Page MenuHomePhabricator

Alert group: BREACH attack
Closed, InvalidPublic

Description

/w/index.php
Alert group: BREACH attack
Severity Medium
Description
This web application is potentially vulnerable to the BREACH attack.
An attacker with the ability to:
Inject partial chosen plaintext into a victim's requests
Measure the size of encrypted traffic
can leverage information leaked by compression to recover targeted parts of the plaintext.
BREACH (Browser Reconnaissance & Exfiltration via Adaptive Compression of Hypertext) is a
category of vulnerabilities and not a specific instance affecting a specific piece of software. To be
vulnerable, a web application must:
Be served from a server that uses HTTP-level compression
Reflect user-input in HTTP response bodies
Reflect a secret (such as a CSRF token) in HTTP response bodies
Recommendations
The mitigations are ordered by effectiveness (not by their practicality - as this may differ from one
application to another).
Disabling HTTP compression
Separating secrets from user input
Randomizing secrets per request
Masking secrets (effectively randomizing by XORing with a random secret per request)
Protecting vulnerable pages with CSRF
Length hiding (by adding random number of bytes to the responses)
Rate-limiting the requests
Alert variants
Details
This alert was issued because the following conditions were met:
The page content is served via HTTPS
The server is using HTTP-level compression
URL encoded GET input returnto was reflected into the HTTP response body.
HTTP response body contains a secret named wpCreateaccountToken
GET /w/index.php?
returnto=%D9%88%DB%8C%DA%98%D9%87:%D8%AC%D8%B3%D8%AA%D8%AC%D9%889585451&returntoquery=go%253D%25
D8%25A8%25D8%25B1%25D9%2588%2526search%253Dthe&title=%D9%88%DB%8C%DA%98%D9%87:%D8%A7%DB%8C%D8%AC
%D8%A7%D8%AF_%D8%AD%D8%B3%D8%A7%D8%A8_%DA%A9%D8%A7%D8%B1%D8%A8%D8%B1%DB%8C HTTP/1.1
Referer: https://wikicod.ir/w/index.php
Connection: keep-alive
Cookie: vector-nav-p-HTML_.D9.88_CSS=true;vector-navp-.D8.AC.D8.A7.D9.88.D8.A7_.D8.A7.D8.B3.DA.A9.D8.B1.DB.8C.D9.BE.D8.AA=false;vector-nav-pServer_Side=false;vector-nav-p-Programming=false;vector-nav-ptb=false;wikicod_coddb_wikicod__session=rqe73jqgdkt7g5f4svo838m7lv53h58t;mf_useformat=true;stopM
obileRedirect=true
Authorization: Basic YW5vbnltb3VzOmFub255bW91cw==
Accept: */*
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko)
Chrome/41.0.2228.0 Safari/537.21

Event Timeline

sbassett added a subscriber: sbassett.

This is unrelated to any Wikimedia production website or project and is instead an issue with the website against which this scan was run: wikicod.ir. Resolving as invalid.

sbassett triaged this task as Lowest priority.Nov 12 2019, 3:59 PM
sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".
sbassett moved this task from Backlog / Other to Done on the acl*security board.