From 40ff09e58a9fe1dd9d46099a0ff9f6977798fe37 Mon Sep 17 00:00:00 2001
From: sebasrevuelta <122784773+sebasrevuelta@users.noreply.github.com>
Date: Wed, 13 Mar 2024 02:34:54 +0100
Subject: [PATCH] Update timing_attack_node.yaml (#113)

Add more explanation about the attack.
Remove Snyk reference.
Add NodeJs reference.
---
 njsscan/rules/semantic_grep/crypto/timing_attack_node.yaml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/njsscan/rules/semantic_grep/crypto/timing_attack_node.yaml b/njsscan/rules/semantic_grep/crypto/timing_attack_node.yaml
index 4d6c0e5..2aa902b 100644
--- a/njsscan/rules/semantic_grep/crypto/timing_attack_node.yaml
+++ b/njsscan/rules/semantic_grep/crypto/timing_attack_node.yaml
@@ -485,7 +485,8 @@ rules:
               return api != $X;
     message: >-
       String comparisons using '===', '!==', '!=' and '==' is vulnerable to timing attacks.
-      More info: https://snyk.io/blog/node-js-timing-attack-ccc-ctf/
+      A timing attack allows the attacker to learn potentially sensitive information by, for example, measuring how long it takes for the application to respond to a request. 
+      More info: https://nodejs.org/en/learn/getting-started/security-best-practices#information-exposure-through-timing-attacks-cwe-208
     languages:
       - javascript
     severity: WARNING