BREACH attack

Description

This web application is potentially vulnerable to the BREACH attack.

An attacker with the ability to:

  • Inject partial chosen plaintext into a victim's requests
  • Measure the size of encrypted traffic
can leverage information leaked by compression to recover targeted parts of the plaintext.

BREACH (Browser Reconnaissance & Exfiltration via Adaptive Compression of Hypertext) is a category of vulnerabilities and not a specific instance affecting a specific piece of software. To be vulnerable, a web application must:

  • Be served from a server that uses HTTP-level compression
  • Reflect user-input in HTTP response bodies
  • Reflect a secret (such as a CSRF token) in HTTP response bodies

Remediation

The mitigations are ordered by effectiveness (not by their practicality - as this may differ from one application to another).

  • Disabling HTTP compression
  • Separating secrets from user input
  • Randomizing secrets per request
  • Masking secrets (effectively randomizing by XORing with a random secret per request)
  • Protecting vulnerable pages with CSRF
  • Length hiding (by adding random number of bytes to the responses)
  • Rate-limiting the requests

References