmac.compare_digest` performs constant-time comparison.
# Execution time depends only on length, not values.
# Always compares all bytes.
return hmac.compare_digest(s1_bytes, s2_bytes)
SECRET_TOKEN = secrets.token_bytes(16) # Secure 128-bit token.
@app.route("/check_token_secure")
def check_token_secure():
provided_token_hex = request.args.get("token")
try:
provided_token_bytes = bytes.fromhex(provided_token_hex)
except ValueError:
return "Token invalid!", 400
# Length check handled safely by compare_digest.
if len(provided_token_bytes) != len(SECRET_TOKEN):
return "Token invalid!", 400
if secure_compare(provided_token_bytes, SECRET_TOKEN):
return "Token valid!"
return "Token invalid!"
Detection
- Review code for secret comparisons: Look for any place in the code where sensitive values (passwords, API keys, session tokens, cryptographic hashes, HMAC signatures) are compared.
- Identify standard equality operators: Search for
==or===being used for comparing secrets. These operators are typically not constant-time. - Look for custom comparison loops: If a custom loop iterates through characters and returns
Falseon the first mismatch, it's vulnerable.
Prevention
- Use constant-time comparison for secrets: Never use standard equality operators for sensitive values.
- Know constant-time functions:
- Python:
hmac.compare_digest()orsecrets.compare_digest() - Node.js:
crypto.timingSafeEqual() - Go:
subtle.ConstantTimeCompare() - Java:
MessageDigest.isEqual()(byte arrays) - PHP:
hash_equals()
- Python:
- Use password library verification: Libraries like bcrypt/argon2 provide timing-safe verification (
bcrypt.checkpw(),argon2.verify()). - Verify equal lengths: Constant-time functions handle length mismatches safely, but pre-checking improves clarity.
Related Security Patterns & Anti-Patterns
- Weak Password Hashing Anti-Pattern: Proper password hashing (e.g., bcrypt) includes protection against timing attacks during verification.
- JWT Misuse Anti-Pattern: Signature verification of JWTs should use constant-time comparisons.
- Padding Oracle Anti-Pattern: Another type of cryptographic timing issue where information about padding validity is leaked through timing.
References
- OWASP Top 10 A04:2025 - Cryptographic Failures
- OWASP GenAI LLM10:2025 - Unbounded Consumption
- OWASP API Security API2:2023 - Broken Authentication
- OWASP Testing for Timing Attacks
- CWE-208: Observable Timing Discrepancy
- CAPEC-462: Cross-Domain Search Timing
- BlueKrypt - Cryptographic Key Length Recommendation
- Source: sec-context