nextcloud

History

Lukas Reschke 8313a3fcb3 Add mitigation against BREACH While BREACH requires the following three factors to be effectively exploitable we should add another mitigation: 1. Application must support HTTP compression 2. Response most reflect user-controlled input 3. Response should contain sensitive data Especially part 2 is with ownCloud not really given since user-input is usually only echoed if a CSRF token has been passed. To reduce the risk even further it is however sensible to encrypt the CSRF token with a shared secret. Since this will change on every request an attack such as BREACH is not feasible anymore against the CSRF token at least.	2015-08-14 01:31:32 +02:00
..
DIContainerTest.php	Add mitigation against BREACH	2015-08-14 01:31:32 +02:00

Lukas Reschke 8313a3fcb3 Add mitigation against BREACH

While BREACH requires the following three factors to be effectively exploitable we should add another mitigation:

1. Application must support HTTP compression
2. Response most reflect user-controlled input
3. Response should contain sensitive data

Especially part 2 is with ownCloud not really given since user-input is usually only echoed if a CSRF token has been passed.

To reduce the risk even further it is however sensible to encrypt the CSRF token with a shared secret. Since this will change on every request an attack such as BREACH is not feasible anymore against the CSRF token at least.

2015-08-14 01:31:32 +02:00

DIContainerTest.php

Add mitigation against BREACH

2015-08-14 01:31:32 +02:00