🚀 Join our AI Wargame at Black Hat Asia and our Workshop + Wargame at NDC Sydney .

Timing Attack

A timing attack is a side-channel vulnerability where an adversary gains information by measuring differences in the time an application takes to perform operations. For example, an application may respond faster when a username is invalid, but take longer when the username is valid and only the password is incorrect (due to password hash calculation or additional database lookups). By precisely measuring these discrepancies, an attacker can enumerate valid usernames or infer secret values such as cryptographic keys.

Remediation

  • Use constant-time or atomic operations for all security-sensitive comparisons (e.g., authentication, cryptographic checks).
  • Replace standard string or byte comparisons with constant-time functions that do not short-circuit on mismatches.
  • Introduce uniform response times for authentication endpoints, independent of input validity.
  • For cryptographic operations, use well-vetted libraries that already implement constant-time algorithms.

Metadata

  • Severity: medium
  • Slug: timing-attack

CWEs

  • 208: Observable Timing Discrepancy

OWASP

  • A04:2021: Insecure Design

Available Labs

Open Javascript labs in SecDim Play for this vulnerability.

Try it yourself

Find, Hack and Fix Your First Vulnerability

Reading about security bugs is one thing — fixing one is how the skill sticks. Play a free challenge from the wargame, no setup required.