Side Channel Attack in Adonisjs with Dynamodb

A side channel attack in the AdonisJS + DynamoDB context leverages timing or behavioral differences in how the framework interacts with DynamoDB to infer sensitive information. When AdonisJS processes authentication or data retrieval, it typically queries DynamoDB using the AWS SDK. If the application does not enforce constant-time operations or consistent error handling, subtle timing variations can expose information about the existence of users, the validity of tokens, or the structure of stored data.

For example, consider an endpoint that accepts an email address to initiate a password reset. If the code first checks whether the email exists in DynamoDB and only then returns a generic response, an attacker can measure response times to determine whether a given email is registered. In AdonisJS, this often occurs in controller methods that perform conditional DynamoDB get or query calls before returning a standardized message. The AWS SDK for JavaScript returns promises; if resolution or rejection timing differs based on whether an item exists, an attacker can use statistical analysis to infer data.

DynamoDB-specific behaviors that amplify this risk include variations in latency based on item size, index usage, and consumed capacity. If AdonisJS routes handle successful and error cases with different code paths—for instance, logging detailed errors for missing items but suppressing them for found items—timing discrepancies become measurable. A concrete attack pattern: an attacker sends many requests with guessed user IDs or email addresses and observes response times. Longer responses may indicate a cache miss or a read from a secondary index, revealing which records exist.

Another vector involves unauthenticated endpoints that expose DynamoDB metadata. If AdonisJS returns detailed validation or SDK errors, an attacker can distinguish between network issues, provisioned capacity problems, and successful queries. This is particularly relevant when using features like DynamoDB Streams or conditional writes; misconfigured error handling can inadvertently signal internal state. The LLM/AI Security checks in middleBrick highlight such risks by testing for information leakage through error messages and timing anomalies, a useful capability when assessing AdonisJS services that integrate with DynamoDB.

To contextualize, here is a realistic AdonisJS controller snippet that performs a DynamoDB get without constant-time guarantees, creating a potential side channel:

import { DateTime } from 'luxon'
import { DynamoDB } from '@aws-sdk/client-dynamodb'
import { marshall, unmarshall } from '@aws-sdk/util-dynamodb'

const client = new DynamoDB({})

export default class SessionController {
  async store({ request, response }) {
    const { tokenId } = request.only(['tokenId'])
    // Non-constant-time lookup: timing may reveal token existence
    const result = await client.get({
      TableName: process.env.DYNAMO_TABLE,
      Key: marshall({ token_id: tokenId })
    })
    if (!result.Item) {
      response.status(404).json({ error: 'Invalid token' })
      return
    }
    const item = unmarshall(result.Item)
    // Further processing...
    response.json({ valid: true, expiresAt: item.expiresAt })
  }
}

In this example, the time taken for client.get differs depending on whether the item exists and the network path taken. An attacker observing many requests can build a statistical profile. Mitigations include ensuring uniform response paths, introducing artificial delays, and using DynamoDB queries that always consume similar read capacity regardless of item existence.

Remediation focuses on making operations constant-time where feasible, standardizing error handling, and avoiding information leakage through timing or error messages. Below are concrete AdonisJS code examples that address the side channel risks when working with DynamoDB.

1. Constant-time existence check with uniform response

Instead of branching based on item existence, always perform a read with the same cost and return a generic response. Use DynamoDB get with a placeholder item to simulate work when the item is absent:

import { DynamoDB } from '@aws-sdk/client-dynamodb'
import { marshall, unmarshall } from '@aws-sdk/util-dynamodb'

const client = new DynamoDB({})

export default class TokenController {
  async verify({ request, response }) {
    const { tokenId } = request.only(['tokenId'])
    const result = await client.get({
      TableName: process.env.DYNAMO_TABLE,
      Key: marshall({ token_id: tokenId })
    })
    // Always unmarshall a default shape to keep processing time similar
    const item = result.Item ? unmarshall(result.Item) : { token_id: tokenId, exists: false }
    // Simulate work if item was not found to mask timing differences
    if (!result.Item) {
      // Perform a lightweight dummy operation to consume comparable time
      await client.get({
        TableName: process.env.DYNAMO_TABLE,
        Key: marshall({ token_id: 'dummy_placeholder_key_for_timing' })
      })
    }
    response.json({ valid: !!result.Item, token: item })
  }
}

This approach reduces timing variance by ensuring the code path and DynamoDB operations remain consistent regardless of whether the token exists.

2. Standardized error handling to prevent information leakage

Ensure that all errors from DynamoDB are caught and transformed into generic responses, avoiding detailed messages that could inform an attacker about internal state:

import { DynamoDB } from '@aws-sdk/client-dynamodb'
import { marshall } from '@aws-sdk/util-dynamodb'

const client = new DynamoDB({})

export default class UserController {
  async create({ request, response }) {
    const payload = request.only(['email'])
    try {
      await client.put({
        TableName: process.env.DYNAMO_TABLE,
        Item: marshall(payload)
      })
      response.status(201).json({ message: 'Created' })
    } catch (err) {
      // Log the detailed error server-side; return generic response
      console.error('DynamoDB error:', err)
      response.status(500).json({ message: 'Request failed' })
    }
  }
}

By catching exceptions and returning a uniform error payload, you prevent timing and message-based side channels that could distinguish between network errors, conditional check failures, and duplicate item violations.

3. Use queries with consistent pagination patterns

If your endpoint lists resources, use queries with fixed limit and always iterate the same number of pages internally, even when fewer results exist. This prevents timing differences based on data volume:

import { DynamoDB } from '@aws-sdk/client-dynamodb'
import { marshall, unmarshall } from '@aws-sdk/util-dynamodb'

const client = new DynamoDB({})

export default class SearchController {
  async index({ request, response }) {
    const { q } = request.only(['q'])
    const limit = 10
    let lastKey = null
    const collected = []
    // Always perform at least one query; keep loop structure constant
    for (let i = 0; i < 1; i++) {
      const input = {
        TableName: process.env.DYNAMO_TABLE,
        IndexName: 'gsi-email',
        KeyConditionExpression: 'email = :email',
        ExpressionAttributeValues: marshall({ ':email': q }),
        Limit: limit
      }
      const result = await client.query(input)
      collected.push(...(result.Items || []))
      lastKey = result.LastEvaluatedKey
      // Optionally continue with deterministic dummy reads if needed to mask timing
    }
    response.json({ results: collected.map(unmarshall) })
  }
}

These patterns help ensure that an attacker cannot infer data contents or internal behavior by measuring response times or observing error variations. middleBrick can validate such implementations by scanning endpoints for inconsistent error handling and timing anomalies, providing findings mapped to frameworks like OWASP API Top 10.