- Bug
- Resolution: Unresolved
- Medium
- Frankfurt Release
- None
spring-security-web is vulnerable to the following security exploit:
Spring Security is vulnerable to BREACH attacks. BREACH, which stands for Browser Reconnaissance and Exfiltration via Adaptive Compression of Hypertext, is a compression side-channel attack that relies on HTTP compression being applied to the data in HTTP responses, where the length of the compressed data is exposed. Various functions across several files in Spring Security always return the same CSRF token to the browser. If HTTP compression is enabled, an attacker can exploit this with a BREACH attack by systematically guessing and retrieving the CSRF token one character at a time.
Ref: https://www.acunetix.com/blog/articles/breach-attack/
Vulnerable File(s) and Function(s):
- org/springframework/security/web/csrf/CsrfFilter.class: doFilterInternal()
- org/springframework/security/web/csrf/DefaultCsrfToken.class: getToken()
- org/springframework/security/web/server/csrf/CsrfWebFilter.class: containsValidCsrfToken()
- org/springframework/security/web/server/csrf/DefaultCsrfToken.class: getToken()
Detection
The application is vulnerable by using this component when CSRF protection is turned on and HTTP compression is enabled somewhere in the web server stack.
Reference: https://github.com/spring-projects/spring-security/issues/4001
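Added example, not part of this ticket or of Spring Security's code base: a Python sketch of the standard BREACH mitigation for CSRF tokens, masking the fixed per-session token with a fresh random pad on every response so the literal token never appears in compressible output (the same XOR-masking idea Spring Security later shipped as XorCsrfTokenRequestAttributeHandler). SESSION_TOKEN, render_page and the helper names are constructed for the illustration.

```python
import base64
import os
import zlib

# Constructed sample value: a fixed per-session CSRF token, as getToken() would return it.
SESSION_TOKEN = b"2c1d7a6e-59b5-4c3e-9a0f-0d3f4e5b6a71"


def mask_token(token: bytes) -> str:
    """Return pad || (pad XOR token), base64-encoded, with a fresh random pad each call."""
    pad = os.urandom(len(token))
    masked = bytes(p ^ t for p, t in zip(pad, token))
    return base64.b64encode(pad + masked).decode("ascii")


def unmask_token(encoded: str, token_len: int) -> bytes:
    """Inverse of mask_token: the server recovers the real token before comparing it."""
    raw = base64.b64decode(encoded)
    if len(raw) != 2 * token_len:
        raise ValueError("masked token has unexpected length")
    pad, masked = raw[:token_len], raw[token_len:]
    return bytes(p ^ m for p, m in zip(pad, masked))


def render_page(token_field: str, reflected: str) -> bytes:
    """Toy HTML response: a hidden CSRF field next to a reflected request parameter."""
    return f'<input type="hidden" name="_csrf" value="{token_field}"/><p>q={reflected}</p>'.encode()


def compressed_lengths(bodies) -> set:
    """Distinct zlib-compressed sizes across responses; a stable size per input is what BREACH measures."""
    return {len(zlib.compress(b)) for b in bodies}


def fixed_token_responses(reflected: str, n: int = 5):
    """The vulnerable pattern described in the ticket: the same token in every response."""
    return [render_page(SESSION_TOKEN.decode(), reflected) for _ in range(n)]


def masked_token_responses(reflected: str, n: int = 5):
    """The mitigated pattern: a differently masked token in every response."""
    return [render_page(mask_token(SESSION_TOKEN), reflected) for _ in range(n)]


def token_on_wire(bodies) -> bool:
    """True if the raw token appears verbatim in any response body."""
    return any(SESSION_TOKEN in b for b in bodies)
```

With the fixed token every response has the same compressed length and carries the token verbatim; with masking, the bytes an attacker would need to match change on every response, so the length oracle no longer converges on the token.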