SlideShare a Scribd company logo

New Developments in the BREACH attack

E Hacking
E Hacking

In consideration of BREACH attack in 2013, new developments have been made in the attack to exploit compression to compromise SSL connections.

Internet
1 of 37
Download to read offline
• Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level Practical New Developments in the BREACH Attack Dimitris Karakostas Dionysis Zindros
• Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level HTTPS is broken • BREACH broke HTTPS + RC4 in 2013 • People upgraded to AES – thought they were safe Today... • We show TLS + AES is still broken • HTTPS can be decrypted - quick and easy • We launch open source tool to do it here in Singapore
• Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level Overview • BREACH review • Our contributions • Statistical attacks • Attacking block ciphers • Attacking noise • Optimization techniques • Our tool: Rupture • Mitigation recommendations
• Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level Original BREACH research Introduced in Black Hat USA 2013 Yoel GluckAngelo Prado Neal Harris
• Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level BREACH attack anatomy
• Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level
• Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level Original BREACH assumptions Target website: • Uses HTTPS • Compresses response using gzip • Uses stream cipher • Response has zero noise • Contains end-point that reflects URL parameter
• Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level Original BREACH target 1. Steal secret in HTTPS response (CSRF tokens) 2. Use CSRF to impersonate victim client to victim server
• Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level Length leaks |E(A)| < |E(B)| ⇔ |A| < |B|
• Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level Let’s attack Gmail • m.gmail.com mobile Gmail view • Mobile search functionality uses HTTP POST – but HTTP GET still works :) • CSRF token included in response – valid for all of Gmail
• Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level Noise Reflection Secret
• Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level • Attacker guesses part of secret • Uses it in reflection • Compressed/encrypted response is shorter if right!
• Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level Original BREACH methodology • Guess part of secret and insert into reflection • Match? → Shorter length due to compression • No match? → Longer length • Bootstrap by guessing 3-byte sequence • Extend one character at a time • O(n|Σ|) complexity • n: length of secret • Σ: alphabet of secret
• Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level Can we really attack Gmail? • Uses AES • Has random bytes in response
• Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level Our contributions
• Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level Our contributions We extend the BREACH attack 1. Attack noisy end-points 2. Attack block cipher end-points 3. Optimize attack 4. Propose novel mitigation techniques The whole web is vulnerable
• Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level Statistical methods
• Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level Statistical methods • We can attack noisy end-points • Multiple requests per alphabet symbol • Take mean response length • m-sized noise → attack works in O(n|Σ|√m) • m = (max response size) - (min response size) • Length converges to correct results (LLN)
• Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level Statistical methods against block ciphers • Everyone uses block ciphers • Statistical methods break them • We introduce artificial noise • Block ciphers round length to 128-bits • In practice 16x more requests • Blocks aligned → Length difference measurable
• Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level Experimental results • AES_128 is vulnerable • Popular web services are vulnerable: • Gmail • Facebook • etc.
• Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level Optimizations
• Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level Optimizations overview Block ciphers cause 16x slowdown. We need to optimize. • Divide and conquer: 6x speed-up • Request soup: 16x speed-up • Browser parallelization: 6x speed-up Total ~ 500x speed-up!
• Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level Optimization: Divide & Conquer • Each request tries multiple candidates from alphabet • Partition alphabet using divide-and-conquer • Binary search on alphabet partitions • Reduces attack complexity from O(n|Σ|) to O(n lg|Σ|) • Practically this gives 6x speed-up
• Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level Binary search in alphabet space
• Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level Optimization: Request soup Problem: • Need 16x samples for block ciphers • But we only need the length mean Solution: • Responses come pipelined, can’t tell them apart • We don’t care! Measure total length • Divide by amount, extract mean
• Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level Optimization: Browser parallelization • Do 6x parallel requests; browsers support it • Each parallel request cannot adapt based on previous • But we need many samples of same candidates anyway • No need to adapt before we collect enough
• Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level RUPTURE
• Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level Today, we make BREACH easy • Over the past months, we’ve developed rupture • Today in Black Hat Asia 2016, we make it open source https://github.com/dionyziz/rupture ruptureit.com
• Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level Rupture • Extensible • Modular analysis / optimizations / strategies • Experiment with your own • General web attack framework • Can be adapted to work for CRIME, POODLE, … • Persistent command & control channel • Scalable architecture: Multiple attacks simultaneously • Come help us make it better
• Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level
• Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level Robust, persistent command & control • Automatically inject JS to HTTP • All plaintext connections infected • One tab at a time gets work from C&C server • User closes tab? Different tab starts attacking • User switches browsers? Works on different browser • Data collection failed for a sample? Sample recollected • User reboots computer? Attack continues
• Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level Persistent attack data storage • Collected data processed by Django middleware • Attack historical data stored permanently in MySQL db • Future analysis with new techniques possible
• Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level Rupture demo
• Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level Mitigation
• Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level First-party cookies • Don’t send auth cookies cross-origin • Backwards compatibility: Web server opts-in • Mike West implemented it in Chrome 51 • Coming April 8th Set-Cookie: SID=31d4d96e407aad42; First-Party
• Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level Key takeaways 1. HTTPS + gzip = broken 2. Rupture framework is live – attacks are easy 3. Enable first-party cookies on your web app
• Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level Thank you! Questions? twitter.com/dionyziz 45DC 00AE FDDF 5D5C B988 EC86 2DA4 50F3 AFB0 46C7 github.com/dimkarakostas DF46 7AFF 3398 BB31 CEA7 1E77 F896 1969 A339 D2E9

