From a01fd3406634570edc9dc064504e5399e767dcf6 Mon Sep 17 00:00:00 2001
From: NDevTK <31563761+NDevTK@users.noreply.github.com>
Date: Sun, 20 Jun 2021 17:23:56 +0100
Subject: [PATCH 01/23] Create compression-leaks

---
 content/docs/attacks/compression-leaks | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)
 create mode 100644 content/docs/attacks/compression-leaks

diff --git a/content/docs/attacks/compression-leaks b/content/docs/attacks/compression-leaks
new file mode 100644
index 000000000..d0c5ee3cc
--- /dev/null
+++ b/content/docs/attacks/compression-leaks
@@ -0,0 +1,24 @@
++++
+title = "Compression leaks"
+description = ""
+date = "2020-10-08"
+category = [
+ "Attack",
+]
+abuse = [
+ "Window References",
+]
+defenses = [
+ "Cross-Origin-Opener-Policy",
+ "SameSite Cookies"
+]
+menu = "main"
+weight = 2
++++
+When HTTP compression is used and theres reflected input such as from the URL it maybe possible to leak the contents of a website.
+This is because when content is repeated it is more compressible this results in a smaler download that is detectable using timing attacks such as using the window "unload" event.
+
+## HIST
+An example of this attack is [HIST](https://www.blackhat.com/docs/us-16/materials/us-16-VanGoethem-HEIST-HTTP-Encrypted-Information-Can-Be-Stolen-Through-TCP-Windows.pdf)
+The primany defense for this attack is to disable third-party cookies however window navgation timings are not affected by this.
+So also setting a Cross-Origin-Opener-Policy may make this attack harder since it prevents a window from being reused after a navagtion away has been completed.

From ec7f4c134842f8595882d30c11f35248efc760c0 Mon Sep 17 00:00:00 2001
From: NDevTK <31563761+NDevTK@users.noreply.github.com>
Date: Sun, 20 Jun 2021 17:49:06 +0100
Subject: [PATCH 02/23] Update compression-leaks

---
 content/docs/attacks/compression-leaks | 1 +
 1 file changed, 1 insertion(+)

diff --git a/content/docs/attacks/compression-leaks b/content/docs/attacks/compression-leaks
index d0c5ee3cc..343ade9b6 100644
--- a/content/docs/attacks/compression-leaks
+++ b/content/docs/attacks/compression-leaks
@@ -17,6 +17,7 @@ weight = 2
 +++
 When HTTP compression is used and theres reflected input such as from the URL it maybe possible to leak the contents of a website.
 This is because when content is repeated it is more compressible this results in a smaler download that is detectable using timing attacks such as using the window "unload" event.
+The benfit of this is that the size change is controled by the attacker the server always respond with same responce.
 
 ## HIST
 An example of this attack is [HIST](https://www.blackhat.com/docs/us-16/materials/us-16-VanGoethem-HEIST-HTTP-Encrypted-Information-Can-Be-Stolen-Through-TCP-Windows.pdf)

From 010e8c6c9d56187d28a74cd0083cb87894d3e6eb Mon Sep 17 00:00:00 2001
From: NDevTK <31563761+NDevTK@users.noreply.github.com>
Date: Sun, 20 Jun 2021 17:49:49 +0100
Subject: [PATCH 03/23] Update compression-leaks

---
 content/docs/attacks/compression-leaks | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/content/docs/attacks/compression-leaks b/content/docs/attacks/compression-leaks
index 343ade9b6..fbe249e80 100644
--- a/content/docs/attacks/compression-leaks
+++ b/content/docs/attacks/compression-leaks
@@ -17,7 +17,7 @@ weight = 2
 +++
 When HTTP compression is used and theres reflected input such as from the URL it maybe possible to leak the contents of a website.
 This is because when content is repeated it is more compressible this results in a smaler download that is detectable using timing attacks such as using the window "unload" event.
-The benfit of this is that the size change is controled by the attacker the server always respond with same responce.
+The benfit of this is that the size change is controled by the attacker so the server can always respond with same responce.
 
