8313a3fcb3
While BREACH requires the following three factors to be effectively exploitable we should add another mitigation: 1. Application must support HTTP compression 2. Response most reflect user-controlled input 3. Response should contain sensitive data Especially part 2 is with ownCloud not really given since user-input is usually only echoed if a CSRF token has been passed. To reduce the risk even further it is however sensible to encrypt the CSRF token with a shared secret. Since this will change on every request an attack such as BREACH is not feasible anymore against the CSRF token at least. |
||
|---|---|---|
| .. | ||
| ContentSecurityPolicyTest.php | ||
| DataResponseTest.php | ||
| DispatcherTest.php | ||
| DownloadResponseTest.php | ||
| HttpTest.php | ||
| JSONResponseTest.php | ||
| OCSResponseTest.php | ||
| RedirectResponseTest.php | ||
| RequestTest.php | ||
| ResponseTest.php | ||
| StreamResponseTest.php | ||
| TemplateResponseTest.php | ||
| requeststream.php | ||