Recommended

Introduction+to+software+design
Introduction+to+software+designIntroduction+to+software+design
Introduction+to+software+designMunazza-Mah-Jabeen
 
Do characters abuse more than words?
Do characters abuse more than words?Do characters abuse more than words?
Do characters abuse more than words?Tharushi Ruwandika
 
Abusing belkin home automation devices
Abusing belkin home automation devicesAbusing belkin home automation devices
Abusing belkin home automation devicesmark-smith
 
How to Make People Click on a Dangerous Link Despite their Security Awareness
How to Make People Click on a Dangerous Link Despite their Security Awareness How to Make People Click on a Dangerous Link Despite their Security Awareness
How to Make People Click on a Dangerous Link Despite their Security Awareness mark-smith
 
Exploiting Linux On 32-bit and 64-bit Systems
Exploiting Linux On 32-bit and 64-bit SystemsExploiting Linux On 32-bit and 64-bit Systems
Exploiting Linux On 32-bit and 64-bit SystemsE Hacking
 
Ssl attacks
Ssl attacksSsl attacks
Ssl attacksn|u - The Open Security Community
 
Bypassing malware detection mechanisms in online banking
Bypassing malware detection mechanisms in online bankingBypassing malware detection mechanisms in online banking
Bypassing malware detection mechanisms in online bankingJakub Kałużny
 
DevSecOps Done Right - Strategies and Tools.pptx
DevSecOps Done Right - Strategies and Tools.pptxDevSecOps Done Right - Strategies and Tools.pptx
DevSecOps Done Right - Strategies and Tools.pptxDavide Benvegnù
 

Recommended

Introduction+to+software+design
Introduction+to+software+designIntroduction+to+software+design
Introduction+to+software+designMunazza-Mah-Jabeen
 
Do characters abuse more than words?
Do characters abuse more than words?Do characters abuse more than words?
Do characters abuse more than words?Tharushi Ruwandika
 
Abusing belkin home automation devices
Abusing belkin home automation devicesAbusing belkin home automation devices
Abusing belkin home automation devicesmark-smith
 
How to Make People Click on a Dangerous Link Despite their Security Awareness
How to Make People Click on a Dangerous Link Despite their Security Awareness How to Make People Click on a Dangerous Link Despite their Security Awareness
How to Make People Click on a Dangerous Link Despite their Security Awareness mark-smith
 
Exploiting Linux On 32-bit and 64-bit Systems
Exploiting Linux On 32-bit and 64-bit SystemsExploiting Linux On 32-bit and 64-bit Systems
Exploiting Linux On 32-bit and 64-bit SystemsE Hacking
 
Ssl attacks
Ssl attacksSsl attacks
Ssl attacksn|u - The Open Security Community
 
Bypassing malware detection mechanisms in online banking
Bypassing malware detection mechanisms in online bankingBypassing malware detection mechanisms in online banking
Bypassing malware detection mechanisms in online bankingJakub Kałużny
 
DevSecOps Done Right - Strategies and Tools.pptx
DevSecOps Done Right - Strategies and Tools.pptxDevSecOps Done Right - Strategies and Tools.pptx
DevSecOps Done Right - Strategies and Tools.pptxDavide Benvegnù
 
MongoDB and MongoMK Source Event
MongoDB and MongoMK Source EventMongoDB and MongoMK Source Event
MongoDB and MongoMK Source EventYuval Ararat
 
Well Planned is Half Done: Planning Projects in the Digitization World
Well Planned is Half Done: Planning Projects in the Digitization WorldWell Planned is Half Done: Planning Projects in the Digitization World
Well Planned is Half Done: Planning Projects in the Digitization WorldFlorida State University
 
DiscoveringDH_ManagingDigitalProjects
DiscoveringDH_ManagingDigitalProjectsDiscoveringDH_ManagingDigitalProjects
DiscoveringDH_ManagingDigitalProjectsFlorida State University
 
Using Solr to find the Right Person for the Right Job
Using Solr to find the Right Person for the Right JobUsing Solr to find the Right Person for the Right Job
Using Solr to find the Right Person for the Right JobLucidworks (Archived)
 
