hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-21 03:06:31 +01:00
Code Issues Packages Projects Releases Wiki Activity

Update TimingAttackAgainstHeader.qhelp

Browse Source
This commit is contained in:
ahmed532009
2022-02-10 19:10:48 +01:00
committed by Chris Smowton
parent ab6a7bb3d8
commit bf95e59b24
1 changed files with 3 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
java/ql/src/experimental/Security/CWE/CWE-208/TimingAttackAgainstHeader.qhelp
View File

@@ -3,9 +3,9 @@
<overview>
<p>
A constant-time algorithm should be used for checking the value of headers.
A constant-time algorithm should be used for checking the value of sensitive headers.
In other words, the comparison time should not depend on the content of the input.
An attacker may be able to forge the value of the header.
Otherwise timing information could be used to infer the header's expected, secret value.
</p>
</overview>
@@ -19,7 +19,7 @@ and does not depend on the contents of the arrays.
</recommendation>
<example>
<p>
The following example uses <code>Arrays.equals()</code> method for validating a csrf token .
The following example uses <code>Arrays.equals()</code> method for validating a csrf token.
This method implements a non-constant-time algorithm.
Both the message and the signature come from an untrusted HTTP request:
</p>