New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
CSRF tokens are vulnerable to a BREACH attack #4001
Labels
Milestone
Comments
The proposed solution will be to introduce a default method to
Then override the default method in Targeted for 5.0 RELEASE which will support Java 8. |
@jgrandja care about potential timing-attack with your proposal. Using |
This was referenced Apr 24, 2023
This was referenced Jun 4, 2023
This was referenced Jul 31, 2023
This was referenced Aug 28, 2023
This was referenced Oct 16, 2023
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Labels
Summary
The CSRF tokens generated by Spring are vulnerable to a BREACH attack. More details at http://breachattack.com/
I'll create a pull request with a proposed code change to fix this.
Actual Behavior
Spring always returns the same CSRF token to the browser.
Expected Behavior
The simplest way to mitigate this would be to return a token which is composed of a random per secret request XORed with an internal CSRF token. This effectively means that the browser receives a new CSRF token with each request.
Configuration
This only occurs when you turn on CSRF protection in Spring and also have HTTP compression enabled somewhere in your web server stack.
Version
Currently exists in latest version in Git.
Sample
N/A
The text was updated successfully, but these errors were encountered: