Adoption

Agent Skills are supported by leading AI development tools.

VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory

igbuend/timing-attacks-anti-pattern

Name: timing-attacks-anti-pattern
Author: igbuend

skills/timing-attacks-anti-pattern/SKILL.md

npx skillsauth add igbuend/grimbard timing-attacks-anti-pattern

Clean

TrivyContainer and dependency vulnerability scanner

Clean

SemgrepStatic code analysis for vulnerabilities

Clean

mcp-scan (Snyk)Model Context Protocol security validation

Skipped

Snyk (dep)Open source security scanning

Skipped

Socket.devSupply chain security analysis

Skipped

VirusTotalMulti-engine malware detection

Skipped

CrowdStrikeAdvanced threat intelligence

Skipped

OSV-ScannerOpen Source Vulnerability database check

Skipped

OWASP Dep-Check

Timing Attacks Anti-Pattern

Severity: Medium

Summary

Attackers measure operation timing to extract secrets. Early-exit comparisons leak information: comparing ABCDEF to ABCDEG takes longer than ABCDEF to XBCDEF (more matching characters before mismatch). These timing differences enable character-by-character secret recovery.

The Anti-Pattern

The anti-pattern is comparison functions returning early upon finding differences in sensitive values (passwords, tokens, hashes).

BAD Code Example

# VULNERABLE: String comparison leaking timing information.

def insecure_compare(s1, s2):
    # Exits on first mismatch (early exit).
    # First character mismatch returns quickly.
    # Last character mismatch takes longer.
    if len(s1) != len(s2):
        return False
    for i in range(len(s1)):
        if s1[i] != s2[i]:
            return False # Early exit leaks timing.
    return True

SECRET_TOKEN = "abcdef123456"

@app.route("/check_token")
def check_token():
    provided_token = request.args.get("token")
    if insecure_compare(provided_token, SECRET_TOKEN):
        return "Token valid!"
    return "Token invalid!"

# Attack: Measure response times to discover secret character-by-character.
# token=X -> fast (first char wrong)
# token=a -> slower (first char matches)
# token=ab -> even slower (two chars match)

GOOD Code Example

# SECURE: Constant-time comparison prevents timing leaks.
import hmac
import secrets

def secure_compare(s1_bytes, s2_bytes):
    # `hmac.compare_digest` performs constant-time comparison.
    # Execution time depends only on length, not values.
    # Always compares all bytes.
    return hmac.compare_digest(s1_bytes, s2_bytes)

SECRET_TOKEN = secrets.token_bytes(16) # Secure 128-bit token.

@app.route("/check_token_secure")
def check_token_secure():
    provided_token_hex = request.args.get("token")
    try:
        provided_token_bytes = bytes.fromhex(provided_token_hex)
    except ValueError:
        return "Token invalid!", 400

    # Length check handled safely by compare_digest.
    if len(provided_token_bytes) != len(SECRET_TOKEN):
        return "Token invalid!", 400

    if secure_compare(provided_token_bytes, SECRET_TOKEN):
        return "Token valid!"
    return "Token invalid!"

Detection

Review code for secret comparisons: Look for any place in the code where sensitive values (passwords, API keys, session tokens, cryptographic hashes, HMAC signatures) are compared.
Identify standard equality operators: Search for == or === being used for comparing secrets. These operators are typically not constant-time.
Look for custom comparison loops: If a custom loop iterates through characters and returns False on the first mismatch, it's vulnerable.

Prevention

[ ] Use constant-time comparison for secrets: Never use standard equality operators for sensitive values.
[ ] Know constant-time functions:
- Python: hmac.compare_digest() or secrets.compare_digest()
- Node.js: crypto.timingSafeEqual()
- Go: subtle.ConstantTimeCompare()
- Java: MessageDigest.isEqual() (byte arrays)
- PHP: hash_equals()
[ ] Use password library verification: Libraries like bcrypt/argon2 provide timing-safe verification (bcrypt.checkpw(), argon2.verify()).
[ ] Verify equal lengths: Constant-time functions handle length mismatches safely, but pre-checking improves clarity.

