Changes between Initial Version and Version 2 of Ticket #34170


Ignore:
Timestamp:
Nov 20, 2022, 4:50:04 PM (2 years ago)
Author:
Nick Pope
Comment:

Legend:

Unmodified
Added
Removed
Modified

  • Ticket #34170

    • Property Has patch set
    • Property Patch needs improvement set
    • Property Triage Stage UnreviewedAccepted
    • Property Version 4.1dev
    • Property Keywords breach htb gzip added
    • Property Owner changed from nobody to Andreas Pelme

  • Ticket #34170 – Description

    initial v2  
    1 The BREACH attach (https://breachattack.com/) was published in 2013. The Django project responded soon after (https://www.djangoproject.com/weblog/2013/aug/06/breach-and-django/) suggesting users to basically stop using gzip. CSRF masking was implemented in 2016 (#20869).
     1The BREACH attack (https://breachattack.com/) was published in 2013. The Django project responded soon after (https://www.djangoproject.com/weblog/2013/aug/06/breach-and-django/) suggesting users to basically stop using gzip. CSRF masking was implemented in 2016 (#20869).
    22
    33In April 2022, a paper called "Heal The Breach" was published, suggesting a mitigation that does not depend on masking specific tokens or injecting data into HTML. It is rather a generic and effective mitigation. It suggests adding randomness to the compressed response by injecting random bytes in the gzip filename field of the gzip stream: https://ieeexplore.ieee.org/document/9754554
Back to Top