The Savage Curtain: Mobile SSL Failures
The Savage Curtain: Mobile SSL FailuresThe Savage Curtain: Mobile SSL Failures
The Savage Curtain: Mobile SSL Failures☠Tony Trummer☠
 
What to do when things go wrong with Drupal
What to do when things go wrong with DrupalWhat to do when things go wrong with Drupal
What to do when things go wrong with DrupalDrupalcampAtlanta2012
 
Inovatie locala, impact global
Inovatie locala, impact globalInovatie locala, impact global
Inovatie locala, impact globalCostin Raiu
 
Building Blockchain Solutions with Algorand Developer Tools
Building Blockchain Solutions with Algorand Developer ToolsBuilding Blockchain Solutions with Algorand Developer Tools
Building Blockchain Solutions with Algorand Developer ToolsRuss Fustino
 
Geek Sync | Successfully Migrating Existing Databases to Azure SQL Database
Geek Sync | Successfully Migrating Existing Databases to Azure SQL DatabaseGeek Sync | Successfully Migrating Existing Databases to Azure SQL Database
Geek Sync | Successfully Migrating Existing Databases to Azure SQL DatabaseIDERA Software
 
Securing Africa - 2009-2010
Securing Africa - 2009-2010Securing Africa - 2009-2010
Securing Africa - 2009-2010Costin Raiu
 
Geek Sync | Azure Cloud & You: First Steps for the DBA
Geek Sync | Azure Cloud & You: First Steps for the DBAGeek Sync | Azure Cloud & You: First Steps for the DBA
Geek Sync | Azure Cloud & You: First Steps for the DBAIDERA Software
 
Keep Calm and Migrate: How to survive a digital content migration
Keep Calm and Migrate: How to survive a digital content migrationKeep Calm and Migrate: How to survive a digital content migration
Keep Calm and Migrate: How to survive a digital content migrationFlorida State University
 
Microsoft Cloud Computing
Microsoft Cloud ComputingMicrosoft Cloud Computing
Microsoft Cloud ComputingOri Husyt (אורי הוסיט)
 
Geek Sync | Database People and DevOps: The Fundamentals
Geek Sync | Database People and DevOps: The FundamentalsGeek Sync | Database People and DevOps: The Fundamentals
Geek Sync | Database People and DevOps: The FundamentalsIDERA Software
 
NodeJS - KNOWARTH
NodeJS - KNOWARTHNodeJS - KNOWARTH
NodeJS - KNOWARTHKNOWARTH Technologies
 
7 ways of reducing tpm cost
7 ways of reducing tpm cost 7 ways of reducing tpm cost
7 ways of reducing tpm cost TradeInsight
 
Designing a press and swipe type single layered bangla soft keyboard for andr...
Designing a press and swipe type single layered bangla soft keyboard for andr...Designing a press and swipe type single layered bangla soft keyboard for andr...
Designing a press and swipe type single layered bangla soft keyboard for andr...Kaidul Islam
 
The Algorand Blockchain
The Algorand BlockchainThe Algorand Blockchain
The Algorand BlockchainRuss Fustino
 
Advantages & disadvantages of different communication routes
Advantages & disadvantages of different communication routesAdvantages & disadvantages of different communication routes
Advantages & disadvantages of different communication routesShwe Yee
 
Reading Notes : the practice of programming
Reading Notes : the practice of programmingReading Notes : the practice of programming
Reading Notes : the practice of programmingJuggernaut Liu
 
CEH and Security+ Training Outline - EH Academy
CEH and Security+ Training Outline - EH AcademyCEH and Security+ Training Outline - EH Academy
CEH and Security+ Training Outline - EH AcademyE Hacking
 
Threats against the next billion devices
Threats against the next billion devicesThreats against the next billion devices
Threats against the next billion devicesE Hacking
 

More Related Content

Similar to New Developments in the BREACH attack

MongoDB and MongoMK Source Event
MongoDB and MongoMK Source EventMongoDB and MongoMK Source Event
MongoDB and MongoMK Source EventYuval Ararat
 
Well Planned is Half Done: Planning Projects in the Digitization World
Well Planned is Half Done: Planning Projects in the Digitization WorldWell Planned is Half Done: Planning Projects in the Digitization World
Well Planned is Half Done: Planning Projects in the Digitization WorldFlorida State University
 
Using Solr to find the Right Person for the Right Job
Using Solr to find the Right Person for the Right JobUsing Solr to find the Right Person for the Right Job
Using Solr to find the Right Person for the Right JobLucidworks (Archived)
 
