- From: Roland Zink <roland@zinks.de>
- Date: Thu, 24 Jul 2014 18:37:18 -0400
- To: HTTP Working Group <ietf-http-wg@w3.org>
- Message-Id: <6F90AC30-7C28-4181-AEB9-373FEB8D9D8B@zinks.de>

What if an attacker can get the path through a Referer header?

> On 22.07.2014 at 02:08, Roberto Peon <grmocg@gmail.com> wrote:
>
> Like so: http://en.wikipedia.org/wiki/CRIME
> -=R
>
>> On Mon, Jul 21, 2014 at 10:40 PM, Poul-Henning Kamp <phk@phk.freebsd.dk> wrote:
>> In message <CAP+FsNcaxeEhEpQCAteQUZGn03OXTv=MR8xz9nLZVDSU9nf8iA@mail.gmail.com>, Roberto Peon writes:
>>
>> >If the path contains:
>> >/foo/RANDOM_NUMBER/bar
>> >
>> >and the query contains:
>> >q=foo&user=SOME_SECRET_ID
>> >
>> >Then guessing:
>> >/foo/RANDOM_NUMBER/bar?q=foo&user=SOME_SECRET_ID
>> >
>> >is far, far FAR more difficult than guessing:
>> > q=foo&user=SOME_SECRET_ID
>> >alone or
>> > /foo/RANDOM_NUMBER/bar
>> >alone.
>>
>> Only if you have an oracle to tell you that you got a hit.
>>
>> Could you outline exactly how this attack would work ?
>>
>> --
>> Poul-Henning Kamp | UNIX since Zilog Zeus 3.20
>> phk@FreeBSD.ORG | TCP/IP since RFC 956
>> FreeBSD committer | BSD since 4.3-tahoe
>> Never attribute to malice what can adequately be explained by incompetence.

Received on Thursday, 24 July 2014 22:37:42 UTC
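
An added illustration of the guessing-cost argument in the quoted text (not code from the thread or from any HTTP/2 implementation): a simplified header table that shrinks a field only on an exact whole-field match stands in for the oracle, and the model counts how many guesses are needed when path and query travel as one field versus two. The `:query` field name, the two-digit value spaces and the byte sizes are assumptions made for the example.

```python
from itertools import product

class FieldTable:
    """Simplified stand-in for a per-connection header table: a field is
    sent as a 1-byte reference only if the complete (name, value) pair
    was seen before; otherwise it is sent as a literal and remembered."""
    def __init__(self):
        self.seen = set()

    def encoded_size(self, fields):
        size = 0
        for name, value in fields:
            if (name, value) in self.seen:
                size += 1                            # exact whole-field hit
            else:
                size += 2 + len(name) + len(value)   # literal (constructed cost)
                self.seen.add((name, value))
        return size

def guesses_until_hit(victim_fields, candidates):
    """Count guesses until the observed size reveals a whole-field match."""
    table = FieldTable()
    table.encoded_size(victim_fields)                # victim request fills the table
    for n, guess in enumerate(candidates, 1):
        if table.encoded_size([guess]) == 1:
            return n
    return None

# Constructed value spaces: 100 possible paths, 100 possible user ids.
PATHS = [f"/foo/{i:02d}/bar" for i in range(100)]
QUERIES = [f"q=foo&user={i:02d}" for i in range(100)]
SECRET_PATH, SECRET_QUERY = PATHS[42], QUERIES[17]

def combined_cost():
    """Path and query in one :path field: both must be right in one guess."""
    victim = [(":path", f"{SECRET_PATH}?{SECRET_QUERY}")]
    cands = ((":path", f"{p}?{q}") for p, q in product(PATHS, QUERIES))
    return guesses_until_hit(victim, cands)

def split_cost():
    """Hypothetical split into :path and :query: each is confirmed alone."""
    victim = [(":path", SECRET_PATH), (":query", SECRET_QUERY)]
    return (guesses_until_hit(victim, ((":path", p) for p in PATHS))
            + guesses_until_hit(victim, ((":query", q) for q in QUERIES)))

if __name__ == "__main__":
    print("one field :", combined_cost(), "guesses")
    print("two fields:", split_cost(), "guesses")
```

With one field the search space is the product of the two value spaces; with two independently matched fields it is only their sum, which is why the split form is easier to guess.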