Bleichenbacher Attack in Express with Hmac Signatures

A Bleichenbacher attack is a cryptographic padding oracle technique originally described for PKCS#1 v1.5 encryption and signatures. In the context of Express applications that use Hmac Signatures for request integrity, a similar timing-based oracle can emerge when signature verification leaks information about whether a provided signature is valid before completing a constant-time comparison. If an Express endpoint accepts a signature in a header or query parameter and performs per-character or per-byte equality checks, an attacker can send many modified requests and measure response times to infer the correct signature byte-by-byte.

Express itself does not implement Hmac signature verification; developers typically use libraries such as Node.js crypto to create and verify signatures. A vulnerable pattern is to compute an Hmac over a request payload or selected headers and then compare the computed digest with the client-supplied signature using a simple equality operator or a non-constant-time function. Because JavaScript string comparison is not constant-time, an attacker can send slightly altered payloads and observe small timing differences that reveal when a prefix of the Hmac matches. Over many requests, this allows an attacker to recover the full Hmac key or forge valid signatures for arbitrary requests, bypassing integrity protections.

The combination of Express routing, common usage patterns for Hmac Signatures (e.g., signing a canonical representation of method, path, and body), and naive verification code creates a practical attack surface. For example, an endpoint that signs a JSON body with a shared secret and expects the signature in an x-signature header may be vulnerable if the verification routine does not use a constant-time comparison. Attackers can leverage tools to automate timing measurements and exploit this weakness to achieve privilege escalation or unauthorized actions, paralleling findings such as BOLA/IDOR and BFLA/Privilege Escalation that middleBrick detects across the unauthenticated attack surface.

Real-world analogies include timing attacks against cookie comparison and cryptographic implementations that fail to use proper encoding and verification primitives. In an Express context, this often maps to insufficient Input Validation and Authentication checks, which are among the 12 parallel security checks run by middleBrick. The scanner tests whether signature verification paths are susceptible to timing leakage by sending crafted probes and analyzing responses, reporting findings with severity and remediation guidance consistent with frameworks such as OWASP API Top 10 and PCI-DSS.

Because middleBrick performs black-box scanning without credentials or agents, it can identify whether an endpoint’s Hmac verification behavior resembles a Bleichenbacher-like oracle without needing internal architecture details. The tool checks for timing-sensitive behaviors by observing response variations across modified requests and highlights insecure verification patterns in the report alongside concrete remediation steps.

To remediate Bleichenbacher-style timing vulnerabilities in Express when using Hmac Signatures, always use a constant-time comparison function when comparing the computed signature with the client-provided signature. Node.js crypto.timingSafeEqual is the standard primitive for this purpose because it executes in constant time and prevents byte-by-byte inference attacks.

Below is a concrete, working Express example that signs a request body with Hmac using a shared secret and verifies the signature safely. The code uses crypto.createHmac to generate a hex digest and crypto.timingSafeEqual to compare digests, avoiding string-based equality checks that are vulnerable to timing attacks.

const express = require('express');
const crypto = require('crypto');

const app = express();
app.use(express.json());

const SHARED_SECRET = process.env.SHARED_SECRET; // Must be a strong, sufficiently random secret

function signPayload(payload) {
  const hmac = crypto.createHmac('sha256', SHARED_SECRET);
  hmac.update(JSON.stringify(payload));
  return hmac.digest('hex');
}

function verifySignature(payload, receivedSignature) {
  const expected = signPayload(payload);
  if (expected.length !== receivedSignature.length) {
    return false;
  }
  const expectedBuf = Buffer.from(expected, 'hex');
  const receivedBuf = Buffer.from(receivedSignature, 'hex');
  // Use timingSafeEqual to avoid timing leaks
  return crypto.timingSafeEqual(expectedBuf, receivedBuf);
}

app.post('/webhook', (req, res) => {
  const receivedSignature = req.get('x-signature');
  if (!receivedSignature) {
    return res.status(400).send('Missing signature');
  }
  const valid = verifySignature(req.body, receivedSignature);
  if (!valid) {
    return res.status(401).send('Invalid signature');
  }
  // Process the verified request
  res.json({ ok: true });
});

app.listen(3000, () => console.log('Server running on port 3000'));

Additional remediation guidance includes ensuring the shared secret is stored securely (for example, via environment variables or a secrets manager), using a strong hash such as SHA-256, and avoiding concatenation approaches that can introduce parsing ambiguities. When integrating with CI/CD, the middleBrick GitHub Action can be added to fail builds if security scores drop below your defined threshold, helping prevent vulnerable Hmac implementations from reaching production. For continuous monitoring, the Pro plan supports scheduled scans and alerts, while the MCP Server allows you to scan APIs directly from your AI coding assistant within the development environment.

Finally, always design endpoints to return uniform error responses and status codes for both invalid and missing signatures to avoid leaking information through side channels. Combine constant-time verification with broader input validation and authentication checks to reduce the risk of token recovery or privilege escalation attacks that align with findings mapped to compliance frameworks such as OWASP API Top 10 and SOC2.