Security: Wt and the new BREACH vulnerability

  • Posted by koen
  • Wednesday, August 7, 2013 @ 16:13

A new vulnerability, BREACH, was presented last week on Thursday at the Black Hat security conference in Las Vegas.

The vulnerability is significant since it severely breaks the effectiveness of SSL to secure a web application.

The paper provides more details, and shows how the attack can be used for example to decode the CSRF token used by web applications to protect against CSRF attacks. A CSRF attack itself is based on using cookies for session IDs (and the session implying an authenticated user). Since Wt never relies (solely) on cookies for session tracking, luckily, a Wt application is thus not vulnerable to BREACH, not in the context of CSRF or any other secret to be obtained from the web application.

Note that even if you configure session-tracking to Auto (which we do not recommend), in which case we do insert a cookie with the session ID, we never rely solely on this cookie for session identification in subsequent Ajax requests and require the session ID to be URL-encoded even then, mitigating any CSRF attack. The added value of the cookie is solely for a browser refresh to keep the session, but we do not interpret user data from such a page refresh.

Tags:
6 comments
  • Posted by anonymous
  • 11 years ago
  • Posted by anonymous
  • 10 years ago
happy using wt
  • Posted by Bolzen
  • 11 years ago
those folks are like kids -- hunting for pimples with a rifle. Patch over patch over update which in turn has a breach of its own.
  • Posted by anonymous
  • 11 years ago
sometimes a rifle is necessary
  • Posted by anonymous
  • 10 years ago
  • Posted by Bolzen
  • 11 years ago
what about an atomic bomb?

Contact us for more information
or a personalised quotation