
Mitigation of BREACH #1480



@fmpwizard
Lift Web Framework member

Based on the discussion in this mailing-list thread:
https://groups.google.com/d/topic/liftweb/_WFVrPPu-4E/discussion

Change the size of the response headers on each request.

@fmpwizard
Lift Web Framework member

closing until we get PoC software and find the best solution. See related mailing list thread for more info

Commits on Aug 6, 2013
  1. @fmpwizard
Showing with 24 additions and 1 deletion.
  1. +24 −1 web/webkit/src/main/scala/net/liftweb/http/LiftRules.scala
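--- a/web/webkit/src/main/scala/net/liftweb/http/LiftRules.scala
+++ b/web/webkit/src/main/scala/net/liftweb/http/LiftRules.scala
@@ -1536,9 +1536,32 @@ class LiftRules() extends Factory with FormVendor with LazyLoggable {
 @volatile var cometGetTimeout = 140000
 /**
+ * Set to false if you are using some other way to prevent the BREACH attack
+ */
+ val breachMitigation: FactoryMaker[Boolean] = new FactoryMaker(() => true) {}
+
+ /**
 * Compute the headers to be sent to the browser in addition to anything else that's sent
 */
- val listOfSupplimentalHeaders: FactoryMaker[List[(String, String)]] = new FactoryMaker(() => List(("X-Lift-Version", liftVersion), ("X-Frame-Options", "SAMEORIGIN"))) {}
+ val listOfSupplimentalHeaders: FactoryMaker[List[(String, String)]] = {
+ import scala.util.Random
+ /**
+ * We add 10 fake JSESSIONID strings to the header
+ * Each sessionid has a random string and random length between 10 and 25 character long
+ *
+ */
+ val numberOfFakeSessionIds = 1 to 10
+ def length = (10 to 25)(Random.nextInt(15))
+
+ def noBreachSessionIds = numberOfFakeSessionIds.foldLeft(new StringBuilder){
+ case (acc, _ ) =>
+ acc.append ( ("JSESSIONID=" + randomString(length)) + "; " + ("JSESSIONID=" + randomString(length) + "; ") ) }
+
+ new FactoryMaker(() => List(
+ ("X-Lift-Version", liftVersion), ("X-Frame-Options", "SAMEORIGIN"), ("X-NO-BREACH", noBreachSessionIds.toString())
+ )) {}
+
+ }
 @volatile var supplimentalHeaders: HTTPResponse => Unit = s => listOfSupplimentalHeaders.vend.foreach{case (k, v) => s.addHeaders(List(HTTPParam(k, v)))}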
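Review bot: The random-length `X-NO-BREACH` header built in `listOfSupplimentalHeaders` does not mitigate BREACH, because the attack measures the length of the gzip/deflate-compressed response body, and HTTP/1.1 headers are never part of that compressed stream, so padding the headers leaves the length side channel on reflected secrets in the body untouched. Mitigations that actually work operate on the body or the secret itself: do not compress responses that reflect attacker-controlled input alongside a secret, mask or re-randomize per-response tokens (e.g. the CSRF token), or add random-length padding to the body, which only slows the attack rather than preventing it. Separately, the new `breachMitigation` FactoryMaker is declared but never read in this hunk, so the header is emitted even when a user sets it to false as its doc comment invites; at minimum the entry should be gated, e.g. `("X-NO-BREACH", noBreachSessionIds.toString())` becoming `if (breachMitigation.vend) List(("X-NO-BREACH", noBreachSessionIds.toString())) else Nil` appended with `++`. Note also that `randomString` is not a member of `scala.util.Random`, so it presumably resolves to a helper from the enclosing `LiftRules` scope (likely Lift's `Helpers.randomString`); a one-line comment naming the source would help, since `(10 to 25)(Random.nextInt(15))` next to it reads as if the stdlib `Random` supplied both. The enclosing class body continues outside this hunk.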