MVC 5 - Mitigating BREACH Vulnerability

I'm hoping someone will be able to help my understanding of this issue and whether or not I need to take any extra steps to protect my application.

Reading up on this particular vulnerability, it seems to impact servers that match the following criteria:

  • Be served from a server that uses HTTP-level compression
  • Reflect user-input in HTTP response bodies
  • Reflect a secret (such as a CSRF token) in HTTP response bodies

It also seems that mitigation steps, in order of effectiveness are:

  • Disabling HTTP compression
  • Separating secrets from user input
  • Randomizing secrets per request
  • Masking secrets (effectively randomizing by XORing with a random secret per request)
  • Protecting vulnerable pages with CSRF
  • Length hiding (by adding random number of bytes to the responses)
  • Rate-limiting the requests

In the view of my page, I'm calling the helper method `@Html.AntiForgeryToken`, which creates the corresponding input and cookie when I visit the form. From looking over what this helper method does, it seems to create a new, unique token each time the page is loaded, which seems to meet point 3 in the mitigation steps, and the act of using a CSRF token in the first place meets point 5.

Disabling HTTP compression seems to be widely regarded as 'not good for performance', and from some other resources I've been reading, length hiding could possibly cause issues for functionality like file upload (which this page uses).


So, after all that, the only thing that I can really think to look at now is separating secrets from user input. I thought about maybe trying to put the CSRF token value into the session... or am I completely over-thinking this, and is the current implementation of `@Html.AntiForgeryToken` good enough to protect us?

Jak Hammond asked May 19 '15 16:05
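The compression side channel the question describes, and the masking step from its mitigation list, as an added worked example. This is not code from the question, the answer, or ASP.NET MVC: the page, the secret token, and the "oracle" that stands in for the victim's browser fetching the page are all constructed here. Two simplifications are labelled in the comments: the reflected search term is not HTML-encoded (so the guess can line up with the `value="` attribute), and deflate is run with `zlib.Z_FIXED` so that the saving from a correct guess is exactly one byte rather than a few bits that a real attacker has to average out over several padded requests. The XOR masking is the generic technique from the list (fresh random pad per response, page carries pad plus secret XOR pad), not a description of how the MVC 5 helper builds its token.

```python
"""BREACH-style compression oracle against a page that reflects user input
next to a secret, and per-response XOR masking defeating it.

Added example; everything here (page, token, oracle) is constructed.
"""
import os
import zlib

HEX = "0123456789abcdef"

# Constructed stand-in for an anti-forgery token (hypothetical value; a real
# MVC token is longer and base64-encoded). No 7-character substring repeats,
# so each guess window below lines up with exactly one place in the page.
SECRET_TOKEN = "3fa9c0d17e62b58d4a1c"

# Constructed page: hidden anti-forgery field plus a reflected search term.
# Simplification: the term is reflected without HTML encoding, so the guess
# can start with value=" and align with the token. A real view encodes output
# and the attacker has to anchor on text that survives encoding.
PAGE_TEMPLATE = (
    '<html><head><title>Uploads</title></head><body>\n'
    '<ul class="nav"><li><a href="/uploads">Uploads</a></li>'
    '<li><a href="/history">History</a></li><li><a href="/logout">Logout</a></li></ul>\n'
    '<form action="/uploads" method="post" enctype="multipart/form-data">\n'
    '<input name="__RequestVerificationToken" type="hidden" value="{token_field}">\n'
    '<input name="file" type="file">\n'
    '</form>\n'
    '<p>Results for: {user_input}</p>\n'
    '</body></html>\n'
)


def render_page(token_field: str, user_input: str) -> bytes:
    return PAGE_TEMPLATE.format(token_field=token_field, user_input=user_input).encode()


def compressed_size(body: bytes) -> int:
    """Size of the deflated body, which is what an on-path observer sees.

    Simplification: Z_FIXED (fixed Huffman tables) makes the one-literal saving
    of a correct guess exactly one byte. With the default dynamic tables the
    saving is a few bits that may or may not cross a byte boundary, and a real
    attacker averages several differently padded requests to see it.
    """
    c = zlib.compressobj(9, zlib.DEFLATED, zlib.MAX_WBITS, 8, zlib.Z_FIXED)
    return len(c.compress(body) + c.flush())


def breach_recover(oracle, length: int, anchor: str = 'value="', alphabet: str = HEX) -> str:
    """Recover `length` characters of the secret, one request batch per character.

    oracle(user_input) plays the victim's browser: it fetches the page with the
    attacker's string reflected in it and reports the compressed size. Each
    guess is the last len(anchor) known characters plus one candidate, so the
    LZ77 match against the secret always has the same length except for the
    correct candidate, which extends it by one character and saves a literal.
    """
    recovered = ""
    for _ in range(length):
        window = (anchor + recovered)[-len(anchor):]
        sizes = {c: oracle(window + c) for c in alphabet}
        smallest = min(sizes.values())
        winners = [c for c, n in sizes.items() if n == smallest]
        if len(winners) != 1:
            break  # no single shortest response: no signal, or the secret moved
        recovered += winners[0]
    return recovered


def masked_field(token_hex: str) -> str:
    """Mitigation: fresh random pad per response; field is pad || (secret XOR pad)."""
    secret = bytes.fromhex(token_hex)
    pad = os.urandom(len(secret))
    return (pad + bytes(a ^ b for a, b in zip(secret, pad))).hex()


def unmask_field(field_hex: str) -> str:
    """Server side: strip the pad to recover the secret for validation."""
    raw = bytes.fromhex(field_hex)
    pad, masked = raw[: len(raw) // 2], raw[len(raw) // 2:]
    return bytes(a ^ b for a, b in zip(pad, masked)).hex()


def static_oracle(user_input: str) -> int:
    """Vulnerable: the same token bytes appear in every response."""
    return compressed_size(render_page(SECRET_TOKEN, user_input))


def masked_oracle(user_input: str) -> int:
    """Mitigated: the field changes every response, so guesses never line up across requests."""
    return compressed_size(render_page(masked_field(SECRET_TOKEN), user_input))


if __name__ == "__main__":
    got = breach_recover(static_oracle, len(SECRET_TOKEN))
    print("static field :", got, "(recovered)" if got == SECRET_TOKEN else "(not recovered)")
    got = breach_recover(masked_oracle, len(SECRET_TOKEN))
    print("masked field :", repr(got), "(recovered)" if got == SECRET_TOKEN else "(not recovered)")
```

Against the static field the loop reads the whole token with 16 requests per character; against the masked field the candidate that happens to line up is different in every request, so the loop either finds no unique shortest response and stops, or appends a character that is wrong for the next response. The server still validates because it removes the pad before comparing. Note that the per-request randomness has to be in the response body itself: moving the static secret into the session (as the question considers) only helps if the value that is actually rendered in the page also stops being constant.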


1 Answer

Isn't the Anti-Forgery/CSRF token enough for this? In MVC you can use `Html.AntiForgeryToken()`. I used it before on my MVC applications and it does mitigate BREACH.

asteriskdothmg answered Oct 30 '22 21:10