 |
Inicial ▼ Bookkeeping
Online ▼ Auditorias ▼
DNS
Administrado ▼
Acerca de DNS
Ordenar/Renovar
Preguntas Frecuentes
AUP
Dynamic DNS Clients
Configurar Dominios Dynamic DNS Update Password Monitoreo
de Redes ▼
Enterprise
Avanzado
Estándarr
Prueba
Preguntas Frecuentes
Resumen de Precio/Funciones
Ordenar
Muestras
Configure/Status Alert Profiles | ||
| ID de Prueba: | 1.3.6.1.4.1.25623.1.0.117414 |
| Categoría: | SSL and TLS |
| Título: | SSL/TLS: BREACH attack against HTTP compression |
| Resumen: | SSL/TLS connections are vulnerable to the 'BREACH' (Browser; Reconnaissance & Exfiltration via Adaptive Compression of Hypertext) attack. |
| Descripción: | Summary: SSL/TLS connections are vulnerable to the 'BREACH' (Browser Reconnaissance & Exfiltration via Adaptive Compression of Hypertext) attack. Vulnerability Insight: Angelo Prado, Neal Harris and Yoel Gluck reported that SSL/TLS attacks are still viable via a 'BREACH' (Browser Reconnaissance & Exfiltration via Adaptive Compression of Hypertext) attack, which they describe as: While CRIME was mitigated by disabling TLS/SPDY compression (and by modifying gzip to allow for explicit separation of compression contexts in SPDY), BREACH attacks HTTP responses. These are compressed using the common HTTP compression, which is much more common than TLS-level compression. This allows essentially the same attack demonstrated by Duong and Rizzo, but without relying on TLS-level compression (as they anticipated). It is important to note that the attack is agnostic to the version of TLS/SSL, and does not require TLS-layer compression. Additionally, the attack works against any cipher suite. Against a stream cipher, the attack is simpler: The difference in sizes across response bodies is much more granular in this case. If a block cipher is used, additional work must be done to align the output to the cipher text blocks. Vulnerability Impact: The flaw makes it easier for man-in-the-middle attackers to obtain plaintext secret values. Affected Software/OS: BREACH is a category of vulnerabilities and not a specific instance affecting a specific piece of software. To be vulnerable, a web application must: - Be served from a server that uses HTTP-level compression - Reflect user-input in HTTP response bodies - Reflect a secret (such as a CSRF token) in HTTP response bodies Solution: The following mitigation possibilities are available: 1. Disabling HTTP compression 2. Separating secrets from user input 3. Randomizing secrets per request 4. Masking secrets (effectively randomizing by XORing with a random secret per request) 5. Protecting vulnerable pages with CSRF 6. Length hiding (by adding random number of bytes to the responses) 7. Rate-limiting the requests Note: The mitigations are ordered by effectiveness (not by their practicality - as this may differ from one application to another). CVSS Score: 4.3 CVSS Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N |
| Referencia Cruzada: |
Common Vulnerability Exposure (CVE) ID: CVE-2013-3587 http://breachattack.com/ http://github.com/meldium/breach-mitigation-rails http://security.stackexchange.com/questions/20406/is-http-compression-safe#20407 http://slashdot.org/story/13/08/05/233216 http://www.iacr.org/cryptodb/archive/2002/FSE/3091/3091.pdf http://www.kb.cert.org/vuls/id/987798 https://bugzilla.redhat.com/show_bug.cgi?id=995168 https://hackerone.com/reports/254895 https://support.f5.com/csp/article/K14634 https://www.blackhat.com/us-13/briefings.html#Prado https://www.djangoproject.com/weblog/2013/aug/06/breach-and-django/ https://lists.apache.org/thread.html/r7f0e9cfd166934172d43ca4c272b8bdda4a343036229d9937affd1e1@%3Cdev.httpd.apache.org%3E |
| Copyright | Copyright (C) 2021 Greenbone AG |
| Esta es sólo una de 146377 pruebas de vulnerabilidad en nuestra serie de pruebas. Encuentre más sobre cómo ejecutar una auditoría de seguridad completa. Para ejecutar una prueba gratuita de esta vulnerabilidad contra su sistema, regístrese ahora. |