Timestamp Disclosure - Unix

A timestamp disclosed by the application server or web server can be used to retrieve other sensitive information e.g. when used as a salt or a token during authentication or encryption.

Typically a timestamp is disclosed as a Unix epoch time, see https://en.wikipedia.org/wiki/Unix_time, e.g. 1594200097 represents Wednesday July 8 2020 09:21:37 GMT.

If the server timestamp is used e.g. as a salt to hash specific sensitive information (authentication code, password, anti-CSRF token) the attacker can retrieve it from the server and synchronize the local attacking code to minimize the number of brute force attempts required to reproduce the result of the application hashing algorithm.

Any Timestamp Disclosure alerts should be manually reviewed to confirm that a) these are actual server timestamp leaks, b) the disclosed timestamp data is not sensitive as it is not used in any form to generate any sensitive information on the server side.

If a given Timestamp Disclosure alert is not critical it can be ignored.

Otherwise the application code should be modified not to disclose current timestamp information and not to rely on a local server timestamp as generally timestamp synchronization is not a difficult task for an attacker.

Our scanner looks for any occurrences of response fragments in Unix epoch time format and reports their location along with standard date/time representations for manual review.