 ## HIST
 An example of this attack is [HIST](https://www.blackhat.com/docs/us-16/materials/us-16-VanGoethem-HEIST-HTTP-Encrypted-Information-Can-Be-Stolen-Through-TCP-Windows.pdf)

From ad505e876af937cfeaddebc1e5b88b1daa13ff91 Mon Sep 17 00:00:00 2001
From: NDevTK <31563761+NDevTK@users.noreply.github.com>
Date: Sun, 20 Jun 2021 17:52:49 +0100
Subject: [PATCH 04/23] Rename compression-leaks to compression-leaks.md

---
 content/docs/attacks/{compression-leaks => compression-leaks.md} | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename content/docs/attacks/{compression-leaks => compression-leaks.md} (100%)

diff --git a/content/docs/attacks/compression-leaks b/content/docs/attacks/compression-leaks.md
similarity index 100%
rename from content/docs/attacks/compression-leaks
rename to content/docs/attacks/compression-leaks.md

From fa1e91cc5317d8ded57ecace624a91ecd5722149 Mon Sep 17 00:00:00 2001
From: NDevTK <31563761+NDevTK@users.noreply.github.com>
Date: Sun, 20 Jun 2021 18:58:00 +0100
Subject: [PATCH 05/23] Update compression-leaks.md

---
 content/docs/attacks/compression-leaks.md | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/content/docs/attacks/compression-leaks.md b/content/docs/attacks/compression-leaks.md
index fbe249e80..8255ffc5b 100644
--- a/content/docs/attacks/compression-leaks.md
+++ b/content/docs/attacks/compression-leaks.md
@@ -23,3 +23,7 @@ The benfit of this is that the size change is controled by the attacker so the s
 An example of this attack is [HIST](https://www.blackhat.com/docs/us-16/materials/us-16-VanGoethem-HEIST-HTTP-Encrypted-Information-Can-Be-Stolen-Through-TCP-Windows.pdf)
 The primany defense for this attack is to disable third-party cookies however window navgation timings are not affected by this.
 So also setting a Cross-Origin-Opener-Policy may make this attack harder since it prevents a window from being reused after a navagtion away has been completed.
+
+## Projects
+There are multiple tools to exploit this behaviour such as [decrypto-org/rupture](https://github.com/decrypto-org/rupture)
+[nealharris/BREACH](https://github.com/nealharris/BREACH)

From c54fb5e04907343b29bef97cdd5d655c96478465 Mon Sep 17 00:00:00 2001
From: NDevTK <31563761+NDevTK@users.noreply.github.com>
Date: Sun, 20 Jun 2021 19:00:39 +0100
Subject: [PATCH 06/23] Update compression-leaks.md

---
 content/docs/attacks/compression-leaks.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/content/docs/attacks/compression-leaks.md b/content/docs/attacks/compression-leaks.md
index 8255ffc5b..7ae24ab8a 100644
--- a/content/docs/attacks/compression-leaks.md
+++ b/content/docs/attacks/compression-leaks.md
@@ -25,5 +25,5 @@ The primany defense for this attack is to disable third-party cookies however wi
 So also setting a Cross-Origin-Opener-Policy may make this attack harder since it prevents a window from being reused after a navagtion away has been completed.
 
 ## Projects
-There are multiple tools to exploit this behaviour such as [decrypto-org/rupture](https://github.com/decrypto-org/rupture)
+There are multiple tools to exploit this behaviour such as [decrypto-org/rupture](https://github.com/decrypto-org/rupture) and
 [nealharris/BREACH](https://github.com/nealharris/BREACH)

From 58688551dda23cfd9646bbd4c504bbf6cf20f303 Mon Sep 17 00:00:00 2001
From: NDevTK <31563761+NDevTK@users.noreply.github.com>
Date: Tue, 22 Jun 2021 15:22:24 +0100
Subject: [PATCH 07/23] Update compression-leaks.md

---
 content/docs/attacks/compression-leaks.md | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/content/docs/attacks/compression-leaks.md b/content/docs/attacks/compression-leaks.md
index 7ae24ab8a..208fe5bef 100644
--- a/content/docs/attacks/compression-leaks.md
+++ b/content/docs/attacks/compression-leaks.md
@@ -15,7 +15,7 @@ defenses = [
 menu = "main"
 weight = 2
 +++
-When HTTP compression is used and theres reflected input such as from the URL it maybe possible to leak the contents of a website.
+When HTTP compression is used and theres reflected input such as from the URL or chat messages it maybe possible to leak the contents of a website.
 This is because when content is repeated it is more compressible this results in a smaler download that is detectable using timing attacks such as using the window "unload" event.
 The benfit of this is that the size change is controled by the attacker so the server can always respond with same responce.
 
@@ -24,6 +24,10 @@ An example of this attack is [HIST](https://www.blackhat.com/docs/us-16/material
 The primany defense for this attack is to disable third-party cookies however window navgation timings are not affected by this.
 So also setting a Cross-Origin-Opener-Policy may make this attack harder since it prevents a window from being reused after a navagtion away has been completed.
 
