Page MenuHomePhabricator
Create Task
Maniphest T238062

Alert group: BREACH attack
Closed, InvalidPublic
Actions

Description

/w/index.php
Alert group: BREACH attack
Severity Medium
Description
This web application is potentially vulnerable to the BREACH attack.
An attacker with the ability to:
Inject partial chosen plaintext into a victim's requests
Measure the size of encrypted traffic
can leverage information leaked by compression to recover targeted parts of the plaintext.
BREACH (Browser Reconnaissance & Exfiltration via Adaptive Compression of Hypertext) is a
category of vulnerabilities and not a specific instance affecting a specific piece of software. To be
vulnerable, a web application must:
Be served from a server that uses HTTP-level compression
Reflect user-input in HTTP response bodies
Reflect a secret (such as a CSRF token) in HTTP response bodies
Recommendations
The mitigations are ordered by effectiveness (not by their practicality - as this may differ from one
application to another).
Disabling HTTP compression
Separating secrets from user input
Randomizing secrets per request
Masking secrets (effectively randomizing by XORing with a random secret per request)
Protecting vulnerable pages with CSRF
Length hiding (by adding random number of bytes to the responses)
Rate-limiting the requests
Alert variants
Details
This alert was issued because the following conditions were met:
The page content is served via HTTPS
The server is using HTTP-level compression
URL encoded GET input returnto was reflected into the HTTP response body.
HTTP response body contains a secret named wpCreateaccountToken
GET /w/index.php?
returnto=%D9%88%DB%8C%DA%98%D9%87:%D8%AC%D8%B3%D8%AA%D8%AC%D9%889585451&returntoquery=go%253D%25
D8%25A8%25D8%25B1%25D9%2588%2526search%253Dthe&title=%D9%88%DB%8C%DA%98%D9%87:%D8%A7%DB%8C%D8%AC
%D8%A7%D8%AF_%D8%AD%D8%B3%D8%A7%D8%A8_%DA%A9%D8%A7%D8%B1%D8%A8%D8%B1%DB%8C HTTP/1.1
Referer: https://wikicod.ir/w/index.php
Connection: keep-alive
Cookie: vector-nav-p-HTML_.D9.88_CSS=true;vector-navp-.D8.AC.D8.A7.D9.88.D8.A7_.D8.A7.D8.B3.DA.A9.D8.B1.DB.8C.D9.BE.D8.AA=false;vector-nav-pServer_Side=false;vector-nav-p-Programming=false;vector-nav-ptb=false;wikicod_coddb_wikicod__session=rqe73jqgdkt7g5f4svo838m7lv53h58t;mf_useformat=true;stopM
obileRedirect=true
Authorization: Basic YW5vbnltb3VzOmFub255bW91cw==
Accept: */*
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko)
Chrome/41.0.2228.0 Safari/537.21

Event Timeline

SokoteZaman created this task.Nov 12 2019, 12:42 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptNov 12 2019, 12:42 PM
SokoteZaman updated the task description. (Show Details)Nov 12 2019, 12:49 PM
sbassett closed this task as Invalid.Nov 12 2019, 3:48 PM
sbassett subscribed.

This is unrelated to any Wikimedia production website or project and is instead an issue with the website against which this scan was run: wikicod.ir. Resolving as invalid.

sbassett triaged this task as Lowest priority.Nov 12 2019, 3:59 PM
sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".
sbassett moved this task from Backlog / Other to Done on the acl*security board.
chasemp added a project: Security.Feb 10 2020, 11:00 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:18 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL