Title: Signature verification : Digest should be calculated upfront using the body · Issue #5 · spacemonkeygo/httpsig · GitHub
Open Graph Title: Signature verification : Digest should be calculated upfront using the body · Issue #5 · spacemonkeygo/httpsig
X Title: Signature verification : Digest should be calculated upfront using the body · Issue #5 · spacemonkeygo/httpsig
Description: At the time of verification, we use the value of digest header(if required) for verifying signature. This opens a gate to the attackers. Suppose someone was able to tamper with the request/response body without touching any of the header...
Open Graph Description: At the time of verification, we use the value of digest header(if required) for verifying signature. This opens a gate to the attackers. Suppose someone was able to tamper with the request/response...
X Description: At the time of verification, we use the value of digest header(if required) for verifying signature. This opens a gate to the attackers. Suppose someone was able to tamper with the request/response...
Opengraph URL: https://github.com/spacemonkeygo/httpsig/issues/5
X: @github
Domain: github.com
{"@context":"https://schema.org","@type":"DiscussionForumPosting","headline":"Signature verification : Digest should be calculated upfront using the body","articleBody":"At the time of verification, we use the value of digest header(if required) for verifying signature.\r\nThis opens a gate to the attackers. Suppose someone was able to tamper with the request/response body without touching any of the headers, signature verification will still be OK because we are using the digest header sent for the verification purpose.\r\n\r\n To prevent such attack , we should \r\nEither,\r\ni) recalculate the 'digest' to be used in signature verification.\r\nOr,\r\nii)Compare the[ 'digest' header value] with the [re-calculated 'digest' from body] , if the signature calculation method for verification remains as is.","author":{"url":"https://github.com/Milkhaa","@type":"Person","name":"Milkhaa"},"datePublished":"2019-08-23T05:21:28.000Z","interactionStatistic":{"@type":"InteractionCounter","interactionType":"https://schema.org/CommentAction","userInteractionCount":0},"url":"https://github.com/5/httpsig/issues/5"}
| route-pattern | /_view_fragments/issues/show/:user_id/:repository/:id/issue_layout(.:format) |
| route-controller | voltron_issues_fragments |
| route-action | issue_layout |
| fetch-nonce | v2:e5f2ca2c-eed4-20cd-6274-0a0af4ab33b7 |
| current-catalog-service-hash | 81bb79d38c15960b92d99bca9288a9108c7a47b18f2423d0f6438c5b7bcd2114 |
| request-id | B3B0:1013D2:AB4A97:EB918C:6A4DC29E |
| html-safe-nonce | 2dde6586221c7a3412704650e344f3ce4dc9896c94b48e7fea659cfe5b447d36 |
| visitor-payload | eyJyZWZlcnJlciI6IiIsInJlcXVlc3RfaWQiOiJCM0IwOjEwMTNEMjpBQjRBOTc6RUI5MThDOjZBNERDMjlFIiwidmlzaXRvcl9pZCI6IjQ0NjExODY0NTY2MTAyNDkyNiIsInJlZ2lvbl9lZGdlIjoiaWFkIiwicmVnaW9uX3JlbmRlciI6ImlhZCJ9 |
| visitor-hmac | 1fcc589c9ae95152e737b25d676bb947731eadfbcd14fcbb34cbbc4a1ad6c433 |
| hovercard-subject-tag | issue:484336057 |
| github-keyboard-shortcuts | repository,issues,copilot |
| google-site-verification | Apib7-x98H0j5cPqHWwSMm6dNU4GmODRoqxLiDzdx9I |
| octolytics-url | https://collector.github.com/github/collect |
| analytics-location | / |
| fb:app_id | 1401488693436528 |
| apple-itunes-app | app-id=1477376905, app-argument=https://github.com/_view_fragments/issues/show/spacemonkeygo/httpsig/5/issue_layout |
| twitter:image | https://opengraph.githubassets.com/85567cdaa5e5576b894e5592c7669a88231a7300b89d1cf7f75fad528f93ee90/spacemonkeygo/httpsig/issues/5 |
| twitter:card | summary_large_image |
| og:image | https://opengraph.githubassets.com/85567cdaa5e5576b894e5592c7669a88231a7300b89d1cf7f75fad528f93ee90/spacemonkeygo/httpsig/issues/5 |
| og:image:alt | At the time of verification, we use the value of digest header(if required) for verifying signature. This opens a gate to the attackers. Suppose someone was able to tamper with the request/response... |
| og:image:width | 1200 |
| og:image:height | 600 |
| og:site_name | GitHub |
| og:type | object |
| og:author:username | Milkhaa |
| hostname | github.com |
| expected-hostname | github.com |
| None | 06b8a6144231bf3a234f1c2e9993861e07ce98a905912b114aa386c2d7e84b33 |
| turbo-cache-control | no-preview |
| go-import | github.com/spacemonkeygo/httpsig git https://github.com/spacemonkeygo/httpsig.git |
| octolytics-dimension-user_id | 7098164 |
| octolytics-dimension-user_login | spacemonkeygo |
| octolytics-dimension-repository_id | 83375021 |
| octolytics-dimension-repository_nwo | spacemonkeygo/httpsig |
| octolytics-dimension-repository_public | true |
| octolytics-dimension-repository_is_fork | false |
| octolytics-dimension-repository_network_root_id | 83375021 |
| octolytics-dimension-repository_network_root_nwo | spacemonkeygo/httpsig |
| turbo-body-classes | logged-out env-production page-responsive |
| disable-turbo | false |
| browser-stats-url | https://api.github.com/_private/browser/stats |
| browser-errors-url | https://api.github.com/_private/browser/errors |
| release | 1d344bdb7547fe6bca17a59bb2b8aac3dc9532a0 |
| ui-target | canary-2 |
| theme-color | #1e2327 |
| color-scheme | light dark |
Links:
Viewport: width=device-width