+## BREACH
+An example of this attack for leaking HTTPS traffic is [BREACH](http://breachattack.com/resources/BREACH%20-%20SSL,%20gone%20in%2030%20seconds.pdf) this uses a network sniffer to perform the timings attacks.
+
+
 ## Projects
 There are multiple tools to exploit this behaviour such as [decrypto-org/rupture](https://github.com/decrypto-org/rupture) and
 [nealharris/BREACH](https://github.com/nealharris/BREACH)

From 060c1184fafd7f7700ab9d886b3c832126df12d6 Mon Sep 17 00:00:00 2001
From: NDevTK <31563761+NDevTK@users.noreply.github.com>
Date: Tue, 22 Jun 2021 15:26:17 +0100
Subject: [PATCH 08/23] Update compression-leaks.md

---
 content/docs/attacks/compression-leaks.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/content/docs/attacks/compression-leaks.md b/content/docs/attacks/compression-leaks.md
index 208fe5bef..95a37247a 100644
--- a/content/docs/attacks/compression-leaks.md
+++ b/content/docs/attacks/compression-leaks.md
@@ -15,7 +15,7 @@ defenses = [
 menu = "main"
 weight = 2
 +++
-When HTTP compression is used and theres reflected input such as from the URL or chat messages it maybe possible to leak the contents of a website.
+When compression is used and theres reflected input such as from the URL or chat messages it maybe possible to leak the contents of a website.
 This is because when content is repeated it is more compressible this results in a smaler download that is detectable using timing attacks such as using the window "unload" event.
 The benfit of this is that the size change is controled by the attacker so the server can always respond with same responce.
 

From 0033a3417f5f051866cacd8093a9e9be31021d76 Mon Sep 17 00:00:00 2001
From: NDevTK <31563761+NDevTK@users.noreply.github.com>
Date: Tue, 22 Jun 2021 15:27:29 +0100
Subject: [PATCH 09/23] Update compression-leaks.md

---
 content/docs/attacks/compression-leaks.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/content/docs/attacks/compression-leaks.md b/content/docs/attacks/compression-leaks.md
index 95a37247a..bf62d6275 100644
--- a/content/docs/attacks/compression-leaks.md
+++ b/content/docs/attacks/compression-leaks.md
@@ -16,7 +16,7 @@ menu = "main"
 weight = 2
 +++
 When compression is used and theres reflected input such as from the URL or chat messages it maybe possible to leak the contents of a website.
-This is because when content is repeated it is more compressible this results in a smaler download that is detectable using timing attacks such as using the window "unload" event.
+This is because when content is repeated it is more compressible which results in a smaler download that is detectable using timing attacks such as using the window "unload" event.
 The benfit of this is that the size change is controled by the attacker so the server can always respond with same responce.
 
 ## HIST

From 2d54ef8b5cd259cbdf1c0cb2c7f34fc675bb6b6f Mon Sep 17 00:00:00 2001
From: NDevTK <31563761+NDevTK@users.noreply.github.com>
Date: Tue, 22 Jun 2021 15:34:42 +0100
Subject: [PATCH 10/23] Update compression-leaks.md

---
 content/docs/attacks/compression-leaks.md | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/content/docs/attacks/compression-leaks.md b/content/docs/attacks/compression-leaks.md
index bf62d6275..cb0d7bf50 100644
--- a/content/docs/attacks/compression-leaks.md
+++ b/content/docs/attacks/compression-leaks.md
@@ -27,7 +27,12 @@ So also setting a Cross-Origin-Opener-Policy may make this attack harder since i
 ## BREACH
 An example of this attack for leaking HTTPS traffic is [BREACH](http://breachattack.com/resources/BREACH%20-%20SSL,%20gone%20in%2030%20seconds.pdf) this uses a network sniffer to perform the timings attacks.
 
-
 ## Projects
 There are multiple tools to exploit this behaviour such as [decrypto-org/rupture](https://github.com/decrypto-org/rupture) and
 [nealharris/BREACH](https://github.com/nealharris/BREACH)
+
+## Defenses
+- Seprate requests for secrets
+- Disable compression
+- SameSite cookies
+- Cross-Origin-Opener-Policy

From 615b7c3ac58a1618ccaa6fc64bbc73c794f10782 Mon Sep 17 00:00:00 2001
From: NDevTK <31563761+NDevTK@users.noreply.github.com>
Date: Tue, 22 Jun 2021 15:36:40 +0100
Subject: [PATCH 11/23] Update compression-leaks.md

---
 content/docs/attacks/compression-leaks.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/content/docs/attacks/compression-leaks.md b/content/docs/attacks/compression-leaks.md
index cb0d7bf50..618644a1d 100644
--- a/content/docs/attacks/compression-leaks.md
+++ b/content/docs/attacks/compression-leaks.md
@@ -25,7 +25,7 @@ The primany defense for this attack is to disable third-party cookies however wi
 So also setting a Cross-Origin-Opener-Policy may make this attack harder since it prevents a window from being reused after a navagtion away has been completed.
 
