PW100¶

Matching inputs, secrets or tokens using the == operator is vulnerable to timing attacks.

Example¶

if password == "SUPER_SECRET": 
  proceed()

if password == hash:
  proceed()

Quick Fixes¶

Plugin will recommend Compare Digest Fixer.

See Also¶

Developer security best practices: protecting against timing attacks

Fork me on GitHub