ToxicBunny

Honorary Master
Joined
Apr 8, 2006
Messages
83,185
It's a very interesting method...

But it doesn't reveal the SSL traffic (for those who don't feel like reading the article); it deduces things from changes in the size of the packets returned, etc.
 

Pada

Executive Member
Joined
Feb 18, 2009
Messages
8,171
This was one of the better briefings/demos that I saw at Black Hat.

Technically it cannot decrypt your SSL/TLS/HTTPS data. It's an XSS (Cross Site Scripting) exploit where they can brute-force secrets/tokens stored in the HTML source.

It was pretty impressive that they brute-forced a session token for Microsoft Outlook Web Access within 40 seconds and fewer than 1200 web requests!
The other cool thing about this attack is that they don't have to do a complicated MITM (man in the middle) attack to obtain those secrets.

This hack, in combination with other browser history discovery hacks that they demonstrated at Black Hat, would be pretty potent!

What they didn't say clearly in this news post is that this attack requires the browser and web server to be using compression. So if you disable compression in your browser, you will mitigate this attack. The same goes for disabling compression on the web server (both for content and TLS).
 

Gnome

Executive Member
Joined
Sep 19, 2005
Messages
5,786
Hmm, interesting.

It is probably possible to negate this by adding an element of randomness to your content before compressing. Use a secure number generator, add some kind of arbitrary data, then compress.
 

Pada

Executive Member
Joined
Feb 18, 2009
Messages
8,171
Hmm, interesting.

It is probably possible to negate this by adding an element of randomness to your content before compressing. Use a secure number generator, add some kind of arbitrary data, then compress.
Sure you can, but that would only prolong the process. Doing this is like #6 on their mitigation list.

Read more on http://breachattack.com/
The mitigations are ordered by effectiveness (not by their practicality - as this may differ from one application to another).

  1. Disabling HTTP compression
  2. Separating secrets from user input
  3. Randomizing secrets per request
  4. Masking secrets (effectively randomizing by XORing with a random secret per request)
  5. Protecting vulnerable pages with CSRF
  6. Length hiding (by adding random amount of bytes to the responses)
  7. Rate-limiting the requests
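An added example, not code from the thread or from breachattack.com: a small Python check of the compressed-length side channel the attack relies on, next to mitigation #4 (masking the secret with a fresh random value per response). The page body, the token value and the two guesses are constructed for the demonstration, and mask_token/unmask_token are names of my own.

```python
import os
import zlib

# Constructed values for this demonstration; none of them come from the thread.
SECRET = b"4f3a9d17c2b8e601"       # hypothetical per-session CSRF token
RIGHT_GUESS = SECRET               # attacker-reflected text equal to the token
WRONG_GUESS = b"a7c0e9b5d3f12846"  # same length and alphabet, no shared 3-grams

def render(reflected: bytes, token_field: bytes) -> bytes:
    """Constructed HTML body: reflected query text next to an embedded token."""
    return (b'<html><body><p>No results for "' + reflected + b'"</p>'
            b'<form><input type="hidden" name="csrf" value="' + token_field +
            b'"></form></body></html>')

def compressed_len(body: bytes) -> int:
    """Size on the wire after HTTP compression (DEFLATE, what gzip uses)."""
    return len(zlib.compress(body))

def mask_token(secret: bytes, mask: bytes = b"") -> bytes:
    """Mitigation #4: hex(mask) || hex(mask XOR secret) with a fresh random mask
    per response, so the literal secret never appears in the compressed body."""
    mask = mask or os.urandom(len(secret))
    masked = bytes(m ^ s for m, s in zip(mask, secret))
    return mask.hex().encode() + masked.hex().encode()

def unmask_token(field: bytes) -> bytes:
    """Server side: recover the secret from a submitted masked field."""
    raw = bytes.fromhex(field.decode())
    mask, masked = raw[:len(raw) // 2], raw[len(raw) // 2:]
    return bytes(m ^ s for m, s in zip(mask, masked))

def leak_count(token_field, trials: int) -> int:
    """Count responses where reflecting the true token compresses smaller than
    reflecting a wrong guess; each measurement is a fresh response."""
    wins = 0
    for _ in range(trials):
        right = compressed_len(render(RIGHT_GUESS, token_field()))
        wrong = compressed_len(render(WRONG_GUESS, token_field()))
        wins += right < wrong
    return wins

def unmasked_wins(trials: int = 8) -> int:
    return leak_count(lambda: SECRET, trials)  # equals trials: the side channel

def masked_wins(trials: int = 64) -> int:
    return leak_count(lambda: mask_token(SECRET), trials)  # no consistent win

if __name__ == "__main__":
    print(f"unmasked: right guess shorter in {unmasked_wins()}/8 responses")
    print(f"masked:   right guess shorter in {masked_wins()}/64 responses")
```

With the plain token the right guess wins every time because DEFLATE turns the second copy of the token into a back-reference; with masking, the body never contains the token, so the right guess has no consistent size advantage.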
 