On Mon, Aug 19, 2013 at 09:57:14PM +0200, Koen Deforche wrote:
> Since we do not rely on cookies, there is no need for CSRF tokens. The
> BREACH attack doesn't really mention very well, IMHO, that it relies
> on cookies for session tracking in the first place since that's the
> starting point to trying to guess a secret in the page by generating
> requests from the user's browser.

Thanks very much for your reply! Yes, that makes more sense. If I understand correctly, the entire attack relies on:

- the CSRF is given to the server via cookie automatically
- the CSRF consistently comes back to the user via HTML
- there is a similar feedback loop where the attacker can provide his own ID in the URL, and it also comes back via the HTML in some other place

In Wt's case, there is generally no cookie value at all, and if the attacker guesses a different ID via URL, then it just starts a new session and that new ID comes back in the HTML.

Is that close?

Thanks,
- Chris
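
Added example, not part of the original thread and not Wt's code: a small model of the feedback loop discussed above, comparing the compressed response size when the session secret follows a cookie with the case where an unknown URL ID starts a new session. The page template, identifiers and function names are constructed, and the URL-session handling is a simplified assumption based only on the description in the thread.

```python
import hashlib
import zlib

# Constructed page template: one secret field plus one reflected request value.
PAGE = ("<html><body><form method='post'>"
        "<input type='hidden' name='token' value='{secret}'></form>"
        "<p>You searched for: {reflected}</p></body></html>")

def hex_id(label):
    """Deterministic stand-in for a random 128-bit identifier (constructed)."""
    return hashlib.sha256(label.encode()).hexdigest()[:32]

VICTIM_SECRET = hex_id("victim-session")

def cookie_app(cookie_secret, reflected):
    """Cookie model: the browser attaches the cookie to every request, so the
    victim's secret is rendered even when a third party triggered the request."""
    return PAGE.format(secret=cookie_secret, reflected=reflected)

def url_session_app(url_session_id, known_sessions, reflected, counter):
    """URL model as described in the thread: an ID the server does not know
    starts a new session, and that new ID is what comes back in the HTML."""
    if url_session_id not in known_sessions:
        url_session_id = hex_id("fresh-%d" % counter)
    return PAGE.format(secret=url_session_id, reflected=reflected)

def wire_len(body):
    """Size of the body after DEFLATE, which is what an on-path observer sees."""
    return len(zlib.compress(body.encode(), 9))

def length_gap(render):
    """Compressed-size difference between a wrong and a correct reflected guess."""
    wrong = wire_len(render(hex_id("wrong-guess")))
    right = wire_len(render(VICTIM_SECRET))
    return wrong - right

def cookie_gap():
    return length_gap(lambda guess: cookie_app(VICTIM_SECRET, guess))

def url_gap():
    known = {VICTIM_SECRET}
    # The forged request carries a guessed ID, not the victim's; the same
    # counter is reused so that only the reflected guess differs.
    return length_gap(
        lambda guess: url_session_app(hex_id("guessed-id"), known, guess, 1))

if __name__ == "__main__":
    print("cookie-tracked session gap:", cookie_gap(), "bytes")
    print("URL-tracked session gap:   ", url_gap(), "bytes")
```

A large gap in the cookie model means the response size depends on the secret; in the URL model the victim's ID never appears in the response to a forged request, so the gap stays at noise level.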