- From: Frederik Braun <fbraun@mozilla.com>
- Date: Tue, 28 Jan 2014 09:43:53 +0100
- To: public-webappsec@w3.org

On 27.01.2014 17:50, Andrew wrote:
> http://en.wikipedia.org/wiki/Length_extension_attack
>
> One solution would be to use a HMAC construction where the 'key'
> material is composed from resource meta data, including the verified
> Content-Length, or to mandate a hash function immune to such attacks,
> such as SHA-3.

Thank you for bringing this to our attention. I actually had someone come up to me yesterday, to raise this very same point.

It would be an interesting challenge to set oneself, to make a working length extension that not only contains valid JavaScript, but also does something evil (one could imagine appending "eval(name);//" and then append some more to fix up the hash - maybe that'll work. But I'd rather we don't take the chances ;)

So maybe an HMAC makes more sense - who'd pick the key? Is it just something encoded within the attribute by the website author then?

What do the others think?

Frederik

Received on Tuesday, 28 January 2014 08:44:26 UTC
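
One way to read the HMAC proposal quoted in the message above, as an added example that is not part of the original thread or of any specification: the key is derived from resource metadata, so a body with appended bytes fails the length check or the tag comparison. The metadata fields (URL, content type, Content-Length), the key-derivation encoding, the function names and the sample resource are all assumptions made for illustration.

```python
import hashlib
import hmac

def derive_key(url: str, content_type: str, content_length: int) -> bytes:
    """Derive HMAC key material from resource metadata (assumed field set).
    Each field is length-prefixed so field boundaries cannot be shifted.
    The metadata is public, so the key is not a secret: this binds the body
    to its declared metadata, it does not authenticate a sender."""
    parts = [url.encode(), content_type.encode(), str(content_length).encode()]
    material = b"".join(len(p).to_bytes(4, "big") + p for p in parts)
    return hashlib.sha256(material).digest()

def integrity_tag(body: bytes, url: str, content_type: str,
                  content_length: int) -> str:
    """Tag the site author would publish alongside the resource reference."""
    key = derive_key(url, content_type, content_length)
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def verify(body: bytes, url: str, content_type: str,
           declared_length: int, expected_tag: str) -> bool:
    """Check the received body against the published tag."""
    # Reject any body whose size differs from the verified Content-Length.
    if len(body) != declared_length:
        return False
    tag = integrity_tag(body, url, content_type, declared_length)
    return hmac.compare_digest(tag, expected_tag)

# Constructed sample resource and metadata (not taken from the thread).
URL = "https://cdn.example/lib.js"
CTYPE = "application/javascript"
ORIGINAL = b"console.log('hello');\n"
TAG = integrity_tag(ORIGINAL, URL, CTYPE, len(ORIGINAL))

def demo() -> dict:
    extended = ORIGINAL + b"/* appended bytes */"
    return {
        "original": verify(ORIGINAL, URL, CTYPE, len(ORIGINAL), TAG),
        # Appended data, original length still declared: length check fails.
        "extended_old_length": verify(extended, URL, CTYPE, len(ORIGINAL), TAG),
        # Appended data with a matching length: key and tag both change.
        "extended_new_length": verify(extended, URL, CTYPE, len(extended), TAG),
    }

if __name__ == "__main__":
    print(demo())
```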