Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add mitigation against BREACH #18254

Merged
merged 2 commits into from
Aug 24, 2015
Merged

Add mitigation against BREACH #18254

merged 2 commits into from
Aug 24, 2015

Conversation

LukasReschke
Copy link
Member

While BREACH requires the following three factors to be effectively exploitable we should add another mitigation:

  1. Application must support HTTP compression
  2. Response most reflect user-controlled input
  3. Response should contain sensitive data

Especially part 2 is with ownCloud not really given since user-input is usually only echoed if a CSRF token has been passed. (though there are parts such as the search box…)

To reduce the risk even further it is however sensible to encrypt the CSRF token with a shared secret. Since this will change on every request an attack such as BREACH is not feasible anymore against the CSRF token at least.

cc @owncloud/security-team Care to review?

@LukasReschke LukasReschke added this to the 8.2-current milestone Aug 13, 2015
LukasReschke
LukasReschke reviewed Aug 13, 2015
View reviewed changes
lib/private/util.php
@@ -1057,7 +1057,7 @@ public static function getInstanceId() {
/**
* Register an get/post call. Important to prevent CSRF attacks.
*
* @return string Generated token.
* @return string XOR'd CSRF token with an appended random separated by `:`
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/XOR/encrypted/

@LukasReschke
Copy link
Member Author 

11:19:19 Waiting for Oracle initialization ... 
11:21:19 Kill the docker 9582223b08afafe6c92e5235270226d78f0d4c8349a817772a91322cb5c18c20
11:21:20 9582223b08afafe6c92e5235270226d78f0d4c8349a817772a91322cb5c18c20
11:21:20 Build step 'Conditional step (single)' marked build as failure

sigh

bantu
bantu reviewed Aug 13, 2015
View reviewed changes
lib/private/appframework/http/request.php
@@ -415,8 +421,25 @@ public function passesCSRFCheck() {
return false;
}

if(is_null($this->crypto)) {
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Remove this and the null default?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed. Needed some small change to base.php though since autoloading is not available at this stuff and cyclic dependency fun…

@LukasReschke
Add mitigation against BREACH
8313a3f 
While BREACH requires the following three factors to be effectively exploitable we should add another mitigation:

1. Application must support HTTP compression
2. Response most reflect user-controlled input
3. Response should contain sensitive data

Especially part 2 is with ownCloud not really given since user-input is usually only echoed if a CSRF token has been passed.

To reduce the risk even further it is however sensible to encrypt the CSRF token with a shared secret. Since this will change on every request an attack such as BREACH is not feasible anymore against the CSRF token at least.
@LukasReschke
Remove search box $_POST since it is unused
df2ce8a
@scrutinizer-notifier
Copy link

A new inspection was created.

@LukasReschke
Copy link
Member Author

Let's try again before creating a new branch.

@ghost
Copy link

ghost commented Aug 14, 2015

🚀 Test PASSed.🚀
chuck

@LukasReschke
Copy link
Member Author

Reviews? 🙊

To test this basically take a look at the HTML source of ownCloud and check if the requesttoken is different each reload. Besides that click around and check if there are no CSRF token fails ;)

cc @MorrisJobke @nickvergessen

@LukasReschke
Copy link
Member Author

This wants reviewers lalalalalala – just 👍'ing is also fine 🙊

@DeepDiver1975 @MorrisJobke @karlitschek

@karlitschek
Copy link
Contributor

looks good 👍

@MorrisJobke
Copy link
Contributor

Did some tests - works 👍

MorrisJobke added a commit that referenced this pull request Aug 24, 2015
@MorrisJobke
Merge pull request #18254 from owncloud/mitigate-breach
40b1054 
Add mitigation against BREACH
@MorrisJobke MorrisJobke merged commit 40b1054 into master Aug 24, 2015
@MorrisJobke MorrisJobke deleted the mitigate-breach branch August 24, 2015 07:14
@lock lock bot locked as resolved and limited conversation to collaborators Aug 10, 2019
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers
No reviews
Assignees
No one assigned
Labels
3 - To Review enhancement security
Projects
None yet
Milestone
8.2
Development

Successfully merging this pull request may close these issues.
6 participants
@LukasReschke @scrutinizer-notifier @karlitschek @MorrisJobke @bantu @nickvergessen