 ## BREACH
-An example of this attack for leaking HTTPS traffic is [BREACH](http://breachattack.com/resources/BREACH%20-%20SSL,%20gone%20in%2030%20seconds.pdf) this uses a network sniffer to perform the timings attacks.
+An example of this attack for leaking HTTPS traffic is [BREACH](http://breachattack.com/resources/BREACH%20-%20SSL,%20gone%20in%2030%20seconds.pdf) this uses a network sniffer to get the response size.
 
 ## Projects
 There are multiple tools to exploit this behaviour such as [decrypto-org/rupture](https://github.com/decrypto-org/rupture) and

From aa3518741c3d45ec4bb7ccef84f8ca6337ee4e92 Mon Sep 17 00:00:00 2001
From: NDevTK <31563761+NDevTK@users.noreply.github.com>
Date: Tue, 22 Jun 2021 16:02:56 +0100
Subject: [PATCH 12/23] Update compression-leaks.md

---
 content/docs/attacks/compression-leaks.md | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/content/docs/attacks/compression-leaks.md b/content/docs/attacks/compression-leaks.md
index 618644a1d..a499f5d7a 100644
--- a/content/docs/attacks/compression-leaks.md
+++ b/content/docs/attacks/compression-leaks.md
@@ -32,7 +32,7 @@ There are multiple tools to exploit this behaviour such as [decrypto-org/rupture
 [nealharris/BREACH](https://github.com/nealharris/BREACH)
 
 ## Defenses
-- Seprate requests for secrets
 - Disable compression
-- SameSite cookies
-- Cross-Origin-Opener-Policy
+- Using seprate requests for secrets prevents an attacker from injecting data.
+- SameSite cookies prevents cookies being sent in cross origin elements.
+- Cross-Origin-Opener-Policy prevents window reuse for timing attacks.

From c77df3121f04257ef9dc392011e1157baca4557a Mon Sep 17 00:00:00 2001
From: NDevTK <31563761+NDevTK@users.noreply.github.com>
Date: Tue, 22 Jun 2021 16:32:14 +0100
Subject: [PATCH 13/23] Update compression-leaks.md

---
 content/docs/attacks/compression-leaks.md | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/content/docs/attacks/compression-leaks.md b/content/docs/attacks/compression-leaks.md
index a499f5d7a..8bce17dd8 100644
--- a/content/docs/attacks/compression-leaks.md
+++ b/content/docs/attacks/compression-leaks.md
@@ -27,6 +27,9 @@ So also setting a Cross-Origin-Opener-Policy may make this attack harder since i
 ## BREACH
 An example of this attack for leaking HTTPS traffic is [BREACH](http://breachattack.com/resources/BREACH%20-%20SSL,%20gone%20in%2030%20seconds.pdf) this uses a network sniffer to get the response size.
 
+## CRIME
+Migrated for SPDY and TLS-level compression.
+
 ## Projects
 There are multiple tools to exploit this behaviour such as [decrypto-org/rupture](https://github.com/decrypto-org/rupture) and
 [nealharris/BREACH](https://github.com/nealharris/BREACH)

From d2aa2c80a65086456686d2b0e5416494cae0a191 Mon Sep 17 00:00:00 2001
From: NDevTK <31563761+NDevTK@users.noreply.github.com>
Date: Tue, 22 Jun 2021 18:06:30 +0100
Subject: [PATCH 14/23] Update compression-leaks.md

---
 content/docs/attacks/compression-leaks.md | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/content/docs/attacks/compression-leaks.md b/content/docs/attacks/compression-leaks.md
index 8bce17dd8..075670388 100644
--- a/content/docs/attacks/compression-leaks.md
+++ b/content/docs/attacks/compression-leaks.md
@@ -19,15 +19,18 @@ When compression is used and theres reflected input such as from the URL or chat
 This is because when content is repeated it is more compressible which results in a smaler download that is detectable using timing attacks such as using the window "unload" event.
 The benfit of this is that the size change is controled by the attacker so the server can always respond with same responce.
 
