Saturday, February 6, 2016

What is BREACH Attack ?

In 2013, a new attack named BREACH Attack or Browser Reconnaissance and Exfiltration via Adaptive Compression of Hypertext caught our attention. It affected many of our lives by stealing sensitive data transferred over the internet, even when SSL/TLS is used.

Let's understand what this BREACH Attack is actually and how the attackers perpetrate this attack.


When our browsers request for a webpage, the webpage is normally first compressed and then sent over to the browsers. This is done to utilize the bandwidth in a better way. Similarly, when we send any data through a webpage, the content is first compressed and then sent over to the server. We use HTTP compression for this purpose.

When we use SSL/TLS to send sensitive data to a server, the data is first encrypted and then sent over to the server. In case of HTTP Compression, content is first compressed and then sent over to the server.

In BREACH Attack, an attacker analyzes the responses of various responses to a victim authenticated to a web application and finds out sensitive data pertaining to the victim. That is, the attacker
sends several requests to the server impersonating the victim and looks at the responses, that is the length of the compresed contents. On analyzing the lengths of responses of various requests, the attacker finds out sensitive data of the victim.

How BREACH Attack Works

When we use HTTP compression on the webpages, the length of the compressed contents is less than that of the actual content. But, the actual length of the compressed depends much on the sensitive data pertainig to the user.

For example, study says, if a user authenticates to an ecommerce website and searches with some text in the search bar, the length of the compressed webpage will be minimum when the search text will match with the username or credit card number of the user.

So, if a user has a credit card number 123456 and he searches with various texts in the search bar of the website, the length of the compressed webpae will be minimum when the user will search with 123456.

And, this is the technique the attackers exploit to find out sensitive data of the user.

How is BREACH Attack perpetrated

To perpetrate BREACH Attack, the attacker first uses social engineering to trick the victim to click on a link. For example, the attacker may send an email to the victim saying “See some interesting pictures !” The link actually points to a script that exploits the authentication cookies stored in the victim's computer and sends the server several requests of searching with texts in the searchbar.

For example, if a victim cclicks on the link when he is already authenticated to the web application, the script will use brute force approach and send the server several requests which will search in the searchbar with texts, say from 123456 to 999999.

The attacker can now observe the length of contents of each response, and the response with minimum compressed length will contain the victim's credit card number.


Turning off HTTP compression looks a simple solution. But, this is difficult to implement as almost all browsers rely on it heavily to effectively manage the bandwidth and transmission speed.

The other possible approaches could be :

  • Protect vulnerable pages with CSRF token, which will make sure that a request coming from a browser is indeed a request sent by the user.
  • Add some random bytes to the compressed content so that all compressed webpages are of same length.
  • We can seperate sensitive data of a user from the webpages where some input text is displayed.

So, beware of various vulnerabilities so that you can protect your sensitive data in a better way and stay safe, stay secured.

No comments:

Post a Comment