A server vulnerable to BREACH (Browser Reconnaissance and Exfiltration via Adaptive Compression of Hypertext) allows an attacker to decrypt cookie contents such as session information. Learn here how you can prevent SSL BREACH.
CVSS Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
When responses are compressed with “gzip” or “deflate” (selected through the HTTP Content-Encoding mechanism), the encrypted data can be guessed with a brute-force search followed by a divide-and-conquer search.
For a successful BREACH attack, several requirements need to be met:
- The website is transferred compressed.
- The website reflects user input (e.g. a username submitted through the login form).
- The website contains a secret (e.g. a CSRF token).
The easiest form of mitigation is disabling HTTP compression, which, however, leads to larger pages that need to be transferred. One possibility is to disable compression only if the referrer is not the application itself.
To disable HTTP compression for requests with different referrers, use the following Apache settings:
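```apache
# Compress responses with mod_deflate, with the usual legacy-browser exceptions
SetOutputFilter DEFLATE
BrowserMatch ^Mozilla/4 gzip-only-text/html
BrowserMatch ^Mozilla/4\.0 no-gzip
BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
# Do not compress already-compressed file types
SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png|zip|gz|tgz|htc)$ no-gzip dont-vary
# BREACH mitigation
# Default every request to self_referer=no, then switch to yes only
# when the Referer starts with the application's own URL
SetEnvIfNoCase Referer .* self_referer=no
SetEnvIfNoCase Referer ^https://www\.example\.org/ self_referer=yes
# Any other (or missing) Referer disables compression for that request
SetEnvIf self_referer ^no$ no-gzip
Header append Vary User-Agent env=!dont-vary
```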
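The following added example (not part of the original page) models the Referer rule above in Python to show what it changes: with compression on, the response length depends on whether reflected input matches the secret, and with compression off it does not. The token, page template, referrer values and function names are constructed for this illustration.

```python
import re
import zlib
from typing import Optional

# Constructed sample values: the token and page template are made up for this demo.
SECRET_TOKEN = "4f9c2e7a1b8d3c6f0a5e9d2b7c4f1a8e"
MATCHING_INPUT = SECRET_TOKEN                            # reflected text equal to the secret
NON_MATCHING_INPUT = "ZYXWVUTSRQPONMLKJIHGzyxwvutsrqpo"  # same length, no overlap
# Same pattern as the SetEnvIfNoCase rule (case-insensitive, anchored at the start).
OWN_REFERER = re.compile(r"^https://www\.example\.org/", re.IGNORECASE)


def render_page(reflected: str) -> bytes:
    """Page that reflects user input and embeds a secret (two of the requirements)."""
    return (
        "<html><body>"
        f"<p>Search results for: {reflected}</p>"
        f'<input type="hidden" name="csrf_token" value="{SECRET_TOKEN}">'
        "</body></html>"
    ).encode()


def compress_allowed(referer: Optional[str]) -> bool:
    """self_referer=yes only for the application's own pages; otherwise no-gzip."""
    return bool(OWN_REFERER.search(referer or ""))


def wire_length(reflected: str, referer: Optional[str]) -> int:
    """Body size visible to a network observer: TLS hides content, not length."""
    body = render_page(reflected)
    if compress_allowed(referer):
        body = zlib.compress(body, 6)  # stands in for mod_deflate
    return len(body)


if __name__ == "__main__":
    referers = ("https://www.example.org/search", "https://other.example.net/",
                "https://www.example.org.attacker.test/", None)
    for referer in referers:
        a = wire_length(MATCHING_INPUT, referer)
        b = wire_length(NON_MATCHING_INPUT, referer)
        print(f"{str(referer):42} match={a:4} miss={b:4} length leak={a != b}")
```

Only requests carrying the application's own Referer are still compressed, so the length difference remains for them; requests with a foreign, lookalike or missing Referer are served uncompressed. The trailing slash in the pattern is what keeps a host such as `www.example.org.attacker.test` from counting as the application.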