CVE-2013-3587
CVE-2013-3587
The HTTPS protocol, as used in unspecified web applications, can encrypt compressed data without properly obfuscating the length of the unencrypted data, which makes it easier for man-in-the-middle attackers to obtain plaintext secret values by observing length differences during a series of guesses in which a string in an HTTP request URL potentially matches an unknown string in an HTTP response body, aka a "BREACH" attack, a different issue than CVE-2012-4929.
Produtos afetados
n/a · HTTPS protocolQuer saber se a sua infraestrutura está exposta a isto?
Falar com a TrueHacking →Referências
http://breachattack.com/http://github.com/meldium/breach-mitigation-railshttps://bugzilla.redhat.com/show_bug.cgi?id=995168http://security.stackexchange.com/questions/20406/is-http-compression-safe#20407https://hackerone.com/reports/254895http://slashdot.org/story/13/08/05/233216https://lists.apache.org/thread.html/r7f0e9cfd166934172d43ca4c272b8bdda4a343036229d9937affd1e1%40%3Cdev.httpd.apache.org%3Ehttps://support.f5.com/csp/article/K14634https://www.blackhat.com/us-13/briefings.html#Pradohttps://www.djangoproject.com/weblog/2013/aug/06/breach-and-django/http://www.iacr.org/cryptodb/archive/2002/FSE/3091/3091.pdfhttp://www.kb.cert.org/vuls/id/987798