Amazon Q
Detector Library
JavaScript detectors (78/78)
Improper access controlSensitive data stored unencrypted due to partial encryptionPseudorandom number generatorsOS command injectionURL redirection to untrusted siteInteger overflowProtection mechanism failureNon-literal regular expressionTainted input for Docker APIUsage of an API that is not recommendedXML external entityServer-side request forgeryNew function detectedStack trace exposureTiming attackSNS don't bind subscribe and publishInvoke super appropriatelyNoSQL injectionHardcoded credentialsInsecure cookieCross-site scriptingHardcoded IP addressAWS credentials loggedXPath injectionData loss in a batch requestPath traversalLeast privilege violationDNS prefetchingResource leakInsufficiently protected credentialsFile extension validationInsecure connection using unencrypted protocolCross-site request forgeryTypeof expressionSet SNS Return Subscription ARNFile and directory information exposureMissing Amazon S3 bucket owner conditionInsecure hashingNumeric truncation errorClient-side KMS reencryptionAWS client not reused in a Lambda functionLDAP injectionBatch request with unchecked failuresCryptographic key generatorUnauthenticated Amazon SNS unsubscribe requests might succeedUnverified hostnameOrigins-verified cross-origin communicationsLoose file permissionsUnsanitized input is run as codeMissing paginationUntrusted Amazon Machine ImagesImproper certificate validationInsecure CORS policyDeserialization of untrusted objectSensitive information leakCheck failed records when using kinesisWeak obfuscation of web requestsCatch and swallow exceptionLogging of sensitive informationLimit request lengthString passed to `setInterval` or `setTimeout`Log injectionOverride of reserved variable names in a Lambda functionImproper restriction of rendered UI layers or framesInsecure cryptographyInsecure object attribute modificationSession fixationAvoid nan in comparisonImproper input validationDisabled HTML autoescapeUse of a deprecated methodUnvalidated expansion of archive filesFile injectionSendfile injectionSQL injectionHeader injectionInsecure temporary file or directoryInefficient polling of AWS resource
Timing attack High
Operators like == and === are not time-safe and can make your application vulnerable to a timing attack, which might enable attackers to infer security-sensitive information.
Detector ID
javascript/timing-attack@v1.0
Category
Common Weakness Enumeration (CWE) 
Tags
Noncompliant example
1var express = require('express')
2var app = express()
3
4function timingAttackNoncompliant() {
5 app.get('/user/login', function (req, res) {
6 // Noncompliant: '===' operator is used with sensitive data field.
7 if(password === "myPass") {
8 logIn()
9 }
10 })
11}
Compliant example
1var express = require('express')
2var app = express()
3var compare = require('secure-compare')
4
5function timingAttackCompliant() {
6 app.get('/user/login', function (req, res) {
7 // Compliant: sensitive data field is compared using 'secure-compare'.
8 if(compare(password, "myPass")) {
9 logIn()
10 }
11 })
12}