Related Security Patterns & Anti-Patterns

Weak Password Hashing Anti-Pattern: Proper password hashing (e.g., bcrypt) includes protection against timing attacks during verification.
JWT Misuse Anti-Pattern: Signature verification of JWTs should use constant-time comparisons.
Padding Oracle Anti-Pattern: Another type of cryptographic timing issue where information about padding validity is leaked through timing.

References

OWASP Top 10 A04:2025 - Cryptographic Failures
OWASP GenAI LLM10:2025 - Unbounded Consumption
OWASP API Security API2:2023 - Broken Authentication
OWASP Testing for Timing Attacks
CWE-208: Observable Timing Discrepancy
CAPEC-462: Cross-Domain Search Timing
BlueKrypt - Cryptographic Key Length Recommendation
Source: sec-context

igbuend/timing-attacks-anti-pattern

skills/timing-attacks-anti-pattern/SKILL.md

Security anti-pattern for timing side-channel vulnerabilities (CWE-208). Use when generating or reviewing code that compares secrets, tokens, passwords, or cryptographic values. Detects early-exit comparisons that leak information through timing differences.

4 stars

development

Updated Apr 5, 2026

$ install --global

skillsauth

npx skillsauth add igbuend/grimbard timing-attacks-anti-pattern

Install this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.

Security Scan Results

3 of 9 scanners reported clean

Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.

Scanners Passed

Scanners in report

Clean

TrivyContainer and dependency vulnerability scanner

95%

Clean

SemgrepStatic code analysis for vulnerabilities

95%

Clean

mcp-scan (Snyk)Model Context Protocol security validation

95%

Skipped

Snyk (dep)Open source security scanning

50%

Skipped

Socket.devSupply chain security analysis

50%

Skipped

VirusTotalMulti-engine malware detection

50%

Skipped

CrowdStrikeAdvanced threat intelligence

50%

Skipped

OSV-ScannerOpen Source Vulnerability database check

50%

Skipped

OWASP Dep-Check

50%

Last scanned: Apr 5, 2026, 8:20 PM17.0s1 file scanned

SKILL.md

name:: timing-attacks-anti-pattern
description:: Security anti-pattern for timing side-channel vulnerabilities (CWE-208). Use when generating or reviewing code that compares secrets, tokens, passwords, or cryptographic values. Detects early-exit comparisons that leak information through timing differences.

Timing Attacks Anti-Pattern

Severity: Medium

Summary

The Anti-Pattern

The anti-pattern is comparison functions returning early upon finding differences in sensitive values (passwords, tokens, hashes).

BAD Code Example

# VULNERABLE: String comparison leaking timing information.

def insecure_compare(s1, s2):
    # Exits on first mismatch (early exit).
    # First character mismatch returns quickly.
    # Last character mismatch takes longer.
    if len(s1) != len(s2):
        return False
    for i in range(len(s1)):
        if s1[i] != s2[i]:
            return False # Early exit leaks timing.
    return True

SECRET_TOKEN = "abcdef123456"

@app.route("/check_token")
def check_token():
    provided_token = request.args.get("token")
    if insecure_compare(provided_token, SECRET_TOKEN):
        return "Token valid!"
    return "Token invalid!"

# Attack: Measure response times to discover secret character-by-character.
# token=X -> fast (first char wrong)
# token=a -> slower (first char matches)
# token=ab -> even slower (two chars match)

GOOD Code Example

# SECURE: Constant-time comparison prevents timing leaks.
import hmac
import secrets

def secure_compare(s1_bytes, s2_bytes):
    # `hmac.compare_digest` performs constant-time comparison.
    # Execution time depends only on length, not values.
    # Always compares all bytes.
    return hmac.compare_digest(s1_bytes, s2_bytes)

SECRET_TOKEN = secrets.token_bytes(16) # Secure 128-bit token.

@app.route("/check_token_secure")
def check_token_secure():
    provided_token_hex = request.args.get("token")
    try:
        provided_token_bytes = bytes.fromhex(provided_token_hex)
    except ValueError:
        return "Token invalid!", 400

    # Length check handled safely by compare_digest.
    if len(provided_token_bytes) != len(SECRET_TOKEN):
        return "Token invalid!", 400

    if secure_compare(provided_token_bytes, SECRET_TOKEN):
        return "Token valid!"
    return "Token invalid!"