-## HIST
+## HIST (2016)
 An example of this attack is [HIST](https://www.blackhat.com/docs/us-16/materials/us-16-VanGoethem-HEIST-HTTP-Encrypted-Information-Can-Be-Stolen-Through-TCP-Windows.pdf)
 The primany defense for this attack is to disable third-party cookies however window navgation timings are not affected by this.
 So also setting a Cross-Origin-Opener-Policy may make this attack harder since it prevents a window from being reused after a navagtion away has been completed.
 
-## BREACH
+## BREACH (2013)
 An example of this attack for leaking HTTPS traffic is [BREACH](http://breachattack.com/resources/BREACH%20-%20SSL,%20gone%20in%2030%20seconds.pdf) this uses a network sniffer to get the response size.
 
-## CRIME
+## TIME (2013)
+Simular to HIST, [TIME](https://owasp.org/www-pdf-archive/A_Perfect_CRIME_TIME_Will_Tell_-_Tal_Beery.pdf) used timings attacks to detect the size differences.
+
+## CRIME (2012)
 Migrated for SPDY and TLS-level compression.
 
 ## Projects

From ecb61acabca922d3dda75bb0b69dbcfc9802d719 Mon Sep 17 00:00:00 2001
From: NDevTK <31563761+NDevTK@users.noreply.github.com>
Date: Tue, 22 Jun 2021 18:09:25 +0100
Subject: [PATCH 15/23] Update compression-leaks.md

---
 content/docs/attacks/compression-leaks.md | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)

diff --git a/content/docs/attacks/compression-leaks.md b/content/docs/attacks/compression-leaks.md
index 075670388..458e81af7 100644
--- a/content/docs/attacks/compression-leaks.md
+++ b/content/docs/attacks/compression-leaks.md
@@ -8,27 +8,27 @@ category = [
 abuse = [
 "Window References",
 ]
-defenses = [
+defences = [
 "Cross-Origin-Opener-Policy",
 "SameSite Cookies"
 ]
 menu = "main"
 weight = 2
 +++
-When compression is used and theres reflected input such as from the URL or chat messages it maybe possible to leak the contents of a website.
-This is because when content is repeated it is more compressible which results in a smaler download that is detectable using timing attacks such as using the window "unload" event.
-The benfit of this is that the size change is controled by the attacker so the server can always respond with same responce.
+When compression is used and there’s reflected input such as from the URL or chat messages it may be possible to leak the contents of a website.
+This is because when content is repeated it is more compressible which results in a smaller download that is detectable using timing attacks such as using the window "unload" event.
+The benefit of this is that the size change is controlled by the attacker so the server can always respond with same response.
 
 ## HIST (2016)
 An example of this attack is [HIST](https://www.blackhat.com/docs/us-16/materials/us-16-VanGoethem-HEIST-HTTP-Encrypted-Information-Can-Be-Stolen-Through-TCP-Windows.pdf)
-The primany defense for this attack is to disable third-party cookies however window navgation timings are not affected by this.
-So also setting a Cross-Origin-Opener-Policy may make this attack harder since it prevents a window from being reused after a navagtion away has been completed.
+The primary defence for this attack is to disable third-party cookies however window navigation timings are not affected by this.
+So also setting a Cross-Origin-Opener-Policy may make this attack harder since it prevents a window from being reused after a navigation away has been completed.
 
 ## BREACH (2013)
 An example of this attack for leaking HTTPS traffic is [BREACH](http://breachattack.com/resources/BREACH%20-%20SSL,%20gone%20in%2030%20seconds.pdf) this uses a network sniffer to get the response size.
 
 ## TIME (2013)
-Simular to HIST, [TIME](https://owasp.org/www-pdf-archive/A_Perfect_CRIME_TIME_Will_Tell_-_Tal_Beery.pdf) used timings attacks to detect the size differences.
+Similar to HIST, [TIME](https://owasp.org/www-pdf-archive/A_Perfect_CRIME_TIME_Will_Tell_-_Tal_Beery.pdf) used timings attacks to detect the size differences.
 
 ## CRIME (2012)
 Migrated for SPDY and TLS-level compression.
@@ -37,8 +37,8 @@ Migrated for SPDY and TLS-level compression.
 There are multiple tools to exploit this behaviour such as [decrypto-org/rupture](https://github.com/decrypto-org/rupture) and
 [nealharris/BREACH](https://github.com/nealharris/BREACH)
 
-## Defenses
+## Defences
 - Disable compression
-- Using seprate requests for secrets prevents an attacker from injecting data.
+- Using separate requests for secrets prevents an attacker from injecting data.
 - SameSite cookies prevents cookies being sent in cross origin elements.
 - Cross-Origin-Opener-Policy prevents window reuse for timing attacks.

