An nginx module to prevent generic compression oracles
cf-nocompress
example_attack
.gitignore
LICENSE
README.md
nginx.patch

cf-nocompress

The repository contains a proof-of-concept mitigation for compression oracle attacks as detailed here. The repository is split into two folders. The first, cf-nocompress, contains an NGINX plugin that uses selective compression to mitigate such attacks. The second, example_attack, is a tool that can verify whether a website is vulnerable to the attack.

The websites https://compression.website/ and https://compression.website/unsafe/ demonstrate this mitigation in action.