Browser Reconnaissance & Exfiltration via Adaptive Compression of Hypertext (BREACH)
21 October 2022 - ArticlesBrowser Reconnaissance & Exfiltration via Adaptive Compression of Hypertext (BREACH) is a vulnerability similar in nature to CRIME, but where CRIME affected TLS/SPDY compression, BREACH affects HTTP compression. Where an application supports HTTP compression, reflects user-input within response bodies, and includes confidential information in that body – such as a CRSF token, it may be affected by BREACH. This attack was demonstrated as practical in 2013.
Additionally, the attack is not specific to a certain version of SSL/TLS or a specific cipher suite as the exploit is against HTTP compression.
The issue can be mitigated effectively by modifying the server-size gzip compression to add randomness to the response length. Alternatively, consider disabling HTTP compression or ensure the secrets embedded within pages are randomised.
References
RC4 NOMORE
An attack against RC4 was demonstrated in 2015. This attack affects the use of RC4 in several protocols, including within Transport Layer Security (TLS) used by web browsers and web applications but also within WPA-TKIP used by wireless networks. This weakness in RC4 when applied to TLS can allow an [...]| Play | Cover | Release Label |
Track Title Track Authors |
|---|