
Topic on Project:Support desk

Invicti Scan detected Possible BREACH Attack on Watchlist

Molsen7970 (talkcontribs)

We are looking for guidance on remediating a security vulnerability that Invicti (Netsparker) identified on:

https://website/wiki/Special:Watchlist.

The scan has highlighted the word "token" in the HTTP response (e.g. mw.user.tokens.set, wltoken, ...).

We are not sure of which cookie the remediation notes are referring to when it says using the SameSite Cookie attribute will mitigate the issue.

Invicti Enterprise reported a Possible BREACH Attack issue because the target web page meets the following conditions that facilitate it:

  • Served from a server that uses HTTP-level compression (i.e. gzip)
  • Reflects user-input in the HTTP response bodies
  • Contains sensitive information (such as a CSRF token) in HTTP response bodies

To mitigate the issue, we recommend the following solutions:

  1. If possible, disable HTTP level compression
  2. Separate sensitive information from user input
  3. Protect vulnerable pages with CSRF token. The SameSite Cookie attribute will mitigate this issue, because to exploit this issue an attacker forces the victim to visit a target website using invisible frames. With the SameSite cookie attribute added, cookies that belong to the target won't be sent with a request that does not include top level navigation.
  4. Hide the length of the traffic by adding a random number of bytes to the responses.
  5. Add in a rate limit, so that the page maximum is reached five times per minute.
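The report's three preconditions and its fourth mitigation (random-length padding) can be made concrete with a small check. The following is an added illustration, not MediaWiki or Invicti code: the sample response, header set, token format and the `mw.user.tokens.set` fragment it contains are constructed here to resemble the page described above, and the function names are my own. The precondition check mirrors the scanner's logic, which is why it flags any page that meets all three conditions whether or not a real attack is practical; the padding helper shows why the padding must be incompressible random bytes rather than a repeated character.

```python
"""Check the three BREACH preconditions on an HTTP response and apply
length padding, the fourth mitigation listed in the scan report.

Added illustration; not MediaWiki or Invicti code. The sample response
below is constructed to resemble a page that embeds a token via
mw.user.tokens.set and echoes a query parameter."""
import gzip
import re
import secrets
from typing import Dict, Mapping

# Constructed sample: gzip-served HTML that reflects `query` and carries a token.
SAMPLE_HEADERS = {"Content-Encoding": "gzip", "Content-Type": "text/html; charset=utf-8"}
SAMPLE_BODY_TEMPLATE = (
    "<html><body><p>Results for: <b>{query}</b></p>"
    '<script>mw.user.tokens.set({{"csrfToken":"{token}"}});</script>'
    "</body></html>"
)
# Pattern for the secret the scanner keys on; the hex token value is constructed.
TOKEN_RE = re.compile(r'"csrfToken":"([0-9a-f]+)"')


def sample_response(query: str, token: str = "deadbeef0badcafe") -> str:
    """Build the constructed sample page for a given reflected query string."""
    return SAMPLE_BODY_TEMPLATE.format(query=query, token=token)


def breach_preconditions(headers: Mapping[str, str], body: str,
                         user_input: str, secret_re: re.Pattern) -> Dict[str, bool]:
    """Return which of the report's three preconditions the response meets.

    All three together make a page a candidate; this is the same logic a
    scanner applies, so it flags pages regardless of practical exploitability."""
    compressed = any(
        v.strip().lower() in ("gzip", "deflate", "br")
        for k, v in headers.items() if k.lower() == "content-encoding"
    )
    reflects_input = bool(user_input) and user_input in body
    contains_secret = secret_re.search(body) is not None
    return {
        "compressed": compressed,
        "reflects_input": reflects_input,
        "contains_secret": contains_secret,
        "all_met": compressed and reflects_input and contains_secret,
    }


def pad_response(body: str, min_bytes: int = 1, max_bytes: int = 64) -> str:
    """Append a random-length, incompressible padding comment to the body.

    Hex of random bytes is used rather than a repeated character: a run like
    "xxxx" compresses to a nearly constant size and would hide nothing."""
    n = min_bytes + secrets.randbelow(max_bytes - min_bytes + 1)
    return body + "<!--" + secrets.token_hex(n) + "-->"


def compressed_length(body: str) -> int:
    """Size of the gzip-encoded body, the quantity a length side channel sees."""
    return len(gzip.compress(body.encode("utf-8")))


def padding_varies_length(body: str, trials: int = 20) -> bool:
    """True if padding makes the compressed size differ between responses."""
    sizes = {compressed_length(pad_response(body)) for _ in range(trials)}
    return len(sizes) > 1


if __name__ == "__main__":
    resp = sample_response("hello")
    print(breach_preconditions(SAMPLE_HEADERS, resp, "hello", TOKEN_RE))
    print("padding changes compressed size:", padding_varies_length(resp))
```

Running the module prints all three preconditions as met for the constructed page and confirms that padded copies of the same page compress to different sizes. Removing the `Content-Encoding` header, or serving the token on a page that does not echo user input, clears the corresponding condition, which is the effect of mitigations 1 and 2 in the report.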
Bawolff (talkcontribs)

Key word being "possible". This is not an actual breach attack vulnerability, just a false positive. At least for mw.user.tokens.set.

For wltoken, there is a theoretical possibility it might be subject to a BREACH-style attack; however, it seems like such an attack is not really plausible in practice, and the risk is low as wltoken only controls watchlist access.

Bawolff (talkcontribs)

Filed phab:T374766. If you create a Phabricator account and tell me your phab username, I will add you to the ticket.

Molsen7970 (talkcontribs)

Thank you! My Phabricator username is Molsen7970.
