Implemented Improve csrf_token to mitigate BREACH attacks

AlexT

AlexT

Well-known member
XenForo sites running on SSL/TLS may be subject to BREACH attacks. To mitigate the attack, one could improve the csrf_token generated by XenForo. Currently it consists of a random string of 40 characters. Instead, it is suggested to do the following:

The researchers who discovered the attack suggest mitigating it by "masking" secret tokens so they are different on each request. This implements their suggested masking approach from section 3.4 of the paper (PDF). The authenticity token is delivered as a 64-byte string, instead of a 32-byte string. The first 32 bytes are a one-time pad, and the second 32 are an XOR between the pad and the "real" CSRF token. The point is not to hide the token from the client, but to make sure it is different on every request so it's impossible for an attacker to recover by measuring compressability.
Click to expand...
 
Upvote 0
This suggestion has been implemented. Votes are no longer accepted.

Similar threads

K
Fixed \XF\Util\Random::getRandomString() seems suspectible to timing attacks
Replies
4
Views
709
XF Bug Bot
XF Bug Bot
K
  • Suggestion Suggestion
Duplicate Add an option to disable CSRF checks for modern browsers
Replies
0
Views
1K
Kirby
K
digitalpoint
XF 2.2 ChatGPT rewriting JavaScript
Replies
17
Views
1K
Forsaken
Forsaken
yodiceman
Duplicate Unfurl error due to apostrophe in internal link
Replies
1
Views
535
Jeremy P
Jeremy P
tristan9
Xenforo and edge caches
Replies
5
Views
1K
motowebmaster
motowebmaster
Top Bottom