Message4935
Also note that the CSRF token may need to be a single use token.
So as soon as a post is made with the token, it gets masked/rewritten
and is no longer valid.
This protects against BREACH types of attacks against the token.
http://breachattack.com/
which recommends the following mitigation methods:
- Disabling HTTP compression
- Separating secrets from user input
- Randomizing secrets per request
- Masking secrets (effectively randomizing by XORing with a random secret per request)
- Protecting vulnerable pages with CSRF
- Length hiding (by adding random number of bytes to the responses)
- Rate-limiting the requests
Date | User | Action | Args
2013-10-09 20:31:12 | rouilj | set | messageid: <1381350672.47.0.795616678964.issue2550690@psf.upfronthosting.co.za>
2013-10-09 20:31:12 | rouilj | set | recipients: + rouilj, schlatterbeck, ber, joseph_myers, eadler
2013-10-09 20:31:12 | rouilj | link | issue2550690 messages
2013-10-09 20:31:11 | rouilj | create |
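The masking and single-use ideas from the message above, as an added example that is not part of the original post and not Roundup's own CSRF code. It assumes a per-session secret held server-side; the function names (`mask_token`, `unmask_token`, `verify_token`, `SingleUseCsrfStore`) are hypothetical. Each response carries the secret XORed with a fresh random pad, so the same secret never appears as the same byte string twice, which is what denies a compression-length oracle a stable target; the store additionally accepts each issued token at most once.

```python
import hashlib
import hmac
import secrets
from typing import Optional

SECRET_LEN = 32  # bytes of per-session CSRF secret


def generate_csrf_secret() -> bytes:
    """Per-session secret, kept server-side (never sent unmasked)."""
    return secrets.token_bytes(SECRET_LEN)


def mask_token(secret: bytes) -> str:
    """Masking as described by breachattack.com: XOR the secret with a
    random one-time pad and transmit pad || (secret XOR pad), hex-encoded.
    The pad is fresh per call, so every response body differs even though
    the underlying secret is unchanged."""
    if len(secret) != SECRET_LEN:
        raise ValueError("secret has unexpected length")
    pad = secrets.token_bytes(SECRET_LEN)
    masked = bytes(s ^ p for s, p in zip(secret, pad))
    return (pad + masked).hex()


def unmask_token(token: str) -> Optional[bytes]:
    """Recover the secret from a masked token; None if malformed."""
    try:
        raw = bytes.fromhex(token)
    except ValueError:
        return None
    if len(raw) != 2 * SECRET_LEN:
        return None
    pad, masked = raw[:SECRET_LEN], raw[SECRET_LEN:]
    return bytes(m ^ p for m, p in zip(masked, pad))


def verify_token(secret: bytes, token: str) -> bool:
    """Constant-time comparison of the unmasked value with the session secret."""
    recovered = unmask_token(token)
    if recovered is None:
        return False
    return hmac.compare_digest(recovered, secret)


class SingleUseCsrfStore:
    """Issues masked tokens and accepts each one at most once (the
    single-use behaviour the message recommends). In-memory here;
    a real deployment would persist the issued set with the session."""

    def __init__(self, secret: bytes) -> None:
        self.secret = secret
        self._issued: set = set()

    @staticmethod
    def _digest(token: str) -> bytes:
        return hashlib.sha256(token.encode("ascii")).digest()

    def issue(self) -> str:
        token = mask_token(self.secret)
        self._issued.add(self._digest(token))
        return token

    def consume(self, token: str) -> bool:
        """Accept the token only if we issued it and it unmasks to the
        secret, then invalidate it so a replay is rejected."""
        digest = self._digest(token)
        if digest not in self._issued:
            return False
        if not verify_token(self.secret, token):
            return False
        self._issued.discard(digest)
        return True


if __name__ == "__main__":
    sess = generate_csrf_secret()
    a, b = mask_token(sess), mask_token(sess)
    print("same secret, different wire forms:", a != b)
    store = SingleUseCsrfStore(sess)
    t = store.issue()
    print("first submit accepted:", store.consume(t))
    print("replay accepted:", store.consume(t))
```

Masking alone does not make the token unguessable by other means; it only removes the fixed byte sequence that compression-based length measurement needs, which is why the site lists it alongside disabling compression, length hiding and rate limiting rather than as a replacement for them.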