Friday, April 15, 2016

Explanation: BREACH Attack

The Browser Reconnaissance and Exfiltration via Adaptive Compression of Hypertext (BREACH) attack is a compression side-channel attack that targets secrets contained in HTTP responses delivered with HTTP compression.

HTTP compression is normally performed with the DEFLATE algorithm, a data compression algorithm that combines LZ77 compression with Huffman coding. When data is compressed with this algorithm, repeated byte sequences in the input are detected and are not repeated in the output; instead, each repeated sequence is stored only once, and every later occurrence is replaced by a pointer back to where the same sequence was already emitted. The more of the input that can be expressed through such back-references, the shorter the output.

Therefore, even when the response is encrypted, the length of the compressed data remains visible, and this is one of the fundamental elements that makes the BREACH attack possible. For an application to be vulnerable to BREACH, it must be served with HTTP compression, and the same HTTP response body must contain both user-controlled input and a secret, such as an anti-Cross-Site Request Forgery (anti-CSRF) token. An attacker exploiting a BREACH vulnerability would need a means to observe the victim's traffic and a means to make the victim's browser send HTTP requests to the vulnerable server, which could be done by persuading the victim to visit a malicious site controlled by the attacker. Such a site would be crafted so as not to arouse suspicion on the victim's end.
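The two preceding paragraphs can be reproduced on a local, constructed page. The example below is added here and is not code from the original post: it uses Python's `zlib` (an implementation of DEFLATE) in place of the web server's HTTP compression, a constructed HTML body, a constructed anti-CSRF token `SECRET_TOKEN`, and hypothetical helper names. `vulnerable_lengths` shows the length side channel: when the reflected user input repeats bytes of the secret, LZ77 turns them into a back-reference and the compressed body gets shorter. `mask_token` / `unmask_token` then apply per-response token masking, one of the standard BREACH mitigations: the body carries a random mask and the token XORed with that mask, so the literal token bytes never appear in the compressed output and a reflected guess has nothing to match against.

```python
"""DEFLATE length side channel behind BREACH, and per-response token masking.

Added example with constructed data; not from the original post.
"""
import secrets
import zlib

# Constructed secret: the kind of anti-CSRF token a page embeds in its body.
SECRET_TOKEN = "9f3a7b2c1d4e"


def render_response(user_input: str, csrf_field: str) -> bytes:
    """Build a constructed HTML body that reflects user input next to a secret."""
    body = (
        "<html><body>"
        f"<form><input type='hidden' name='csrf' value='{csrf_field}'></form>"
        f"<p>You searched for: {user_input}</p>"
        "</body></html>"
    )
    return body.encode()


def compressed_length(body: bytes) -> int:
    """Length of the HTTP-compressed body: the one thing TLS does not hide."""
    return len(zlib.compress(body, 6))


def vulnerable_lengths(candidates):
    """Compressed size of the page when the reflected input carries each candidate.

    The raw token is in the body (the vulnerable configuration), so a candidate
    that repeats a prefix of the token is encoded as a back-reference and the
    response shrinks; a non-matching candidate costs one literal per byte.
    """
    return {
        c: compressed_length(render_response(f"value='{c}", SECRET_TOKEN))
        for c in candidates
    }


def mask_token(token: str, mask: bytes = b"") -> str:
    """Per-response masking: emit hex(mask) || hex(token XOR mask).

    A fresh mask is drawn for every response unless one is supplied (for tests),
    so the token's literal bytes never appear in the body for LZ77 to match.
    """
    raw = token.encode()
    mask = mask or secrets.token_bytes(len(raw))
    masked = bytes(a ^ b for a, b in zip(raw, mask))
    return mask.hex() + masked.hex()


def unmask_token(field: str) -> str:
    """Server side: recover the token from a submitted masked field."""
    raw = bytes.fromhex(field)
    half = len(raw) // 2
    mask, masked = raw[:half], raw[half:]
    return bytes(a ^ b for a, b in zip(mask, masked)).decode()


def hardened_body(user_input: str) -> bytes:
    """Same page, but the form field carries the masked token instead."""
    return render_response(user_input, mask_token(SECRET_TOKEN))


if __name__ == "__main__":
    lens = vulnerable_lengths(["9f3a7b2c", "qwertyui"])
    print("vulnerable lengths:", lens)  # the matching prefix compresses shorter
    body = hardened_body("value='9f3a7b2c")
    print("token literal present in hardened body:", SECRET_TOKEN.encode() in body)
```

Masking does not change the compressed length of the page in a way the attacker can exploit, because the masked field is fresh random-looking data on every response and the secret itself is never repeated in the output. Disabling compression for responses that mix user input and secrets, or separating the two into different responses, removes the precondition entirely.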