breach-https
old python script to demo the BREACH HTTPS vulnerability
git clone https://9o.is/git/breach-https.git
slides.html
(6752B)
<!DOCTYPE html>
<html>
<head>
<title>BREACH</title>

<meta charset='utf-8'>
<script
src='http://html5slides.googlecode.com/svn/trunk/slides.js'></script>
</head>

<style>
/* Your individual styles here, or just use inline styles if that’s
what you want. */

.biglogo {
background: url("images/logo_breach.png") no-repeat scroll 50% 50% white !important;
}
.slides.template-default > article:not(.nobackground):not(.biglogo) {
background: url("images/logo_breach.png") no-repeat scroll 710px 625px white !important;
}
</style>

<body style='display: none'>

<section class='slides layout-regular template-default'>

<!-- Your slides (<article>s) go here. Delete or comment out the
slides below. -->


<article class='biglogo'>
<p style="text-align:center">
Browser Reconnaissance &amp; Exfiltration via Adaptive Compression of Hypertext
</p>
</article>

<article>
<h1>
What is it?
<br>
Vulnerability in HTTPS
</h1>
<p>
Presented at this year's Black Hat conference.
<br>
Drew a lot of attention.
</p>
</article>

<article>
<h1>
BREACH attacks the HTTPS response body
</h1>
<ul>
<li>reveals secret values (CSRF token, ViewState etc.)</li>
<li>Similar to CRIME in 2012, which attacks HTTP request headers and reveals ???</li>
</ul>
</article>

<article>
<h1 style="margin:0">
How does BREACH do it?
</h1>
<ul>
<li>
Man in the Middle
</li>
<li>
force requests to the web server as the victim (inject iframes/imgs)
</li>
<li>
Targeted attack - the web service must be vulnerable
</li>
<li>
requires compression of the server's response
</li>
<li>
requires user input to be reflected in the HTTP response body
</li>
<li>
there's a secret value in the response body
</li>
<li>
be able to read the response length (TLS does not hide this)
</li>
<li>
As little "noise" as possible from the web server
</li>
<li>
Agnostic to encryption
</li>
</ul>
</article>

<article>
<img src="images/user-input.png" />
</article>

<article class='smaller'>
<h1>
Oracle Attack
</h1>
<p>
fire some questions at a system, observe the answers that come back, and use them to infer facts that the answers didn't intend to disclose
</p>
<p>encryption + compression + user input = oracle attack</p>
</article>

<article class=''>
<h1>
What is BREACH's Oracle?
</h1>
<ul>
<li>Measure the size delta</li>
<li>Guess byte by byte (requires ~1000 requests, depends, but it's not a brute force)</li>
<li>Error recovery</li>
</ul>
</article>

<article class=''>
<h1 style="margin:0">
LZ77: How does it work?
</h1>
<p style="text-align:center">
<img src="images/lz77.gif" width="810" height="430" />
</p>
</article>

<article class=''>
<h1 style="margin:0">
LZ77
</h1>
<img src="images/gzip_incorrect.png" />
</article>

<article class=''>
<h1 style="margin:0">
LZ77
</h1>
<img src="images/gzip_correct.png" />
</article>

<article>
<h1>
EASY! EASY! EASY!
</h1>
<ul><li>Just gotta do it byte by byte</li><li>Why did we only find out now?</li></ul>
</article>

<article>
<h1>
Theoretically Speaking
</h1>
<p>
People were aware of this attack.
<br>- Grandchild of CRIME 2012
<br>- NSA controversies
</p>
</article>

<article class=''>
<h1>
But, Practically Speaking, there are roadblocks
</h1>
</article>



<article class=''>
<h1 style="margin:0">
Huffman Coding
</h1>
<p>
<img src="images/huffman_what.png" />
</p>
</article>

<article class=''>
<h1 style="margin:0">
Huffman Coding
</h1>
<p>
<img src="images/huffman_nightmare.png" />
</p>
</article>

<article class=''>
<h1 style="margin:0">
Doomed? No
</h1>
<p style="text-align:center">
Solution: Padding and 2 Tries
<br><br>
<img src="images/guesspad.png" />
<br><br>
<img src="images/padguess.png" />
<br>
A or B?
<br>
<img src="images/guesspadchart.png" />
</p>
<p>
You don't compare the sizes of the different guesses directly, but the difference in size with the padding placed before and after the guess.
</p>
</article>

<article class=''>
<h1 style="margin:0">
False Negatives
</h1>
<p style="text-align:center">
due to "subtle inner workings in Deflate"<br>
Solution: Try different padding sizes
<br><br>
<img src="images/padsize1.png" />
<br><br>
<img src="images/padsize2.png" />
<br><br>
<img src="images/padsize3.png" />
<br><br>
<img src="images/padsize4.png" />
</p>
</article>

<article class=''>
<h1 style="margin:0">
False Positives
</h1>
<ul class="build">
<li>
"Look Ahead"
</li>
<li>
<img src="images/ahead1.png" />
<br>
<img src="images/ahead2.png" />
<br>
<img src="images/ahead3.png" />
<br>
<img src="images/ahead4.png" />
</li>
<li>
<img src="images/ahead5.png" />
<br>
<img src="images/ahead6.png" />
</li>
</ul>
</article>

<article class='smaller'>
<h1>
Other Obstacles
</h1>
<p>
Won't cover the more advanced obstacles and recoveries; they are not in the PoC code.
</p>
</article>

<article class='smaller'>
<iframe src="http://breachattack.com"></iframe>
</article>

</section>

</body>
</html>
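The slides "How does BREACH do it?" and "What is BREACH's Oracle?" list the conditions (compression, reflected input, a secret in the body, a visible length) and the size delta the oracle measures. The Python below is an added example, not the script in this repo: on a constructed response body it computes that delta, then applies per-response token masking (the mitigation Django and Rails adopted against BREACH) and shows the delta collapse. The token value, the page template and every function name are constructed for this example.

```python
import os
import zlib

# Constructed sample token; not a real secret from any system.
SECRET_TOKEN = "3f9a7c1e2b8d4e6f"
WRONG_GUESS = "7e2c0b9d5a1f6c3e"  # constructed, shares no 3-byte run with the body
PREFIX = 'csrftoken" value="'     # known context that precedes the secret in the body


def render_page(token: str, reflected: str) -> bytes:
    """Constructed body meeting the slide's conditions: a secret in the body
    and user input reflected into the same body."""
    return (
        '<html><body><form><input type="hidden" name="csrftoken" '
        f'value="{token}"></form><p>You searched for: {reflected}</p>'
        '</body></html>'
    ).encode()


def compressed_len(body: bytes) -> int:
    """Length after DEFLATE, the one thing TLS does not hide about the body."""
    return len(zlib.compress(body, 9))


def length_leak(render, right: str, wrong: str) -> int:
    """The oracle from the slides: bytes saved when the reflected input repeats
    the secret. LZ77 turns the repeat into a back-reference, so a positive delta
    means the response length is confirming the guess."""
    return compressed_len(render(PREFIX + wrong)) - compressed_len(render(PREFIX + right))


def mask_token(secret: str, pad=None) -> str:
    """Mitigation: XOR the token with a fresh one-time pad and send pad||masked.
    Each response carries different bytes, so the body never repeats the secret."""
    pad = os.urandom(len(secret)) if pad is None else pad
    masked = bytes(a ^ b for a, b in zip(pad, secret.encode()))
    return (pad + masked).hex()


def unmask_token(masked_hex: str) -> str:
    """Server side: recover the real token from pad||masked before comparing."""
    raw = bytes.fromhex(masked_hex)
    half = len(raw) // 2
    return bytes(a ^ b for a, b in zip(raw[:half], raw[half:])).decode()


def unmasked_delta() -> int:
    return length_leak(lambda r: render_page(SECRET_TOKEN, r), SECRET_TOKEN, WRONG_GUESS)


def masked_delta() -> int:
    token = mask_token(SECRET_TOKEN)  # one mask for both probes isolates the guess's effect
    return length_leak(lambda r: render_page(token, r), SECRET_TOKEN, WRONG_GUESS)
```

With the plain token the delta is a clear multi-byte gap, which is what the byte-by-byte guessing on the slides relies on; with the masked token both probes cost the same literals and the gap is gone apart from Huffman noise.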