Detection

Review code for secret comparisons: Look for any place in the code where sensitive values (passwords, API keys, session tokens, cryptographic hashes, HMAC signatures) are compared.
Identify standard equality operators: Search for == or === being used for comparing secrets. These operators are typically not constant-time.
Look for custom comparison loops: If a custom loop iterates through characters and returns False on the first mismatch, it's vulnerable.

Prevention

[ ] Use constant-time comparison for secrets: Never use standard equality operators for sensitive values.
[ ] Know constant-time functions:
- Python: hmac.compare_digest() or secrets.compare_digest()
- Node.js: crypto.timingSafeEqual()
- Go: subtle.ConstantTimeCompare()
- Java: MessageDigest.isEqual() (byte arrays)
- PHP: hash_equals()
[ ] Use password library verification: Libraries like bcrypt/argon2 provide timing-safe verification (bcrypt.checkpw(), argon2.verify()).
[ ] Verify equal lengths: Constant-time functions handle length mismatches safely, but pre-checking improves clarity.

Related Security Patterns & Anti-Patterns

Weak Password Hashing Anti-Pattern: Proper password hashing (e.g., bcrypt) includes protection against timing attacks during verification.
JWT Misuse Anti-Pattern: Signature verification of JWTs should use constant-time comparisons.
Padding Oracle Anti-Pattern: Another type of cryptographic timing issue where information about padding validity is leaked through timing.

References

OWASP Top 10 A04:2025 - Cryptographic Failures
OWASP GenAI LLM10:2025 - Unbounded Consumption
OWASP API Security API2:2023 - Broken Authentication
OWASP Testing for Timing Attacks
CWE-208: Observable Timing Discrepancy
CAPEC-462: Cross-Domain Search Timing
BlueKrypt - Cryptographic Key Length Recommendation
Source: sec-context

Related Skills

igbuend/xss-anti-pattern

development

VerifiedTrustedCommunity

Security anti-pattern for Cross-Site Scripting vulnerabilities (CWE-79). Use when generating or reviewing code that renders HTML, handles user input in web pages, uses innerHTML/document.write, or builds dynamic web content. Covers Reflected, Stored, and DOM-based XSS. AI code has 86% XSS failure rate.

4SKILL.mdUpdated Apr 5, 2026

igbuend/xss-anti-pattern

igbuend/xpath-injection-anti-pattern

development

VerifiedTrustedCommunity

Security anti-pattern for XPath injection vulnerabilities (CWE-643). Use when generating or reviewing code that queries XML documents, constructs XPath expressions, or handles user input in XML operations. Detects unescaped quotes and special characters in XPath queries.

4SKILL.mdUpdated Apr 5, 2026

igbuend/xpath-injection-anti-pattern

igbuend/weak-password-hashing-anti-pattern

development

VerifiedTrustedCommunity

Security anti-pattern for weak password hashing (CWE-327, CWE-759). Use when generating or reviewing code that stores or verifies user passwords. Detects use of MD5, SHA1, SHA256 without salt, or missing password hashing entirely. Recommends bcrypt, Argon2, or scrypt.

4SKILL.mdUpdated Apr 5, 2026

igbuend/weak-password-hashing-anti-pattern

igbuend/weak-encryption-anti-pattern

development

VerifiedTrustedCommunity

Security anti-pattern for weak encryption (CWE-326, CWE-327). Use when generating or reviewing code that encrypts data, handles encryption keys, or uses cryptographic modes. Detects DES, ECB mode, static IVs, and custom crypto implementations.

4SKILL.mdUpdated Apr 5, 2026

igbuend/weak-encryption-anti-pattern

Download

For Claude Desktop. Download once, then upload the file in the app — no terminal needed.

Need help? View full Cowork setup guide →

Install manually

Choose your platform

# Clone the repo
git clone https://github.com/igbuend/grimbard.git

# Copy into Claude Code skills folder (global)
cp -r grimbard/skills/timing-attacks-anti-pattern ~/.claude/skills/

Claude Code Skills — official skills path docs.

Repository

igbuend/grimbard

4 stars

Compatible with

Claude Code

OpenAI Codex CLI

ChatGPT