问题
I have been advised to implement the following items in our ASP.NET MVC Core site to prevent a BREACH attack. How do you implement them?
- Separate the secrets from the user input.
- Randomize the secrets in each client request.
- Mask secrets (effectively randomizing by XORing with a random secret per request).
- Obfuscate the length of web responses by adding random amounts of arbitrary bytes.
We have already implemented Anti-Cross Site Forgery Tokens on every form and turned off Http Level Compression.
Any help would be greatly appreciated.
This is reported by this tool:
https://www.acunetix.com/
Thank you in advance.
回答1:
All I did was disabling HTTP compression in IIS and the BREACH ATTACH issue was no longer raise by our security scans.
回答2:
As mentioned by @Isa "Disabling HTTP compression in IIS"
you can find the tips in this article
there is a section, titled "HOW TO ENABLE OR DISABLE STATIC AND DYNAMIC COMPRESSION FOR A SITE OR APPLICATION"
I have disabled the dynamic compression, retested and passed.
来源:https://stackoverflow.com/questions/39858909/how-to-prevent-breach-attack-in-asp-net-mvc-core