From 288228feb3dc3c7e51c1b906f8a5f84aa4ed393f Mon Sep 17 00:00:00 2001
From: NDevTK <31563761+NDevTK@users.noreply.github.com>
Date: Wed, 7 Jul 2021 02:12:59 +0100
Subject: [PATCH 16/23] Update compression-leaks.md

---
 content/docs/attacks/compression-leaks.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/content/docs/attacks/compression-leaks.md b/content/docs/attacks/compression-leaks.md
index 458e81af7..9f5a3fae0 100644
--- a/content/docs/attacks/compression-leaks.md
+++ b/content/docs/attacks/compression-leaks.md
@@ -21,6 +21,7 @@ The benefit of this is that the size change is controlled by the attacker so the
 
 ## HIST (2016)
 An example of this attack is [HIST](https://www.blackhat.com/docs/us-16/materials/us-16-VanGoethem-HEIST-HTTP-Encrypted-Information-Can-Be-Stolen-Through-TCP-Windows.pdf)
+this used timing attacks so that no MITM is needed,
 The primary defence for this attack is to disable third-party cookies however window navigation timings are not affected by this.
 So also setting a Cross-Origin-Opener-Policy may make this attack harder since it prevents a window from being reused after a navigation away has been completed.
 

From 9505704f0011ac814ae14f7914a10a446772fce1 Mon Sep 17 00:00:00 2001
From: NDevTK <31563761+NDevTK@users.noreply.github.com>
Date: Fri, 23 Jul 2021 23:00:44 +0100
Subject: [PATCH 17/23] Added CSRF to prevent attacks

---
 content/docs/attacks/compression-leaks.md | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/content/docs/attacks/compression-leaks.md b/content/docs/attacks/compression-leaks.md
index 9f5a3fae0..b8e11b52d 100644
--- a/content/docs/attacks/compression-leaks.md
+++ b/content/docs/attacks/compression-leaks.md
@@ -23,7 +23,6 @@ The benefit of this is that the size change is controlled by the attacker so the
 An example of this attack is [HIST](https://www.blackhat.com/docs/us-16/materials/us-16-VanGoethem-HEIST-HTTP-Encrypted-Information-Can-Be-Stolen-Through-TCP-Windows.pdf)
 this used timing attacks so that no MITM is needed,
 The primary defence for this attack is to disable third-party cookies however window navigation timings are not affected by this.
-So also setting a Cross-Origin-Opener-Policy may make this attack harder since it prevents a window from being reused after a navigation away has been completed.
 
 ## BREACH (2013)
 An example of this attack for leaking HTTPS traffic is [BREACH](http://breachattack.com/resources/BREACH%20-%20SSL,%20gone%20in%2030%20seconds.pdf) this uses a network sniffer to get the response size.
@@ -39,7 +38,7 @@ There are multiple tools to exploit this behaviour such as [decrypto-org/rupture
 [nealharris/BREACH](https://github.com/nealharris/BREACH)
 
 ## Defences
-- Disable compression
-- Using separate requests for secrets prevents an attacker from injecting data.
+- Disable compression.
+- Using separate requests for secrets prevents an attacker from injecting data and with CSRF protection it can also prevent timing attacks with the unload event.
 - SameSite cookies prevents cookies being sent in cross origin elements.
 - Cross-Origin-Opener-Policy prevents window reuse for timing attacks.

From cce64e78c9b90ddca3f33aaed4c589ae9305f807 Mon Sep 17 00:00:00 2001
From: NDevTK <31563761+NDevTK@users.noreply.github.com>
Date: Sun, 25 Jul 2021 15:19:55 +0100
Subject: [PATCH 18/23] Add network sniffer to summary

---
 content/docs/attacks/compression-leaks.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/content/docs/attacks/compression-leaks.md b/content/docs/attacks/compression-leaks.md
index b8e11b52d..df88ed143 100644
--- a/content/docs/attacks/compression-leaks.md
+++ b/content/docs/attacks/compression-leaks.md
@@ -16,7 +16,7 @@ menu = "main"
 weight = 2
 +++
 When compression is used and there’s reflected input such as from the URL or chat messages it may be possible to leak the contents of a website.
-This is because when content is repeated it is more compressible which results in a smaller download that is detectable using timing attacks such as using the window "unload" event.
+This is because when content is repeated it is more compressible which results in a smaller download that is detectable using a network sniffer for a [Chosen-plaintext attack](https://en.wikipedia.org/wiki/Chosen-plaintext_attack) or with timing attacks such as using the window "unload" event.
 The benefit of this is that the size change is controlled by the attacker so the server can always respond with same response.
 
