How to prevent BREACH attack in ASP.NET MVC Core?

I have been advised to implement the following items in our ASP.NET MVC Core site to prevent a BREACH attack. How do you implement them?

Separate the secrets from the user input.
Randomize the secrets in each client request.
Mask secrets (effectively randomizing by XORing with a random secret per request).
Obfuscate the length of web responses by adding random amounts of arbitrary bytes.

We have already implemented Anti-Cross Site Forgery Tokens on every form and turned off Http Level Compression.

Any help would be greatly appreciated.

This is reported by this tool:

https://www.acunetix.com/

Thank you in advance.

All I did was disabling HTTP compression in IIS and the BREACH ATTACH issue was no longer raise by our security scans.

As mentioned by @Isa "Disabling HTTP compression in IIS"

you can find the tips in this article

there is a section, titled "HOW TO ENABLE OR DISABLE STATIC AND DYNAMIC COMPRESSION FOR A SITE OR APPLICATION"

I have disabled the dynamic compression, retested and passed.

来源：https://stackoverflow.com/questions/39858909/how-to-prevent-breach-attack-in-asp-net-mvc-core

标签

易学教程内所有资源均来自网络或用户发布的内容，如有违反法律规定的内容欢迎反馈！
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!