You are here

BREACH attack: Disable compression for cross-origin requests

Affects product: 
Airlock WAF
Affects version(s): 
5.x and newer

This tutorial is related to the BREACH vulnerability described in https://techzone.ergon.ch/breach and provides a fix for the vulnerability. Consider this solution if response compression is mandatory. If disabling response compression is an option we recommend rather to do that for simplicity.

The described steps in this tutorial will globally deactivate the compression on certain types of HTTP requests. The decision for the compression is based on the HTTP referer header. The fix assumes that the BREACH attacker is not able to forge this header (if he can do so he may anyway have the capability to read content from the target page). Since compression depends on the referer header the following HTTP responses will no longer be compressed:

  • First page accessed by the client (landing page)
  • Pages called from bookmarks or typed-in URLs
  • Refreshed pages
  • Pages requested by special HTTP clients not sending a referer header
  • Resources like images, JavaScript, CSS which are sourced from foreign domains.

Example: Domain appA.com sources the JavaScript file appB.js from www.appB.com with the following HTML tag:

<script type="text/javascript" src="https://appB.com/appB.js"></script>

In this case the file appB.js will be delivered uncompressed.

Note that compression test tools like https://checkgzipcompression.com do not send HTTP referer headers for their tests and will therefore report that Airlock WAF does not compress responses. To verify compression we recommend to check that the reponse header "Content-Encoding: gzip" exists using a common web browser like Chrome or Firefox (use Developer Toolbar).


Configuration steps on Airlock WAF 7.x and newer

Airlock WAF 7.0 and later protects from BREACH attacks by default, by implementing the mitigation described in this article. To deactivate the mitigation and enabling compression for all responses, the following Apache Expert setting must be set on the mapping where compression is activated:

SetEnvIfExpr true !no-gzip

Configuration steps on Airlock WAF 5.x and 6.x:

  1. Sign in to "Airlock Configuration Center" as admin.
  2. Go to "Expert Settings - Security Gate / Apache".
  3. Configure the following Apache Expert-Setting:

    # BEGIN: BREACH attack mitigation, CVE-2013-3587

    SetEnvIfExpr "%{HTTP_REFERER} -strmatch 'https://%{HTTP_HOST}/*' || %{HTTPS} == 'off'" same-origin=1

    SetEnvIf same-origin ^$ no-gzip

    # END: BREACH attack mitigation, CVE-2013-3587

     

  4. Activate the configuration.

Knowledge Base Categories: