undefined | Better HN

0 pointsmike_d2y ago0 comments

Self-reply since I can't edit my comment anymore. It looks like they are fixing this:

https://github.com/superfly/tokenizer/pull/9

0 comments

The problem described in the comment above isn't really a problem: you can only inject secrets into headers (like `X-Whatever-API-Key`); you can't inject it into the payload of a request, to, like, ask for an invoice to printed with the API key as an invoice ID.

But there are headers that can get reflected --- too many of them, in too many different environments, so we're just whitelisting which headers you can use on a per-secret basis.

The much, much better vulnerability is the byte-at-a-time attack Jann found. Also fixed! A great bug.

j / k navigate · click thread line to collapse

0 pointsmike_d2y ago0 comments

Self-reply since I can't edit my comment anymore. It looks like they are fixing this:

https://github.com/superfly/tokenizer/pull/9

0 comments

tptacek2y ago

But there are headers that can get reflected --- too many of them, in too many different environments, so we're just whitelisting which headers you can use on a per-secret basis.

The much, much better vulnerability is the byte-at-a-time attack Jann found. Also fixed! A great bug.

j / k navigate · click thread line to collapse