 ## HIST (2016)

From e8428ec31aa162cf68a55df64b40205222422c37 Mon Sep 17 00:00:00 2001
From: NDevTK <31563761+NDevTK@users.noreply.github.com>
Date: Fri, 10 Sep 2021 14:31:12 +0100
Subject: [PATCH 19/23] Update compression-leaks.md

---
 content/docs/attacks/compression-leaks.md | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/content/docs/attacks/compression-leaks.md b/content/docs/attacks/compression-leaks.md
index df88ed143..d433e88d3 100644
--- a/content/docs/attacks/compression-leaks.md
+++ b/content/docs/attacks/compression-leaks.md
@@ -17,7 +17,7 @@ weight = 2
 +++
 When compression is used and there’s reflected input such as from the URL or chat messages it may be possible to leak the contents of a website.
 This is because when content is repeated it is more compressible which results in a smaller download that is detectable using a network sniffer for a [Chosen-plaintext attack](https://en.wikipedia.org/wiki/Chosen-plaintext_attack) or with timing attacks such as using the window "unload" event.
-The benefit of this is that the size change is controlled by the attacker so the server can always respond with same response.
+The benefit of this is that the size change is controlled by the attacker so the server can always respond with same response excluding the reflected content from the attacker.
 
 ## HIST (2016)
 An example of this attack is [HIST](https://www.blackhat.com/docs/us-16/materials/us-16-VanGoethem-HEIST-HTTP-Encrypted-Information-Can-Be-Stolen-Through-TCP-Windows.pdf)
@@ -39,6 +39,6 @@ There are multiple tools to exploit this behaviour such as [decrypto-org/rupture
 
 ## Defences
 - Disable compression.
-- Using separate requests for secrets prevents an attacker from injecting data and with CSRF protection it can also prevent timing attacks with the unload event.
-- SameSite cookies prevents cookies being sent in cross origin elements.
+- Using separate requests for secrets prevents an attacker from injecting data and with CSRF protection it can also prevent timing attacks.
+- SameSite cookies prevents cookies being sent in cross origin requests.
 - Cross-Origin-Opener-Policy prevents window reuse for timing attacks.

From ed4065982119a231576242d9f96081c2ca36dff1 Mon Sep 17 00:00:00 2001
From: NDevTK <31563761+NDevTK@users.noreply.github.com>
Date: Tue, 1 Feb 2022 10:33:21 +0000
Subject: [PATCH 20/23] Update compression-leaks.md

---
 content/docs/attacks/compression-leaks.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/content/docs/attacks/compression-leaks.md b/content/docs/attacks/compression-leaks.md
index d433e88d3..c6ae1981b 100644
--- a/content/docs/attacks/compression-leaks.md
+++ b/content/docs/attacks/compression-leaks.md
@@ -40,5 +40,5 @@ There are multiple tools to exploit this behaviour such as [decrypto-org/rupture
 ## Defences
 - Disable compression.
 - Using separate requests for secrets prevents an attacker from injecting data and with CSRF protection it can also prevent timing attacks.
-- SameSite cookies prevents cookies being sent in cross origin requests.
+- SameSite cookies prevents cookies being sent in cross site requests.
 - Cross-Origin-Opener-Policy prevents window reuse for timing attacks.

From 63f439af66b8979215bedec79293903d97d9d772 Mon Sep 17 00:00:00 2001
From: NDevTK <31563761+NDevTK@users.noreply.github.com>
Date: Tue, 1 Feb 2022 10:58:15 +0000
Subject: [PATCH 21/23] Update compression-leaks.md

---
 content/docs/attacks/compression-leaks.md | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/content/docs/attacks/compression-leaks.md b/content/docs/attacks/compression-leaks.md
index c6ae1981b..fe8297ae6 100644
--- a/content/docs/attacks/compression-leaks.md
+++ b/content/docs/attacks/compression-leaks.md
@@ -19,8 +19,8 @@ When compression is used and there’s reflected input such as from the URL or c
 This is because when content is repeated it is more compressible which results in a smaller download that is detectable using a network sniffer for a [Chosen-plaintext attack](https://en.wikipedia.org/wiki/Chosen-plaintext_attack) or with timing attacks such as using the window "unload" event.
 The benefit of this is that the size change is controlled by the attacker so the server can always respond with same response excluding the reflected content from the attacker.
 
