Browser Reconnaissance and Exfiltration via Adaptive Compression of Hypertext (a.k.a. BREACH) is a vulnerability that occurs when HTTP compression is enabled over HTTPS. It is based on the CRIME vulnerability, which targeted TLS-level compression; BREACH applies the same idea to HTTP-level compression (such as gzip) of the response body.
What is BREACH?
BREACH allows an attacker to recover private secrets even though they are transferred encrypted over HTTPS. With this attack, threat actors may be able to recover secrets such as CSRF tokens. HTTPS encrypts the data a web application sends, so its content cannot be read, but the length of each response can still be observed. Threat actors brute-force the secret by sending a huge number of requests to the web application and recovering it byte by byte from the compressed response lengths.
How to Detect the BREACH Vulnerability?
For an application to be vulnerable to BREACH, all of the following conditions must hold:
- The application is served over HTTPS,
- HTTP compression is enabled,
- The application reflects user-provided input in the response,
- The application includes a secret in the same HTTP response.
If all of these conditions are present in your application, it is vulnerable to BREACH. Attackers may be able to recover your clients' secret tokens with some basic scripting.
How do Attackers Use the BREACH Vulnerability?
Attackers create a malicious website that includes scripts. These scripts send a huge number of requests to the vulnerable website.
After confirming the vulnerability, they trick users of the target website (the victims) into loading the malicious website. Once a victim loads the attacker's website, the scripts run and send a huge number of requests to the vulnerable website while the attacker observes the sizes of the encrypted responses on the network. From those sizes the attacker recovers the victim's secret.
How to Mitigate BREACH?
- Disable HTTP compression
- Create a new random secret for each request instead of reusing the same one
- Use CSRF protection
- Mask the length of the response (for example, with random padding)
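The following added example (not part of the original post) illustrates two points above: why the length of a compressed response leaks whether reflected input repeats the secret, and how per-response masking of the secret (a fresh random mask XORed into the token on every response) removes that correlation. The HTML page, the secret value and the helper names are constructed for this example.

```python
import base64
import os
import zlib

# Constructed sample secret; a real application generates one per session.
SECRET = b"4f3a9b2c7d1e"

def render(reflected: str, token_field: bytes) -> bytes:
    """Constructed response that reflects user input AND carries a token:
    the two content preconditions for BREACH."""
    return (b"<html><p>You searched for: " + reflected.encode() + b"</p>"
            b"<form><input name='csrf' value='" + token_field + b"'></form></html>")

def compressed_len(body: bytes) -> int:
    """Size on the wire once HTTP compression (DEFLATE, as in gzip) is applied.
    TLS hides the content but not this length."""
    return len(zlib.compress(body))

def length_gap(guess: str, decoy: str) -> int:
    """Bytes saved when the reflected input repeats the unmasked secret compared
    with an unrelated string of the same length. A positive gap is the side
    channel: DEFLATE replaces the repeated secret with a short back-reference."""
    return compressed_len(render(decoy, SECRET)) - compressed_len(render(guess, SECRET))

def mask_token(secret: bytes) -> bytes:
    """Mitigation: XOR the secret with a fresh random mask and send mask||masked.
    The transmitted bytes differ on every response, so reflected input can never
    share a substring with them and the compressed length stops tracking the secret."""
    mask = os.urandom(len(secret))
    masked = bytes(m ^ s for m, s in zip(mask, secret))
    return base64.b64encode(mask + masked)

def unmask_token(field: bytes, secret_len: int) -> bytes:
    """Server side: strip the mask to recover the real secret for comparison."""
    raw = base64.b64decode(field)
    mask, masked = raw[:secret_len], raw[secret_len:]
    return bytes(m ^ s for m, s in zip(mask, masked))

if __name__ == "__main__":
    print("gap with unmasked token:", length_gap("4f3a9b2c7d1e", "q7w2e9r4t1y6"))
    field = mask_token(SECRET)
    print("masked token field:", field, "unmasks to", unmask_token(field, len(SECRET)))
```

Run it twice and compare the masked field: it changes every time while still unmasking to the same secret, which is exactly the property the "new random secret per request" mitigation relies on.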