BREACH Attack on HTTP Compression

BREACH Attack on HTTP Compression

Risk: medium

Description

This vulnerability indicates that the server is susceptible to BREACH attacks, which exploit HTTP compression to extract sensitive information from encrypted HTTPS responses by measuring compressed response sizes.

BREACH (Browser Reconnaissance and Exfiltration via Adaptive Compression of Hypertext) occurs when secrets (CSRF tokens, session data) and user input appear in the same compressed HTTP response. Compression algorithms create detectable patterns that reveal information about the secret.

How It Works:

1. Malicious JavaScript makes requests to target site using victim's cookies
2. Attacker injects guesses via URL parameters or form data
3. When the guess matches part of a secret, the response compresses better (smaller size)
4. By measuring response sizes, attacker extracts secrets incrementally

Requirements:

• HTTP compression enabled (gzip/deflate)
• User input reflected in HTTP response bodies
• Secrets in the same responses as user input
• Multiple requests allowed

Example Scenario: A web application includes a CSRF token in a JSON response along with user-provided search terms. An attacker crafts requests with different search terms that partially match the CSRF token pattern, observing compressed response sizes to gradually extract the entire token.

The attack can extract secrets with thousands of requests in under a minute, leading to session hijacking, CSRF bypass, and exposure of sensitive data.

Recommendation

To mitigate BREACH attacks, implement the following strategies:

Primary Mitigations:

1. Disable HTTP Compression for Sensitive Pages - Turn off gzip/deflate for responses containing secrets and compress static assets only, not dynamic content with secrets.

2. Separate Secrets from User Input - Ensure that sensitive data never appears in the same HTTP response as user-controlled input. Use separate endpoints for sensitive operations that don't echo user input.

3. Randomize Secrets Per Request - Generate new CSRF tokens frequently and rotate session identifiers regularly to limit the window of opportunity for attackers.

Implementation Examples:

# Disable compression for sensitive endpoints
location /api/csrf { gzip off; }
location /user/ { gzip off; }

# Flask: Disable compression middleware
app.config['COMPRESS_MIMETYPES'] = []

# Django: Remove GZipMiddleware from MIDDLEWARE setting
MIDDLEWARE = [
    # ... other middleware, but NOT:
    # 'django.middleware.gzip.GZipMiddleware',
]

Additional Defenses:

• Add random padding to responses containing secrets
• Implement rate limiting (10 requests per minute for user input endpoints)
• Monitor for suspicious request patterns indicating potential attacks
• Use double-submit cookie CSRF protection methods

Links

• BREACH Attack Official Site
• CVE-2013-3587

Standards

• SOC2_CONTROLS:
  • CC_6_7
  • CC_7_1
• CCPA:
  • CCPA_1798_150
• GDPR:
  • ART_32
• PCI_STANDARDS:
  • REQ_4_1
  • REQ_6_5
  • REQ_11_3