-## HIST (2016)
-An example of this attack is [HIST](https://www.blackhat.com/docs/us-16/materials/us-16-VanGoethem-HEIST-HTTP-Encrypted-Information-Can-Be-Stolen-Through-TCP-Windows.pdf)
+## HEIST (2016)
+An example of this attack is [HEIST](https://www.blackhat.com/docs/us-16/materials/us-16-VanGoethem-HEIST-HTTP-Encrypted-Information-Can-Be-Stolen-Through-TCP-Windows.pdf)
 this used timing attacks so that no MITM is needed,
 The primary defence for this attack is to disable third-party cookies however window navigation timings are not affected by this.
 
@@ -28,7 +28,7 @@ The primary defence for this attack is to disable third-party cookies however wi
 An example of this attack for leaking HTTPS traffic is [BREACH](http://breachattack.com/resources/BREACH%20-%20SSL,%20gone%20in%2030%20seconds.pdf) this uses a network sniffer to get the response size.
 
 ## TIME (2013)
-Similar to HIST, [TIME](https://owasp.org/www-pdf-archive/A_Perfect_CRIME_TIME_Will_Tell_-_Tal_Beery.pdf) used timings attacks to detect the size differences.
+Similar to HEIST, [TIME](https://owasp.org/www-pdf-archive/A_Perfect_CRIME_TIME_Will_Tell_-_Tal_Beery.pdf) used timings attacks to detect the size differences.
 
 ## CRIME (2012)
 Migrated for SPDY and TLS-level compression.

From 86899c7b4739a4e366902824f7f1c9ba0600bc3d Mon Sep 17 00:00:00 2001
From: NDevTK <31563761+NDevTK@users.noreply.github.com>
Date: Tue, 1 Feb 2022 11:04:06 +0000
Subject: [PATCH 22/23] Update compression-leaks.md

---
 content/docs/attacks/compression-leaks.md | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/content/docs/attacks/compression-leaks.md b/content/docs/attacks/compression-leaks.md
index fe8297ae6..b1af75a3d 100644
--- a/content/docs/attacks/compression-leaks.md
+++ b/content/docs/attacks/compression-leaks.md
@@ -21,14 +21,15 @@ The benefit of this is that the size change is controlled by the attacker so the
 
 ## HEIST (2016)
 An example of this attack is [HEIST](https://www.blackhat.com/docs/us-16/materials/us-16-VanGoethem-HEIST-HTTP-Encrypted-Information-Can-Be-Stolen-Through-TCP-Windows.pdf)
-this used timing attacks so that no MITM is needed,
-The primary defence for this attack is to disable third-party cookies however window navigation timings are not affected by this.
+this used timing attacks so that no MITM is needed,
+The primary defence for this attack is to disable third-party cookies.
 
 ## BREACH (2013)
 An example of this attack for leaking HTTPS traffic is [BREACH](http://breachattack.com/resources/BREACH%20-%20SSL,%20gone%20in%2030%20seconds.pdf) this uses a network sniffer to get the response size.
 
 ## TIME (2013)
-Similar to HEIST, [TIME](https://owasp.org/www-pdf-archive/A_Perfect_CRIME_TIME_Will_Tell_-_Tal_Beery.pdf) used timings attacks to detect the size differences.
+Similar to HEIST, [TIME](https://owasp.org/www-pdf-archive/A_Perfect_CRIME_TIME_Will_Tell_-_Tal_Beery.pdf) used timings attacks to detect the size differences.
+The primary defence for this attack is to disable third-party cookies however window navigation timings are not affected by this.
 
 ## CRIME (2012)
 Migrated for SPDY and TLS-level compression.

From 77c5cbe5a69882655969c469c727b356e69595f8 Mon Sep 17 00:00:00 2001
From: NDevTK <31563761+NDevTK@users.noreply.github.com>
Date: Tue, 1 Feb 2022 11:11:07 +0000
Subject: [PATCH 23/23] Update compression-leaks.md

---
 content/docs/attacks/compression-leaks.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/content/docs/attacks/compression-leaks.md b/content/docs/attacks/compression-leaks.md
index b1af75a3d..59f2595f7 100644
--- a/content/docs/attacks/compression-leaks.md
+++ b/content/docs/attacks/compression-leaks.md
@@ -22,6 +22,7 @@ The benefit of this is that the size change is controlled by the attacker so the
 ## HEIST (2016)
 An example of this attack is [HEIST](https://www.blackhat.com/docs/us-16/materials/us-16-VanGoethem-HEIST-HTTP-Encrypted-Information-Can-Be-Stolen-Through-TCP-Windows.pdf)
 this used timing attacks so that no MITM is needed,
+Unlike TIME the attack relies on knowing the time that the first byte arrived (i.e. when fetch() resolves), as well as when the full response has been downloaded (e.g. via responseEnd);
 The primary defence for this attack is to disable third-party cookies.
 
 ## BREACH (2013)