That pretty much sums it up. I just fiddled with the ways I could think to bypass the way Wt handles sessions in the context of BREACH. Couldn't think of anything.
- Thomas

On 08/19/2013 01:24 PM, Chris Frey wrote:
> On Mon, Aug 19, 2013 at 09:57:14PM +0200, Koen Deforche wrote:
>> Since we do not rely on cookies, there is no need for CSRF tokens. The
>> BREACH attack doesn't really mention very well, IMHO, that it relies
>> on cookies for session tracking in the first place since that's the
>> starting point to trying to guess a secret in the page by generating
>> requests from the user's browser.
> Thanks very much for your reply!
>
> Yes, that makes more sense. If I understand correctly, the entire attack
> relies on:
>
> - the CSRF is given to the server via cookie automatically
> - the CSRF consistently comes back to the user via HTML
> - there is a similar feedback loop where the attacker can
>   provide his own ID in the URL, and it also comes back
>   via the HTML in some other place
>
> In Wt's case, there is generally no cookie value at all, and if the
> attacker guesses a different ID via URL, then it just starts a new
> session and that new ID comes back in the HTML.
>
> Is that close?
>
> Thanks,
> - Chris
>
> _______________________________________________
> witty-interest mailing list
> witty-interest@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/witty-interest
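The cookie-style precondition Chris lists (a fixed secret reflected in the same compressed body as attacker-chosen input), modelled as an added Python example that is not code from Wt or from anyone in this thread. The page layout, the token value and the per-response XOR masking (a standard BREACH mitigation, not something the thread attributes to Wt) are all constructed for the demo; `leaks_via_length` is a check a defender can run against their own rendering code.

```python
import os
import zlib
from typing import Optional

# Constructed sample token for the demo; not a value from any real Wt application.
SECRET_TOKEN = "csrftoken=9f1b4c2a"


def render_unmasked(secret: str, reflected: str) -> bytes:
    """Cookie-style page Chris describes: the per-session secret is sent verbatim in
    every response, in the same compressed body as an attacker-chosen URL parameter."""
    html = (f"<html><body><p>Results for: {reflected}</p>"
            f"<form><input type='hidden' name='csrf' value='{secret}'></form>"
            "</body></html>")
    return html.encode()


def mask_token(secret: str, pad: Optional[bytes] = None) -> str:
    """Per-response masking: XOR the token with a fresh random pad and send pad||masked.
    The bytes carrying the token differ on every response, so a reflected guess can never
    become an LZ77 back-reference to them. `pad` is overridable only for deterministic tests."""
    raw = secret.encode()
    pad = os.urandom(len(raw)) if pad is None else pad
    masked = bytes(a ^ b for a, b in zip(raw, pad))
    return (pad + masked).hex()


def unmask_token(field: str) -> str:
    """Server side: recover the real token from a submitted masked field."""
    data = bytes.fromhex(field)
    half = len(data) // 2
    return bytes(a ^ b for a, b in zip(data[:half], data[half:])).decode()


def render_masked(secret: str, reflected: str, pad: Optional[bytes] = None) -> bytes:
    """Same page, but the hidden field carries the masked form instead of the raw token."""
    return render_unmasked(mask_token(secret, pad), reflected)


def compressed_size(body: bytes) -> int:
    """Stand-in for the record length an on-path observer sees when HTTP compression is on."""
    return len(zlib.compress(body, 6))


def leaks_via_length(render, secret: str) -> bool:
    """BREACH precondition check: does reflecting the exact secret compress smaller than
    reflecting the same characters in a different order? Reversing keeps the literal
    frequencies equal, so only a back-reference to the secret can explain a difference."""
    right = compressed_size(render(secret, secret))
    wrong = compressed_size(render(secret, secret[::-1]))
    return right < wrong
```

With `render_unmasked` the check returns True, which is the feedback loop Chris describes; with `render_masked` the secret's bytes never repeat between responses, so the length no longer tracks the guess, and the server still recovers the token with `unmask_token`.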