BREACH attack

Description
  • This web application is potentially vulnerable to the BREACH attack.

    An attacker with the ability to:

      - Inject partial chosen plaintext into a victim's requests
      - Measure the size of encrypted traffic

    can leverage information leaked by compression to recover targeted parts of the plaintext.

    BREACH (Browser Reconnaissance & Exfiltration via Adaptive Compression of Hypertext) is a category of vulnerabilities and not a specific instance affecting a specific piece of software. To be vulnerable, a web application must:

      - Be served from a server that uses HTTP-level compression
      - Reflect user input in HTTP response bodies
      - Reflect a secret (such as a CSRF token) in HTTP response bodies
Remediation
  • The mitigations are ordered by effectiveness (not by practicality, which may differ from one application to another).

      - Disabling HTTP compression
      - Separating secrets from user input
      - Randomizing secrets per request
      - Masking secrets (effectively randomizing them by XORing with a random mask generated per request)
      - Protecting vulnerable pages with CSRF protection
      - Length hiding (by adding a random number of bytes to the responses)
      - Rate-limiting the requests
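    The "masking secrets" mitigation above, as an added example that is not part of the original finding or of any specific framework: the per-session secret (a CSRF token) is never reflected directly; each response embeds mask || (secret XOR mask) with a fresh random mask, so the reflected bytes change on every request even though the underlying secret is constant. The function names are hypothetical.

```python
import hmac
import secrets
from typing import Optional

# Hypothetical helper names chosen for this example.


def mask_secret(secret: bytes) -> bytes:
    """Return mask || (secret XOR mask) using a fresh random mask per call.

    Embedding this value (e.g. hex-encoded) in the page instead of the raw
    secret means the reflected bytes differ on every response, so an attacker
    comparing compressed response sizes across requests cannot correlate a
    guessed prefix with a stable secret.
    """
    mask = secrets.token_bytes(len(secret))
    masked = bytes(s ^ m for s, m in zip(secret, mask))
    return mask + masked


def unmask_secret(token: bytes, secret_len: int) -> Optional[bytes]:
    """Recover the secret from mask || masked; None if the length is wrong."""
    if len(token) != 2 * secret_len:
        return None
    mask, masked = token[:secret_len], token[secret_len:]
    return bytes(x ^ m for x, m in zip(masked, mask))


def verify_token(submitted: bytes, session_secret: bytes) -> bool:
    """Check a submitted masked token against the session secret.

    Uses a constant-time comparison so the check itself leaks no timing
    information about how many leading bytes matched.
    """
    recovered = unmask_secret(submitted, len(session_secret))
    if recovered is None:
        return False
    return hmac.compare_digest(recovered, session_secret)


if __name__ == "__main__":
    # Constructed per-session secret for demonstration only.
    session_secret = secrets.token_bytes(16)
    t1, t2 = mask_secret(session_secret), mask_secret(session_secret)
    print("reflected tokens differ per response:", t1 != t2)
    print("both still verify:", verify_token(t1, session_secret)
          and verify_token(t2, session_secret))
```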
References