Business Logic / Process Timing

Web and API

Description

Process Timing is a business logic vulnerability that affects web and API applications; this page maps it to CWE-770, Allocation of Resources Without Limits or Throttling. It occurs when the application does not control how long a request is allowed to take to process, or lets that time depend on data the client should not learn. Two consequences follow. An attacker can submit requests that are slow or expensive to process and exhaust CPU, memory, connections or worker threads, leaving the system slow or unresponsive (denial of service). An attacker can also measure how long the application takes to respond and infer information from the differences, for example whether a username exists or how many leading characters of a submitted token are correct, which can lead to disclosure of sensitive information or bypass of an authentication check.
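The information-disclosure case above, worked through as an added example that is not part of the original page: a token check that stops at the first mismatching byte does more work, and therefore answers later, the more of the guess is correct. The example counts comparison steps as a stand-in for measured latency, recovers a constructed token byte by byte from that signal, and shows the fixed comparison using Python's hmac.compare_digest. The token, alphabet and function names are this example's assumptions.

```python
import hmac
from typing import Callable, Tuple

# Constructed secret for the demonstration; a real service would load it from
# its credential store rather than hard-code it.
SECRET_TOKEN = b"s3cr3t-api-token-0042"
# Character set an attacker would reasonably assume for this token format.
ALPHABET = b"abcdefghijklmnopqrstuvwxyz0123456789-"


def leaky_compare(submitted: bytes, expected: bytes) -> Tuple[bool, int]:
    """Vulnerable comparison: returns at the first mismatching byte.

    Also returns the number of loop iterations performed. That count stands
    in for elapsed time: the longer the correct prefix of the guess, the more
    work the server does and the later its response arrives.
    """
    if len(submitted) != len(expected):
        return False, 0
    steps = 0
    for a, b in zip(submitted, expected):
        steps += 1
        if a != b:
            return False, steps
    return True, steps


def safe_compare(submitted: bytes, expected: bytes) -> bool:
    """Fixed comparison. hmac.compare_digest takes the same time wherever the
    inputs differ, so response time reveals only match / no match."""
    return hmac.compare_digest(submitted, expected)


def recover_token(oracle: Callable[[bytes], Tuple[bool, int]],
                  length: int, alphabet: bytes) -> bytes:
    """Byte-at-a-time recovery against the timing oracle.

    For each position the attacker tries every candidate byte, padded with
    zeros to the full length, and keeps the one that made the server do the
    most work. The final byte is confirmed by the server accepting the token.
    """
    known = b""
    for pos in range(length):
        best_byte, best_steps = alphabet[0], -1
        for c in alphabet:
            guess = known + bytes([c]) + b"\x00" * (length - pos - 1)
            matched, steps = oracle(guess)
            if matched:
                return guess
            if steps > best_steps:
                best_byte, best_steps = c, steps
        known += bytes([best_byte])
    return known


def demo_attack() -> bytes:
    """Recover SECRET_TOKEN using only the vulnerable comparison's work count."""
    return recover_token(lambda g: leaky_compare(g, SECRET_TOKEN),
                         len(SECRET_TOKEN), ALPHABET)


def observations_against_fix() -> int:
    """With safe_compare every wrong first-byte guess yields the same
    observation (False), so there is nothing to rank. Returns the number of
    distinct observations across all candidate first bytes."""
    pad = b"\x00" * (len(SECRET_TOKEN) - 1)
    return len({safe_compare(bytes([c]) + pad, SECRET_TOKEN) for c in ALPHABET})


if __name__ == "__main__":
    print("recovered:", demo_attack())
    print("distinct observations against the fix:", observations_against_fix())
```

Against a real network the attacker replaces the step count with repeated latency measurements and statistics, which is slower and noisier but works the same way; rate limiting (see Solution) makes gathering those samples harder, and constant-time comparison removes the signal altogether.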

Risk

Process Timing attacks can cause significant disruption to a system and its users. The impact ranges from degraded performance, through a complete outage in which the application stops responding and services are unavailable, to disclosure of user data where response times depend on secret values, which can amount to a data breach or to the bypass of an authentication check.

Solution

The primary defence against Process Timing attacks is to bound the time spent on each request: set a maximum processing time (a deadline or timeout), check it during long-running work, and abort and reject the request once the limit is exceeded, so an attacker cannot tie up workers and other resources with slow requests. In addition, apply rate limiting or throttling so that a client can send only a limited number of requests within a given period; this caps the resources one attacker can consume and slows down any attempt to collect timing measurements. Where response time depends on secret data, such as a password or token comparison, use a constant-time comparison so that elapsed time does not reveal how close a guess was.
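The two resource controls described above, as an added example that is not part of the original page: a sliding-window rate limiter keyed by client, and a per-request deadline that a handler checks before each unit of work so an expensive request is aborted once its budget is spent. The clock is injectable and the example runs on a constructed fake clock, so the traces are deterministic; the client addresses, limits, costs and status codes are this example's assumptions.

```python
import time
from collections import deque
from typing import Callable, Deque, Dict


class RateLimiter:
    """Sliding-window throttle: at most `limit` requests per `window` seconds
    for each client key. The clock is injectable so behaviour can be tested
    without sleeping."""

    def __init__(self, limit: int, window: float,
                 clock: Callable[[], float] = time.monotonic):
        self.limit = limit
        self.window = window
        self.clock = clock
        self._hits: Dict[str, Deque[float]] = {}

    def allow(self, client: str) -> bool:
        now = self.clock()
        hits = self._hits.setdefault(client, deque())
        while hits and now - hits[0] >= self.window:  # expire old requests
            hits.popleft()
        if len(hits) >= self.limit:
            return False
        hits.append(now)
        return True


class Deadline:
    """Maximum processing time for one request. Handlers call check() before
    each unit of work and abort as soon as the budget is spent."""

    def __init__(self, max_seconds: float,
                 clock: Callable[[], float] = time.monotonic):
        self.clock = clock
        self.expires_at = clock() + max_seconds

    def remaining(self) -> float:
        return self.expires_at - self.clock()

    def check(self) -> None:
        if self.remaining() <= 0:
            raise TimeoutError("request exceeded its maximum processing time")


class FakeClock:
    """Constructed clock: time only moves when simulated work advances it."""

    def __init__(self, start: float = 1000.0):
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def handle_request(client: str, records: int, cost_per_record: float,
                   limiter: RateLimiter, max_seconds: float,
                   clock: FakeClock) -> dict:
    """Handler with both controls. `records` is how much work the client asked
    for; `cost_per_record` is the simulated processing time per record,
    advanced on the fake clock in place of real work. Status codes are this
    example's choice."""
    if not limiter.allow(client):
        return {"status": 429, "processed": 0}          # throttled, no work done
    deadline = Deadline(max_seconds, clock)
    processed = 0
    try:
        for _ in range(records):
            deadline.check()                  # stop before starting unaffordable work
            clock.advance(cost_per_record)    # simulated work
            processed += 1
    except TimeoutError:
        return {"status": 503, "processed": processed}  # budget spent, aborted
    return {"status": 200, "processed": processed}


def demo() -> list:
    """Four requests from one client, then one from another, through a limit
    of 3 requests per 60 s and a 2 s processing budget per request."""
    clock = FakeClock()
    limiter = RateLimiter(limit=3, window=60.0, clock=clock)
    return [
        # 3 records at 0.5 s each: finishes within the 2 s budget
        handle_request("10.0.0.7", 3, 0.5, limiter, 2.0, clock),
        # 10,000 records: aborted after 4 records when the budget runs out
        handle_request("10.0.0.7", 10_000, 0.5, limiter, 2.0, clock),
        handle_request("10.0.0.7", 1, 0.5, limiter, 2.0, clock),
        # fourth request inside the window: throttled before any work
        handle_request("10.0.0.7", 1, 0.5, limiter, 2.0, clock),
        # a different client is not affected by the first client's limit
        handle_request("10.0.0.8", 1, 0.5, limiter, 2.0, clock),
    ]


if __name__ == "__main__":
    for result in demo():
        print(result)
```

In production the clock would be time.monotonic, the limiter state would live in a shared store such as Redis rather than in-process memory, and the budget check would sit inside whatever loop does the real work (database pagination, file parsing, external calls).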

Example

The following snippet illustrates the basic control described in the Solution section: the time already spent processing a request is compared against a maximum, and the request is rejected once that limit is exceeded. It is an illustrative fragment, not code taken from a CVE entry (the CVE list records vulnerability identifiers and descriptions, not source code).

// Reject a request whose processing time has exceeded MAX_TIME
function withinTimeLimit(time_elapsed, MAX_TIME) {
    if (time_elapsed > MAX_TIME) {
        // time limit exceeded: stop processing and reject the request
        return false;
    }
    return true;
}
