CSRF tokens are vulnerable to a BREACH attack #4001
The CSRF tokens generated by Spring are vulnerable to a BREACH attack. More details at http://breachattack.com/
I'll create a pull request with a proposed code change to fix this.
Spring always returns the same CSRF token to the browser.
The simplest way to mitigate this would be to return a token which is composed of a random per-request secret XORed with an internal CSRF token. This effectively means that the browser receives a new CSRF token with each request.
This only occurs when you turn on CSRF protection in Spring and also have HTTP compression enabled somewhere in your web server stack.
This currently exists in the latest version in Git.
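The masking scheme sketched above, as an added example that is not Spring Security's own code: the server keeps one session-bound secret, every response carries `mask || (mask XOR secret)` so the bytes on the page change each time, and validation unmasks and compares in constant time. The hex encoding and 32-byte secret length are assumptions for this illustration.

```python
import hmac
import secrets
from typing import Optional

TOKEN_LEN = 32  # assumed byte length of the underlying CSRF secret


def generate_csrf_secret() -> bytes:
    """Session-bound CSRF secret; stored server side and never sent in raw form."""
    return secrets.token_bytes(TOKEN_LEN)


def mask_token(secret: bytes, mask: Optional[bytes] = None) -> str:
    """Return a fresh per-request form of the secret: mask || (mask XOR secret), hex-encoded.

    A new random mask per response means the token bytes embedded in the page differ
    every time, so a compression side channel gets no stable value to converge on.
    The optional `mask` argument exists only so tests can be deterministic.
    """
    if mask is None:
        mask = secrets.token_bytes(len(secret))
    if len(mask) != len(secret):
        raise ValueError("mask must be the same length as the secret")
    masked = bytes(m ^ s for m, s in zip(mask, secret))
    return (mask + masked).hex()


def unmask_token(presented: str) -> Optional[bytes]:
    """Recover the underlying secret from a presented token, or None if malformed."""
    try:
        raw = bytes.fromhex(presented)
    except ValueError:
        return None
    if len(raw) != 2 * TOKEN_LEN:
        return None
    mask, masked = raw[:TOKEN_LEN], raw[TOKEN_LEN:]
    return bytes(m ^ x for m, x in zip(mask, masked))


def validate_token(secret: bytes, presented: str) -> bool:
    """Server-side check: unmask, then compare without leaking timing."""
    recovered = unmask_token(presented)
    if recovered is None:
        return False
    return hmac.compare_digest(recovered, secret)
```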
Aug 30, 2016
The proposed solution will be to introduce a default method to
Then override the default method in
Targeted for 5.0 RELEASE which will support Java 8.