
CVE-2016-10535: Timing Attack in csrf-lite

CVSS Score: 4.3

Basic Information

EPSS Score: 0.54157%
Published: 2/18/2019
Updated: 1/9/2023
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N

Package Name: csrf-lite
Ecosystem: npm
Vulnerable Versions: < 0.1.2
First Patched Version: 0.1.2

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The security patch shows that the vulnerable code was in the validation function, where CSRF tokens were compared using the `===` operator. The function was renamed from `csrf.valid()` to `csrf.validate()` in the patch, but both names point to the same validation logic. This is the exact location where an attacker could exploit timing differences in string comparison: `===` returns as soon as it finds the first mismatching character, so the comparison time depends on how much of the token matched. The commit replaces the vulnerable comparison with scmp's constant-time comparison, confirming this was the attack surface.


WAF Protection Rules

WAF Rule

Affected versions of `csrf-lite` are vulnerable to timing attacks as a result of testing CSRF tokens via a fail-early comparison instead of a constant-time comparison. Timing attacks remove the exponential increase in entropy gained from increased
