I'm hoping someone will be able to help my understanding of this issue and whether or not I need to take any extra steps to protect my application.
Reading up on this particular vulnerability, it seems to impact servers that match the following criteria:
- Be served from a server that uses HTTP-level compression
- Reflect user-input in HTTP response bodies
- Reflect a secret (such as a CSRF token) in HTTP response bodies
It also seems that mitigation steps, in order of effectiveness are:
- Disabling HTTP compression
- Separating secrets from user input
- Randomizing secrets per request
- Masking secrets (effectively randomizing by XORing with a random secret per request)
- Protecting vulnerable pages with CSRF
- Length hiding (by adding random number of bytes to the responses)
- Rate-limiting the requests
In the view of my page, I'm calling the helper method @Html.AntiForgeryToken which creates the corresponding input and cookie when I visit the form. From looking over what this helper method does, it seems to create a new, unique token each time the page is loaded, which seems to meet point 3 in the mitigation steps and the act of using a CSRF token in the first place meets point 5.
Disabling HTTP compression seems to be widely regarded as 'not good for performance' and from some other resources I've been reading, length hiding could possibly cause issues for functionality like file upload (which this page uses)
So, after all that, the only thing that I can really thing to look at now is separating secrets from user input. I thought about maybe trying to put the CSRF token value into the session.....or am I completely over-thinking this and is the current implementation of '@Html.AntiForgeryToken` good enough to protect us?
1 Answers
Answers 1
Yes if the CSRF token is random, then it mitigates the attack. As long as you aren't sending any other secrets with user input forms you should be okay.
Alternatively,
Disable compression for on pages that have user input is a possibility as well. Checkout this answer Can gzip compression be selectively disabled in ASP.NET/IIS 7?
0 comments:
Post a Comment