Alert group: BREACH attack
This web application is potentially vulnerable to the BREACH attack.
An attacker with the ability to:
- Inject partial chosen plaintext into a victim's requests
- Measure the size of encrypted traffic
can leverage information leaked by compression to recover targeted parts of the plaintext.
BREACH (Browser Reconnaissance & Exfiltration via Adaptive Compression of Hypertext) is a
category of vulnerabilities and not a specific instance affecting a specific piece of software. To be
vulnerable, a web application must:
- Be served from a server that uses HTTP-level compression
- Reflect user input in HTTP response bodies
- Reflect a secret (such as a CSRF token) in HTTP response bodies
The mitigations are ordered by effectiveness (not by their practicality - as this may differ from one
application to another).
- Disabling HTTP compression
- Separating secrets from user input
- Randomizing secrets per request
- Masking secrets (effectively randomizing by XORing with a random secret per request)
- Protecting vulnerable pages with CSRF
- Length hiding (by adding a random number of bytes to the responses)
- Rate-limiting the requests
This alert was issued because the following conditions were met:
- The page content is served via HTTPS
- The server is using HTTP-level compression
- URL encoded GET input returnto was reflected into the HTTP response body.
- HTTP response body contains a secret named wpCreateaccountToken
Authorization: Basic YW5vbnltb3VzOmFub255bW91cw==
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko)