BREACH (CVE-2013-3587)
Posted 15 Dec 2018
Browser Reconnaissance and Exfiltration via Adaptive Compression of Hypertext is a method of exploitation which is identical to CRIME, with the exception that BREACH targets HTTP compression whereas CRIME targets TLS compression. This means that TLS compression is not required for this attack to work.
The scenario is the same. An attacker forces the victim's browser to connect to a TLS-enabled third-party website while monitoring the traffic between victim and server by performing a man-in-the-middle attack.
For a web application to be vulnerable it must satisfy the following conditions:
- Be served from a server that uses HTTP-level compression
- Reflect user input in HTTP response bodies
- Reflect a secret (such as a CSRF token) in HTTP response bodies (values that appear only in HTTP headers, particularly the Cookie header, are therefore safe from this attack)
Prevention
- Disable HTTP compression
- Separate secrets from user input
- Randomize secrets per request
- Mask secrets (effectively randomizing them by XORing with a fresh random value on every request)
- Protect vulnerable pages with CSRF protection
- Length hiding (add a random number of bytes to each response)
- Rate-limit requests
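The "masking secrets" mitigation, as an added example that is not part of the original post: the per-session CSRF secret is XORed with a fresh random mask on every response and emitted as mask || (secret XOR mask), so the bytes in the page body change each time and no fixed secret string is left for the compressor to match against attacker-controlled input. The helper names and the 32-byte token length are assumptions for the example.

```python
import secrets
import base64

TOKEN_LEN = 32  # assumed secret length for this example


def generate_csrf_secret() -> bytes:
    """Per-session secret kept server-side (e.g. in the session store)."""
    return secrets.token_bytes(TOKEN_LEN)


def mask_token(secret: bytes) -> str:
    """Return a one-time masked form of the secret for embedding in a page.

    A new random mask is drawn per call, so two responses carrying the same
    underlying secret contain different byte strings in the body.
    """
    mask = secrets.token_bytes(len(secret))
    masked = bytes(s ^ m for s, m in zip(secret, mask))
    return base64.urlsafe_b64encode(mask + masked).decode("ascii")


def unmask_token(field: str) -> bytes:
    """Recover the secret from a masked field (mask is the first half)."""
    raw = base64.urlsafe_b64decode(field.encode("ascii"))
    half = len(raw) // 2
    mask, masked = raw[:half], raw[half:]
    return bytes(m ^ c for m, c in zip(mask, masked))


def verify_csrf(session_secret: bytes, submitted_field: str) -> bool:
    """Check a submitted masked token against the session secret."""
    try:
        raw = base64.urlsafe_b64decode(submitted_field.encode("ascii"))
    except ValueError:  # binascii.Error is a subclass of ValueError
        return False
    if len(raw) != 2 * len(session_secret):
        return False
    candidate = unmask_token(submitted_field)
    # constant-time comparison so the check itself leaks no timing signal
    return secrets.compare_digest(candidate, session_secret)


if __name__ == "__main__":
    secret = generate_csrf_secret()
    first, second = mask_token(secret), mask_token(secret)
    print("distinct encodings:", first != second)
    print("both verify:", verify_csrf(secret, first) and verify_csrf(secret, second))
```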