CVE-2013-3587
Apache HTTP Server vulnerability analysis and mitigation

Overview

The BREACH (Browser Reconnaissance & Exfiltration via Adaptive Compression of Hypertext) vulnerability (CVE-2013-3587) affects HTTPS when it is combined with HTTP-level compression. It allows a man-in-the-middle attacker to recover plaintext secret values by observing length differences across a series of guesses, where a string the attacker places in the HTTP request URL is reflected into the response and may partially match an unknown secret string in the HTTP response body (CERT VU, BREACH Attack).

Technical details

The attack requires several conditions to be met:
1) An HTTPS-enabled endpoint using a stream cipher such as RC4, or a block cipher with adaptive padding
2) The attacker must be able to measure the size of the HTTPS responses
3) Use of HTTP-level compression (e.g. gzip)
4) A request parameter that is reflected in the response body
5) A static secret in the body (e.g. a CSRF token)
6) A relatively static response
The attack works by sending a series of requests with different guesses for the secret and observing the compressed response length: when the reflected guess shares a prefix with the secret, the compressor encodes the secret as a back-reference and the response becomes slightly shorter, which lets the attacker confirm the guess one character at a time. A successful attack can be executed with approximately 1,000-4,000 requests within 30 seconds (CERT VU).

Impact

When successfully exploited, this vulnerability allows attackers to recover sensitive information like CSRF tokens, session IDs, and other secret values from encrypted HTTPS traffic. This can lead to session hijacking, account compromise, and other security breaches. The vulnerability affects a wide range of web applications that use both HTTPS and HTTP compression (BREACH Attack).

Mitigation and workarounds

Several mitigation strategies are recommended:
1) Disable HTTP compression
2) Separate secrets from user input
3) Randomize secrets in each client request
4) Mask secrets by XORing them with a random secret per request
5) Protect pages with CSRF protections
6) Add random padding to responses to obscure length differences
For example, Django recommends disabling its GZip middleware and the web server's compression modules (Django Blog, CERT VU).
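The following added example (not from the original report, CERT, or any of the projects cited) illustrates both the mechanism described under Technical details and mitigations 4 and 6 above. It builds a constructed HTML page that reflects a request parameter and embeds a made-up CSRF token, measures the DEFLATE-compressed length with and without a correct prefix guess, and then shows per-request XOR masking and random padding of the token field so that the literal secret never appears in the compressible body. The page content, token value, and function names are all assumptions made for the example.

```python
import zlib
import secrets

# Constructed sample page: reflects a request parameter (the search string) and
# carries a static per-session secret (a CSRF token). Both values are made up.
CSRF_TOKEN = "a7f3c9e1b2d4"


def render_page(reflected: str, token_field: str) -> bytes:
    """Build a response body that reflects user input and embeds a token field."""
    return (
        "<html><body>"
        f"<p>Search results for: {reflected}</p>"
        '<form method="post">'
        f'<input type="hidden" name="csrf_token" value="{token_field}">'
        "</form></body></html>"
    ).encode()


def compressed_len(body: bytes) -> int:
    """Length on the wire after DEFLATE, as mod_deflate or gzip would produce."""
    return len(zlib.compress(body, 6))


def length_delta(reflected_wrong: str, reflected_right: str, token_field: str) -> int:
    """How many bytes shorter the compressed response is when the reflected input
    matches the start of the token field, compared with a non-matching input.
    A positive value is exactly the side channel the report describes."""
    wrong = compressed_len(render_page(reflected_wrong, token_field))
    right = compressed_len(render_page(reflected_right, token_field))
    return wrong - right


def mask_token(token: str) -> str:
    """Mitigation 4: XOR the secret with a fresh random mask on every request and
    send mask||masked (hex), so the literal token never appears in the body and a
    reflected guess has nothing stable to compress against."""
    raw = token.encode()
    mask = secrets.token_bytes(len(raw))
    masked = bytes(a ^ b for a, b in zip(raw, mask))
    return (mask + masked).hex()


def unmask_token(field: str) -> str:
    """Server side: recover the secret from the submitted mask||masked field."""
    data = bytes.fromhex(field)
    half = len(data) // 2
    mask, masked = data[:half], data[half:]
    return bytes(a ^ b for a, b in zip(mask, masked)).decode()


def pad_body(body: bytes, max_pad: int = 32) -> bytes:
    """Mitigation 6: append a random amount of random (hence poorly compressible)
    data inside an HTML comment, so a single response length reveals less."""
    n = secrets.randbelow(max_pad + 1)
    return body + b"<!-- " + secrets.token_hex(n).encode() + b" -->"


if __name__ == "__main__":
    prefix = 'csrf_token" value="'
    d = length_delta(prefix + "b8e2d0", prefix + CSRF_TOKEN[:6], CSRF_TOKEN)
    print("unmasked page: a correct 6-char prefix guess saves", d, "bytes")
    field = mask_token(CSRF_TOKEN)
    print("masked field:", field, "-> unmasks to", unmask_token(field))
    print("padded length:", len(pad_body(render_page("x", field))))
```

Running the block shows a positive byte saving for the correct prefix guess on the unmasked page, which is the signal an observer on the network would measure. With masking, the token field is different on every response even though the underlying secret is constant, so guesses cannot accumulate across requests; padding alone only adds noise and is weaker than masking or disabling compression, which is why the report lists it last.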

Community reactions

The vulnerability received significant attention after its presentation at Black Hat USA 2013. Major web frameworks like Django issued security advisories and recommended mitigations. Red Hat noted that their Enterprise Linux 5 and 6 httpd packages were not vulnerable by default as DEFLATE compression was not enabled in the default configuration (Red Hat Bugzilla).
