[wp-trac] [WordPress Trac] #60205: Automatically protect misconfigured sites from BREACH attacks
WordPress Trac
noreply at wordpress.org
Tue Jan 9 20:05:54 UTC 2024
#60205: Automatically protect misconfigured sites from BREACH attacks
-------------------------+------------------------------
Reporter: kkmuffme | Owner: (none)
Type: enhancement | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Security | Version: trunk
Severity: normal | Resolution:
Keywords: | Focuses:
-------------------------+------------------------------
Comment (by kkmuffme):
Turns out random_int isn't enough, but this is:
`<meta name="<?php echo base64_encode( random_bytes( random_int( 50, 100 ) ) ); ?>">`
As the referenced link explains, a 10 byte string will increase it 500 fold, a 100 byte string 500k fold. Therefore I chose a longer value now too.
---
Also adding this to any of header/body/footer isn't enough if HTTP 1.1 with chunked encoding is used or with HTTP2/3 - since each "chunk" is encoded separately, the length of each chunk can be analyzed, making HTB useless.
This is the reason why the paper changes the gzip header value directly, as putting it there at a random length ensures all subsequent chunks won't have the same length as a previous request (since all are shifted by the length of the random token in the beginning).
Therefore we need to add it as early as possible in all cases - which
means in the <head> section.
For pages that do not have a hook there, adding a `do_action( 'breach_protection' );` could be an option, which we hook to and output the meta tag.
e.g.
{{{#!php
<?php
/**
 * Output a meta tag with a random-length name for SSL BREACH attack protection.
 * https://core.trac.wordpress.org/ticket/60205
 *
 * @return void
 */
function wp_output_breach_protection() {
	// Without request parameters nothing attacker-controlled is reflected, so skip.
	if ( empty( $_GET ) && empty( $_POST ) ) {
		return;
	}

	/**
	 * If the user isn't logged in, any nonces/CSRF tokens aren't user specific.
	 * If you hooked on the 'nonce_user_logged_out' hook, you also need to hook here.
	 *
	 * @param bool $can_contain_user_specific_csrf Whether the page can contain
	 *                                             user specific CSRF tokens like nonces.
	 */
	$can_contain_user_specific_csrf = apply_filters( 'can_contain_user_specific_csrf', is_user_logged_in() );
	if ( ! $can_contain_user_specific_csrf ) {
		return;
	}

	// 50-100 random bytes, base64 encoded (no quotes possible), so the
	// compressed response length varies from request to request.
	echo '<meta name="' . base64_encode( random_bytes( random_int( 50, 100 ) ) ) . '">';
}

// Only hook where HTML is expected and we might have CSRF tokens on the page.
add_action( 'wp_head', 'wp_output_breach_protection', PHP_INT_MIN, 0 );
add_action( 'admin_head', 'wp_output_breach_protection', PHP_INT_MIN, 0 );
add_action( 'customize_controls_head', 'wp_output_breach_protection', PHP_INT_MIN, 0 );
add_action( 'embed_head', 'wp_output_breach_protection', PHP_INT_MIN, 0 );
add_action( 'breach_protection', 'wp_output_breach_protection', 10, 0 );
}}}
--
Ticket URL: <https://core.trac.wordpress.org/ticket/60205#comment:1>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
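The argument above (chunk-wise compression only hides the length signal if the random padding comes before everything else) can be checked with a small model. This is an added Python example, not code from the ticket or from WordPress: it builds a constructed sample page with a nonce, compresses it in fixed-size chunks the way the comment describes, and counts how many leading chunks keep a constant compressed length across requests. `padding_tag` mirrors the PHP meta tag; the page layout, token and chunk size are assumptions.

```python
import base64
import gzip
import secrets

CHUNK = 256  # assumed chunk size for the simulation, not a real transfer size


def padding_tag(min_len=50, max_len=100):
    """Same construction as the ticket's PHP: <meta name="<random base64>">."""
    n = min_len + secrets.randbelow(max_len - min_len + 1)
    return '<meta name="%s">' % base64.b64encode(secrets.token_bytes(n)).decode()


def render(token, reflected, pad_at):
    """Constructed sample page. pad_at is None, 'head' or 'footer'."""
    head = "<html><head><title>Search</title>"
    if pad_at == "head":
        head += padding_tag()          # padding before any secret or reflected data
    head += "</head>"
    body = ('<body><form method="post"><input type="hidden" name="_wpnonce" value="%s">'
            '<input name="s" value="%s"></form>' % (token, reflected))
    body += "<p>" + "lorem ipsum " * 40 + "</p>"
    footer = "<footer>%s</footer></body></html>" % (padding_tag() if pad_at == "footer" else "")
    return (head + body + footer).encode()


def chunk_lengths(page):
    """Compressed size of each chunk, compressed independently (mtime fixed for determinism)."""
    return [len(gzip.compress(page[i:i + CHUNK], mtime=0)) for i in range(0, len(page), CHUNK)]


def stable_leading_chunks(token, reflected, pad_at, samples=20):
    """Return (stable, total): how many leading chunks have the same compressed
    length in every one of `samples` renders. Stable chunks still leak length."""
    runs = [chunk_lengths(render(token, reflected, pad_at)) for _ in range(samples)]
    total = min(len(r) for r in runs)
    stable = 0
    for i in range(total):
        if len({r[i] for r in runs}) != 1:
            break
        stable += 1
    return stable, total


if __name__ == "__main__":
    for where in (None, "footer", "head"):
        print(where, stable_leading_chunks("a1b2c3d4e5", "wp", where))
```

Without padding every chunk length is deterministic, a footer tag only randomizes the final chunk, and a tag in `<head>` shifts all later content so no chunk keeps a constant length.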