This article is a part of our Web Security Knowledge Base (back to index)

Why Timestamp Disclosure can be dangerous

A timestamp disclosed by the application server or web server can be used to retrieve other sensitive information e.g. when used as a salt or a token during authentication or encryption.

Typically a timestamp is disclosed as a Unix epoch time, see https://en.wikipedia.org/wiki/Unix_time, e.g. 1594200097 represents Wednesday July 8 2020 09:21:37 GMT.

If the server timestamp is used e.g. as a salt to hash specific sensitive information (authentication code, password, anti-CSRF token) the attacker can retrieve it from the server and synchronize the local attacking code to minimize the number of brute force attempts required to reproduce the result of the application hashing algorithm.

How to fix Timestamp Disclosure

Any Timestamp Disclosure alerts should be manually reviewed to confirm that a) these are actual server timestamp leaks, b) the disclosed timestamp data is not sensitive as it is not used in any form to generate any sensitive information on the server side.

If a given Timestamp Disclosure alert is not critical it can be ignored.

Otherwise the application code should be modified not to disclose current timestamp information and not to rely on a local server timestamp as generally timestamp synchronization is not a difficult task for an attacker.

How does ScanRepeat report Timestamp Disclosure

Our scanner looks for any occurrences of response fragments in Unix epoch time format and reports their location along with standard date/time representations for manual review.

Would you like to test your application now against this problem? Sign up for our free trial

Scan Your Web App Now
Scan your application
for 14 days for free

No credit card is required. No commitment.

Sign Up Free