Preventing BREACH Attacks

TL;DR

BREACH is a side-channel attack on HTTPS responses that are compressed at the HTTP layer (gzip, DEFLATE, Brotli) and that contain both a secret (typically a CSRF token) and text the attacker controls, such as a reflected search term. TLS hides the bytes of a response but not their length, so an attacker who can observe the victim's traffic and make the victim's browser send requests can guess the secret one character at a time by watching how the compressed size changes. HTTPS does not stop it; it is the setting in which the attack matters. The reliable fix is to turn HTTP compression off for responses that carry secrets. Where that is not possible, mask the secret with a fresh random value in every response so its bytes never repeat on the wire, keep secrets out of responses that reflect user input, and rate-limit requests to those pages.

What is the BREACH Attack?

BREACH (Browser Reconnaissance and Exfiltration via Adaptive Compression of Hypertext) targets websites that compress HTTP responses (gzip, DEFLATE, Brotli) over HTTPS. It works like this:

  • A page reflects something the attacker can control, for example a search term or a query parameter.
  • The same page also contains a secret, typically a CSRF token, that stays the same from one request to the next.
  • The server compresses the response. DEFLATE-family compressors replace repeated substrings with back-references, so when the reflected text matches the beginning of the secret the response gets slightly smaller.
  • The attacker lures the victim onto a page that makes the victim's browser send many requests to the target site (with the victim's cookies attached), each reflecting one guess at the next character of the secret.
  • From a network vantage point (for example on the same Wi-Fi network) the attacker sees the size of each encrypted response. The guess that produces the smallest response is the correct character; the attacker appends it and repeats until the whole secret is known.

BREACH does not break TLS and does not exploit a bug in the application; it exploits the fact that compression makes the length of the ciphertext depend on the plaintext. A page is exposed when all three conditions hold: it is served with HTTP compression, it reflects user input in the body, and the same body contains a secret.

How to Prevent BREACH Attacks

  1. Disable HTTP Compression for Responses That Carry Secrets: This is the only complete fix. Static assets (scripts, stylesheets, images) contain no per-user secrets and can stay compressed; turn compression off for the dynamic routes that return CSRF tokens, session data or other per-user secrets alongside user-controlled input. Check the whole chain: a CDN or reverse proxy in front of the origin may compress the response again.
    • Apache: mod_deflate skips any request for which the no-gzip environment variable is set. In the virtual host or server configuration (or a .htaccess file, if AllowOverride permits it), add:
      <Location "/sensitive-route">
        SetEnv no-gzip 1
      </Location>
      or, by URL pattern:
      SetEnvIf Request_URI "^/sensitive-route" no-gzip=1
    • Nginx: In the server block, add a location that switches compression off (add brotli off; as well if the Brotli module is loaded):
      location ~ ^/sensitive-route {
        gzip off;
      }
      After the change, request the route with an Accept-Encoding header that asks for gzip, deflate and br and confirm that the response carries no Content-Encoding header.
  2. Do Not Rely on HTTPS: TLS is necessary (without it the attacker simply reads the secret off the wire) but it does not stop BREACH, because the attack needs only the length of each encrypted response, which TLS does not hide. TLS-level compression is a separate problem (the CRIME attack) and should be disabled too; modern TLS stacks no longer offer it.
  3. Mask Secrets with a Per-Response Random Value: If compression cannot be turned off, make sure the secret's bytes never appear the same way twice. For every response generate a random mask of the same length as the secret and emit mask || (mask XOR secret); on submission the server splits the value in half, XORs the halves to recover the secret and compares it with hash_equals(). The value on the wire differs in every response, so the attacker's guess can never line up with it and the compressed length stops depending on the guess. Simply adding a separate random token to the page, without masking the secret, does not help: the secret is still there verbatim, and a fixed-length random string only adds a constant number of incompressible bytes.
    • The mask must come from a cryptographically secure generator and must be fresh on every response, not once per session.
    • Example (in PHP, masking a per-session CSRF secret):
      <?php
      session_start();
      if (empty($_SESSION['csrf_secret'])) {
          $_SESSION['csrf_secret'] = random_bytes(16);   // the real, per-session secret
      }
      // Fresh mask per response: the page carries mask || (mask XOR secret), so the
      // secret's bytes never appear verbatim and the value differs on every load.
      $mask   = random_bytes(16);
      $masked = $mask . ($mask ^ $_SESSION['csrf_secret']);
      echo "<input type='hidden' name='csrf_token' value='" . bin2hex($masked) . "'>";
      ?>
  4. Keep Secrets and User Input Apart: Serve the CSRF token from a response that reflects nothing the user controls (a separate endpoint, or a template that never echoes request data), and keep reflected input out of pages that carry secrets. The attack needs both in one compressed body.
  5. Rate Limiting and Length Hiding: Recovering a token takes thousands of requests, so throttling requests per session or per client raises the cost and makes the traffic easy to spot. Random padding of responses hides the length signal only statistically and is a weak measure on its own. Requiring a valid CSRF token on the reflecting page itself also helps, because the attacker's cross-site requests then never reach the code path that emits the secret. Content Security Policy does not protect against BREACH: the requests come from an attacker-controlled page, not from script injected into yours.
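The following is an added example, not code from the original post, that ties the attack description above to mitigation 3. It builds a constructed page (reflected search term plus a CSRF token, as in the bullet list) and recovers the token from nothing but compressed response sizes, then shows that the same procedure fails once the token is masked with a per-response random value. The page, the secret 3f9c1e7a2d5b, the '@' guess terminator and the use of fixed Huffman tables (zlib.Z_FIXED, which makes the one-byte size signal exact; a real server's dynamic tables add noise that attackers average away with repeated requests) are all assumptions of the demo.

```python
import hmac
import secrets
import zlib

# Constructed page (illustration only): it reflects a query parameter as-is and
# carries a CSRF token, and the server compresses it at the HTTP layer.
TEMPLATE = (
    '<html><body>\n<p>No results for: {reflected}</p>\n'
    '<form method="post" action="/transfer">\n'
    '<input type="hidden" value="{token}" name="csrf_token">\n'
    '</form></body></html>\n'
)
SECRET = bytes.fromhex("3f9c1e7a2d5b")   # the server's CSRF secret (constructed, short for the demo)
PREFIX = 'type="hidden" value="'         # markup around the secret; the attacker knows it from the page
HEX = "0123456789abcdef"                 # the token's alphabet


def mask(secret: bytes) -> str:
    """Mitigation: emit mask || (mask XOR secret) with a fresh random mask per
    response, so the bytes on the wire never repeat between responses."""
    m = secrets.token_bytes(len(secret))
    return (m + bytes(a ^ b for a, b in zip(m, secret))).hex()


def unmask(value: str) -> bytes:
    """Server side: split the submitted value in half and XOR to get the secret back."""
    data = bytes.fromhex(value)
    m, x = data[: len(data) // 2], data[len(data) // 2 :]
    return bytes(a ^ b for a, b in zip(m, x))


def render(reflected: str, masked: bool) -> bytes:
    """The server: build the page with the reflected input and the (masked) secret."""
    token = mask(SECRET) if masked else SECRET.hex()
    return TEMPLATE.format(reflected=reflected, token=token).encode()


def wire_len(body: bytes) -> int:
    """What a passive observer sees: only the compressed length. TLS hides the
    bytes, not the size. Fixed Huffman tables keep the size signal exact."""
    c = zlib.compressobj(6, zlib.DEFLATED, 15, 8, zlib.Z_FIXED)
    return len(c.compress(body) + c.flush())


def recover(oracle, length: int) -> str:
    """The attack: extend the known part of the secret one hex digit at a time,
    keeping the digit whose reflection makes the response compress smallest
    (it lengthens the LZ77 back-reference to the real token). The '@' ends the
    guess so a wrong digit cannot form an accidental match with the page's tail."""
    known = ""
    for _ in range(length):
        known += min(HEX, key=lambda d: oracle(PREFIX + known + d + "@"))
    return known


def plain_oracle(guess: str) -> int:
    """Compressed size of the unmitigated page reflecting `guess`."""
    return wire_len(render(guess, masked=False))


def masked_oracle(guess: str) -> int:
    """Compressed size of the page with a masked token reflecting `guess`."""
    return wire_len(render(guess, masked=True))


if __name__ == "__main__":
    print("unmasked page leaks:", recover(plain_oracle, len(SECRET.hex())))
    print("masked page leaks:  ", recover(masked_oracle, len(SECRET.hex())))
    print("server unmasks correctly:", hmac.compare_digest(unmask(mask(SECRET)), SECRET))
```

Each step of recover() is one request per candidate digit, which is why rate limiting (mitigation 5) raises the attacker's cost: the twelve-digit token here takes 192 requests even with a clean signal, and a real dynamic-Huffman response needs several measurements per candidate.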

Testing for BREACH Vulnerability

A route is exposed only when three conditions hold together, and each can be checked with an ordinary HTTP client: the response comes back with a Content-Encoding header (gzip, deflate or br) when the request asks for compression; the body reflects a request parameter (send an unusual marker string and look for it in the response, and note whether it survives HTML escaping); and the same body contains a secret such as a CSRF token. Check every route that carries a secret, not only the login page, and test through the real edge (CDN, load balancer), because those may compress on their own even when the origin does not. Tools that automate the length measurement exist, but the three conditions above are enough to decide whether a route needs the mitigations.
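The check described above, as an added example that is not part of the original post: a triage function that takes a captured response (header map and body), the marker string that was sent in the request, and a pattern for the secret, and reports which BREACH preconditions the response meets. The two sample responses are constructed here, not captured from any site; in practice you would feed it responses fetched with a client that sends an Accept-Encoding header, one route at a time.

```python
import re

COMPRESSED = {"gzip", "deflate", "br", "zstd"}        # Content-Encoding values that mean "compressed"
SECRET_RE = r'name="csrf_token" value="([0-9a-f]+)"'  # what the secret looks like on this (constructed) page

# Constructed sample responses (header map, body); not captured from any real server.
VULNERABLE = (
    {"Content-Type": "text/html", "Content-Encoding": "gzip", "Vary": "Accept-Encoding"},
    '<p>No results for: zzprobe42</p>\n'
    '<input type="hidden" name="csrf_token" value="3f9c1e7a2d5b">',
)
HARDENED = (
    {"Content-Type": "text/html"},   # same page after gzip was switched off for this route
    '<p>No results for: zzprobe42</p>\n'
    '<input type="hidden" name="csrf_token" value="3f9c1e7a2d5b">',
)


def breach_preconditions(headers: dict, body: str, probe: str, secret_re: str) -> dict:
    """Report which BREACH preconditions a response meets.

    headers:   response header map (any case); body: decoded response body;
    probe:     the unusual marker sent in the request to detect reflection;
    secret_re: regex matching the secret expected in the page.
    'exposed' is True only when all three conditions hold at once."""
    lowered = {k.lower(): v for k, v in headers.items()}
    encodings = {
        e.strip().lower()
        for e in lowered.get("content-encoding", "").split(",")
        if e.strip()
    }
    findings = {
        "compressed": bool(encodings & COMPRESSED),
        "reflects_input": probe in body,
        "contains_secret": re.search(secret_re, body) is not None,
    }
    findings["exposed"] = all(findings.values())
    return findings


if __name__ == "__main__":
    for name, response in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        print(name, breach_preconditions(*response, "zzprobe42", SECRET_RE))
```

Pick a probe that cannot occur in the page by accident, and run the check once per route that emits a secret: a result of compressed=False on the login page says nothing about the search page.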

Important Considerations

  • Disabling compression for every response costs bandwidth and latency; static assets carry no secrets, so keep compressing those and switch compression off only on the dynamic routes that return secrets next to user input.
  • Rotating the CSRF token on every request also defeats the attack but breaks the back button and multi-tab use; masking gives the same protection without that cost.
  • Review the configuration whenever the edge changes: a new CDN or proxy that compresses by default silently reintroduces the problem.