BREACH attack

Description
  • This web application is potentially vulnerable to the BREACH attack.

    An attacker with the ability to:
    • Inject partial chosen plaintext into a victim's requests (for example, by making the victim's browser send requests whose query parameters the attacker chooses)
    • Measure the size of the resulting encrypted responses on the network
    can leverage information leaked by compression to recover targeted parts of the plaintext, one guessed byte at a time: a guess that extends the secret correctly is absorbed into a compression back-reference, so that response is slightly smaller than the responses for wrong guesses.

    BREACH (Browser Reconnaissance & Exfiltration via Adaptive Compression of Hypertext) is a category of vulnerabilities and not a specific instance affecting a specific piece of software. It targets HTTP-level response compression rather than TLS-level compression (the latter was the CRIME attack), so disabling TLS compression alone does not address it. To be vulnerable, a web application must:

    • Be served with HTTP-level compression of the response body (e.g. gzip or deflate via Content-Encoding)
    • Reflect user input in the HTTP response body
    • Reflect a secret (such as a CSRF token) in the same compressed response body
Remediation
  • The mitigations below are ordered by effectiveness, not by practicality, which differs from one application to another.

    • Disabling HTTP compression (at least for responses that carry secrets)
    • Separating secrets from user input, so the two never appear in the same compressed response
    • Randomizing secrets per request
    • Masking secrets (XORing the secret with a fresh random pad on every response and sending pad and masked value together, so the bytes on the wire change per request while the underlying secret stays stable)
    • Protecting vulnerable pages with a CSRF token, so an attacker cannot make the victim's browser request them with chosen input
    • Length hiding (adding a random number of bytes to each response); this only slows the attack, since the attacker can average the sizes of repeated requests
    • Rate-limiting requests, which raises the cost of the many requests the attack needs
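
    The compression side channel from the Description and the masking mitigation from the list above, demonstrated in one added example that is not part of this finding or of any scanner plugin. The page template, the secret "k3t0r9qz", the guess prefix and the guess alphabet are constructed for the demo. Instead of zlib it uses a small greedy LZ77 parser with a fixed cost per literal and per back-reference, so the one-literal saving of a correct guess is visible as an exact 8-bit difference; against real DEFLATE output, Huffman coding and byte alignment blur that difference, which is why the real attack repeats each measurement with varying padding and averages. The same recovery loop is then run against responses that carry a per-response masked token, where the guess never lines up with stable bytes and the recovery fails.

```python
import secrets
import string

# Constructed demo values (not from the scanner output): the secret the page embeds,
# the text immediately preceding it in the response, and the attacker's guess alphabet.
SECRET = "k3t0r9qz"
PREFIX = '"csrf":"'
ALPHABET = string.ascii_lowercase + string.digits

# Constructed response body with both BREACH preconditions: the reflected query
# string and the secret token appear in the same compressed body.
TEMPLATE = '{{"query":"{reflected}","csrf":"{token}"}}'


def render(reflected, token):
    return TEMPLATE.format(reflected=reflected, token=token)


def lz77_tokens(data, min_match=3, max_match=258):
    """Greedy LZ77 parse (the DEFLATE stage BREACH exploits). Each position emits either
    a literal character or a (distance, length) back-reference to earlier text.
    Simplification: unlimited window and no lazy matching, unlike real DEFLATE."""
    tokens, i = [], 0
    while i < len(data):
        best_len, best_dist = 0, 0
        for j in range(i):
            k = 0
            while i + k < len(data) and k < max_match and data[j + k] == data[i + k]:
                k += 1
            if k > best_len:
                best_len, best_dist = k, i - j
        if best_len >= min_match:
            tokens.append((best_dist, best_len))
            i += best_len
        else:
            tokens.append(data[i])
            i += 1
    return tokens


def compressed_bits(data):
    """Toy cost model: 8 bits per literal, 24 bits per back-reference. Real DEFLATE
    Huffman-codes both, adding noise the attacker averages out over repeated requests."""
    return sum(24 if isinstance(t, tuple) else 8 for t in lz77_tokens(data))


def vulnerable_oracle(reflected):
    """Compressed size of the response when `reflected` is echoed next to a static token."""
    return compressed_bits(render(reflected, SECRET))


def breach_recover(oracle, prefix, length, alphabet=ALPHABET):
    """Byte-at-a-time recovery: a guess that extends the true secret by one character is
    absorbed into the back-reference and saves one literal, so its response is smaller."""
    known = ""
    for _ in range(length):
        sizes = {c: oracle(prefix + known + c) for c in alphabet}
        best = min(sizes.values())
        winners = [c for c, size in sizes.items() if size == best]
        if len(winners) != 1:
            break  # no guess compressed strictly better: the response leaks nothing usable
        known += winners[0]
    return known


def mask_token(secret):
    """Masking mitigation: XOR the secret with a fresh random pad on every response and
    send pad || masked. Wire bytes change each time; the server-side secret stays stable."""
    mask = secrets.token_bytes(len(secret))
    masked = bytes(a ^ b for a, b in zip(secret.encode(), mask))
    return mask.hex() + masked.hex()


def unmask(token):
    """Server side: split pad || masked and XOR to recover the stable secret."""
    raw = bytes.fromhex(token)
    mask, masked = raw[: len(raw) // 2], raw[len(raw) // 2 :]
    return bytes(a ^ b for a, b in zip(mask, masked)).decode()


def masked_oracle(reflected):
    """Same page, but every response carries a freshly masked token."""
    return compressed_bits(render(reflected, mask_token(SECRET)))


if __name__ == "__main__":
    print("static token :", breach_recover(vulnerable_oracle, PREFIX, len(SECRET)))
    print("masked token :", repr(breach_recover(masked_oracle, PREFIX, len(SECRET))))
    print("unmask check :", unmask(mask_token(SECRET)) == SECRET)
```

    With the static token, every step has exactly one guess whose response is 8 bits smaller than all the others, and the loop returns the full secret after 8 x 36 requests. With the masked token the size differences between guesses no longer depend on the secret, so the loop stops early or returns junk; the server still validates the submitted token by unmasking it.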
References