Use of indistinguishable response time

Requirement

The response time of an authentication probe should be indistinguishable whether or not the user exists.
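The following added example (not part of the original page) contrasts a login check that returns early for unknown usernames with one that performs the same password-hashing work on every probe; the user store, the PBKDF2 parameters and the dummy record are constructed for the illustration.

```python
import hashlib
import hmac
import os
import secrets
import statistics
import time

ITERATIONS = 50_000  # constructed PBKDF2 work factor, same for every record


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed user store: username -> (salt, PBKDF2-HMAC-SHA256 digest).
_SALT = bytes.fromhex("00" * 16)
USERS = {"alice": (_SALT, _hash_password("correct horse", _SALT))}

# Dummy record verified when the username is unknown, so the expensive
# hashing step always runs. It must use the same parameters as real records.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash_password(secrets.token_hex(16), _DUMMY_SALT)


def login_leaky(username: str, password: str) -> bool:
    """Unknown names are rejected in microseconds, known names only after
    a full PBKDF2 run: the delay alone reveals whether the account exists."""
    record = USERS.get(username)
    if record is None:
        return False
    salt, stored = record
    return hmac.compare_digest(_hash_password(password, salt), stored)


def login_uniform(username: str, password: str) -> bool:
    """Does identical hashing work whether or not the user exists and only
    then combines both facts into the result."""
    record = USERS.get(username)
    user_exists = record is not None
    salt, stored = record if user_exists else (_DUMMY_SALT, _DUMMY_HASH)
    password_ok = hmac.compare_digest(_hash_password(password, salt), stored)
    return user_exists and password_ok


def _median_seconds(fn, username: str, password: str, rounds: int = 5) -> float:
    samples = []
    for _ in range(rounds):
        start = time.perf_counter()
        fn(username, password)
        samples.append(time.perf_counter() - start)
    return statistics.median(samples)


def timing_ratio(fn) -> float:
    """Median time for an unknown user divided by that for a known user;
    a value far below 1 means a probe can tell the two cases apart."""
    return _median_seconds(fn, "nobody", "x") / _median_seconds(fn, "alice", "x")
```

Equalising the hashing step removes the dominant timing signal, but the status code and response body must also be identical for the two cases, otherwise the discrepancy simply moves from timing to content.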

References

  • CWE-203: Observable Discrepancy: The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor, which exposes security-relevant information about the state of the product, such as whether a particular operation was successful or not.

  • CWE-204: Observable Response Discrepancy: The product provides different responses to incoming requests in a way that reveals internal state information to an unauthorized actor outside of the intended control sphere.

  • CWE-208: Observable Timing Discrepancy: Two separate operations in a product require different amounts of time to complete, in a way that is observable to an actor and reveals security-relevant information about the state of the product, such as whether a particular operation was successful or not.