The Browser Reconnaissance and Exfiltration via Adaptive Compression of Hypertext (BREACH)

by Joshua Devey -

Hi there,

Currently running a penetration test for a client and getting a medium vulnerability: Browser Reconnaissance and Exfiltration via Adaptive Compression of Hypertext (BREACH). This seems to be coming from the YUI framework and the only recommended fix for this is to turn off HTTP compression.

We have done this but the vulnerability is still present. Has anyone else experienced this vulnerability, and if so do you have a suggestion for a fix?


Thanks 

Josh

In reply to Joshua Devey

Re: The Browser Reconnaissance and Exfiltration via Adaptive Compression of Hypertext (BREACH)

by James McLean -

Not that this is justification for ignoring it, but is this being actively exploited in the wild?

In reply to Joshua Devey

Re: The Browser Reconnaissance and Exfiltration via Adaptive Compression of Hypertext (BREACH)

by Damyon Wiese -
From my reading of the vulnerability, it "might" allow a man in the middle to steal a sesskey even if the connection is protected via SSL.

It would require:
A) the man in the middle to see all traffic from the victim and the server (even if it is encrypted)
B) control over the victim's browser to make it submit requests to arbitrary URLs (e.g. convincing them to visit a phishing site, or injecting code into any "non-ssl" response)

If this is a concern, you can mitigate it completely by disabling gz compression (mod_deflate). This may impact the performance of your site.

Average of ratings: Useful (2)
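
One way to confirm whether responses are still compressed after the mod_deflate change discussed in this thread (an added example, not code from any of the posters or from Moodle). `probe` requests a page while offering compression and reports the codings the server applied; `start_sample_server` is a constructed local stand-in for the site, and all function names are hypothetical.

```python
import gzip
import http.server
import threading
import urllib.request

# Codings that mean the body was compressed before it was encrypted.
COMPRESSED = {"gzip", "x-gzip", "deflate", "br", "zstd", "compress"}

def compression_in_use(headers):
    """Return the compression codings named in a response's encoding headers."""
    found = set()
    for name in ("Content-Encoding", "Transfer-Encoding"):
        for value in headers.get_all(name) or []:
            found.update(c.strip().lower() for c in value.split(","))
    return sorted(found & COMPRESSED)

def probe(url, timeout=10):
    """Fetch url while offering compression, as a browser does, and report what came back."""
    # Connect directly, ignoring proxy environment variables, so the headers are the server's own.
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    req = urllib.request.Request(url, headers={"Accept-Encoding": "gzip, deflate, br"})
    with opener.open(req, timeout=timeout) as resp:
        return compression_in_use(resp.headers)

def start_sample_server(compress):
    """Constructed local server standing in for the site under test."""
    class Handler(http.server.BaseHTTPRequestHandler):
        def do_GET(self):
            body = b"<html>sesskey=CONSTRUCTED</html>"
            offered = "gzip" in self.headers.get("Accept-Encoding", "")
            self.send_response(200)
            if compress and offered:
                body = gzip.compress(body)
                self.send_header("Content-Encoding", "gzip")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
        def log_message(self, *args):  # keep the demo quiet
            pass
    server = http.server.HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d/" % server.server_port

if __name__ == "__main__":
    for compress in (True, False):
        server, url = start_sample_server(compress)
        print("compress=%s ->" % compress, probe(url) or "no compression")
        server.shutdown()
```

Run `probe` against each URL the scanner flagged: an empty list means that response was served uncompressed, while a non-empty list shows compression is still applied somewhere between the application and the client.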