Hey Chris,

2013/8/19 Chris Frey <cdf...@foursquare.net>:
> Hi,
>
> I'm attempting to understand the reasons why Wt is not vulnerable to
> the BREACH attack, based on this recent blog post:
>
>         http://www.webtoolkit.eu/wt/blog/2013/08/07/security__wt_and_the_new_breach_vulnerability/comments?wtd=23bb67q3jTKptXwUPu0fPGQeyS9QVqrY
>
> It says:
>
>         "Since Wt never relies (solely) on cookies for session tracking,
>         luckily, a Wt application is thus not vulnerable to BREACH,
>         not in the context of CSRF or any other secret to be obtained
>         from the web application."
>
> So how does Wt handle session tracking?  Are the CSRF IDs in the URL?
> Do they change randomly?

Wt URL-encodes the session ID in Ajax requests and WebSocket
connections, and doesn't do full page refreshes by using a single page
model with navigation implemented using the HTML5 history API (unless
the client has JavaScript disabled like you seem to have?).

Since we do not rely on cookies, there is no need for CSRF tokens. The
BREACH attack doesn't really mention very well, IMHO, that it relies
on cookies for session tracking in the first place since that's the
starting point to trying to guess a secret in the page by generating
requests from the user's browser.

I hope that clarifies it?

Regards,
koen
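An added illustration, not code from Wt or from either message in this thread, of the point Koen makes: a browser attaches stored cookies to every request to a host regardless of which page triggered it, while a session id carried in the request URL has to be supplied by whoever builds the request, so a page on another origin cannot produce an authenticated request without first learning that id. The `wtd` parameter name is taken from the blog URL quoted above; everything else is a constructed model.

```python
import secrets
from urllib.parse import parse_qs, urlparse

# Constructed model, not Wt's code: one application in two session-tracking
# modes, "cookie" (session id in a cookie) and "url" (session id carried in
# the request URL, as the reply says Wt does for Ajax requests).

class Server:
    def __init__(self, mode):
        self.mode = mode
        self.sessions = {}  # session id -> logged-in user

    def login(self, user):
        sid = secrets.token_urlsafe(24)
        self.sessions[sid] = user
        return sid

    def handle(self, url, cookies):
        """Return the user the request is attributed to, or None."""
        if self.mode == "cookie":
            sid = cookies.get("session")
        else:
            # 'wtd' is the parameter name seen in the blog URL quoted above;
            # that it carries the session id is an assumption of this model.
            sid = parse_qs(urlparse(url).query).get("wtd", [None])[0]
        return self.sessions.get(sid)

class Browser:
    """Attaches every stored cookie for the host to every request, whatever
    page triggered it: the property a cross-site forged request relies on."""
    def __init__(self):
        self.cookie_jar = {}

    def request(self, server, url):
        return server.handle(url, dict(self.cookie_jar))

def simulate(mode):
    # Returns (user seen on a legitimate request, user seen on a forged one).
    server, browser = Server(mode), Browser()
    sid = server.login("alice")
    if mode == "cookie":
        browser.cookie_jar["session"] = sid
        own_url = "https://app.example/transfer"
    else:
        own_url = f"https://app.example/transfer?wtd={sid}"
    legit = browser.request(server, own_url)
    # A page on another origin can name the path but does not know sid,
    # so its forged request arrives without it.
    forged = browser.request(server, "https://app.example/transfer")
    return legit, forged
```

In cookie mode both requests are attributed to alice, which is why a separate CSRF token would be needed; in URL mode only the legitimate request is.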

_______________________________________________
witty-interest mailing list
witty-interest@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/witty-interest