User Enumeration

If it takes longer to check a correct username and an incorrect password, a clever attacker will be able to spot the difference.

Code vulnerable to a timing attack

   app.post('/login', (request, response) => {
  const user = getUser(request.params.username)

  // The function returns early if the username is incorrect.
  if (!user) {
    response.status(401)
    return
  }
  
  // This code path will only get executed if the username is
  // correct, allowing an attacker to infer the existence of a
  // username by timing how long the HTTP response takes.
  bcrypt.compare(request.params.password, user.hashedPassword, (error, matched) => {
    if (matched) {
      request.session.username = request.params.username
      self.redirect('/')
    }
    else {
      response.status(401)
    }
  })
}) 