The Savage Curtain: Mobile SSL Failures
The Savage Curtain: Mobile SSL FailuresThe Savage Curtain: Mobile SSL Failures
The Savage Curtain: Mobile SSL Failures☠Tony Trummer☠
 
What to do when things go wrong with Drupal
What to do when things go wrong with DrupalWhat to do when things go wrong with Drupal
What to do when things go wrong with DrupalDrupalcampAtlanta2012
 
Inovatie locala, impact global
Inovatie locala, impact globalInovatie locala, impact global
Inovatie locala, impact globalCostin Raiu
 
Building Blockchain Solutions with Algorand Developer Tools
Building Blockchain Solutions with Algorand Developer ToolsBuilding Blockchain Solutions with Algorand Developer Tools
Building Blockchain Solutions with Algorand Developer ToolsRuss Fustino
 
Geek Sync | Successfully Migrating Existing Databases to Azure SQL Database
Geek Sync | Successfully Migrating Existing Databases to Azure SQL DatabaseGeek Sync | Successfully Migrating Existing Databases to Azure SQL Database
Geek Sync | Successfully Migrating Existing Databases to Azure SQL DatabaseIDERA Software
 
Securing Africa - 2009-2010
Securing Africa - 2009-2010Securing Africa - 2009-2010
Securing Africa - 2009-2010Costin Raiu
 
Geek Sync | Azure Cloud & You: First Steps for the DBA
Geek Sync | Azure Cloud & You: First Steps for the DBAGeek Sync | Azure Cloud & You: First Steps for the DBA
Geek Sync | Azure Cloud & You: First Steps for the DBAIDERA Software
 
Keep Calm and Migrate: How to survive a digital content migration
Keep Calm and Migrate: How to survive a digital content migrationKeep Calm and Migrate: How to survive a digital content migration
Keep Calm and Migrate: How to survive a digital content migrationFlorida State University
 
Geek Sync | Database People and DevOps: The Fundamentals
Geek Sync | Database People and DevOps: The FundamentalsGeek Sync | Database People and DevOps: The Fundamentals
Geek Sync | Database People and DevOps: The FundamentalsIDERA Software
 
7 ways of reducing tpm cost
7 ways of reducing tpm cost 7 ways of reducing tpm cost
7 ways of reducing tpm cost TradeInsight
 
Designing a press and swipe type single layered bangla soft keyboard for andr...
Designing a press and swipe type single layered bangla soft keyboard for andr...Designing a press and swipe type single layered bangla soft keyboard for andr...
Designing a press and swipe type single layered bangla soft keyboard for andr...Kaidul Islam
 
The Algorand Blockchain
The Algorand BlockchainThe Algorand Blockchain
The Algorand BlockchainRuss Fustino
 
Advantages & disadvantages of different communication routes
Advantages & disadvantages of different communication routesAdvantages & disadvantages of different communication routes
Advantages & disadvantages of different communication routesShwe Yee
 
Reading Notes : the practice of programming
Reading Notes : the practice of programmingReading Notes : the practice of programming
Reading Notes : the practice of programmingJuggernaut Liu
 

Similar to New Developments in the BREACH attack (20)

MongoDB and MongoMK Source Event
MongoDB and MongoMK Source EventMongoDB and MongoMK Source Event
MongoDB and MongoMK Source Event
 
Well Planned is Half Done: Planning Projects in the Digitization World
Well Planned is Half Done: Planning Projects in the Digitization WorldWell Planned is Half Done: Planning Projects in the Digitization World
Well Planned is Half Done: Planning Projects in the Digitization World
 
DiscoveringDH_ManagingDigitalProjects
DiscoveringDH_ManagingDigitalProjectsDiscoveringDH_ManagingDigitalProjects
DiscoveringDH_ManagingDigitalProjects
 
Using Solr to find the Right Person for the Right Job
Using Solr to find the Right Person for the Right JobUsing Solr to find the Right Person for the Right Job
Using Solr to find the Right Person for the Right Job
 
The Savage Curtain: Mobile SSL Failures
The Savage Curtain: Mobile SSL FailuresThe Savage Curtain: Mobile SSL Failures
The Savage Curtain: Mobile SSL Failures
 
What to do when things go wrong with Drupal
What to do when things go wrong with DrupalWhat to do when things go wrong with Drupal
What to do when things go wrong with Drupal
 
Inovatie locala, impact global
Inovatie locala, impact globalInovatie locala, impact global
Inovatie locala, impact global
 
Building Blockchain Solutions with Algorand Developer Tools
Building Blockchain Solutions with Algorand Developer ToolsBuilding Blockchain Solutions with Algorand Developer Tools
Building Blockchain Solutions with Algorand Developer Tools
 
Geek Sync | Successfully Migrating Existing Databases to Azure SQL Database
Geek Sync | Successfully Migrating Existing Databases to Azure SQL DatabaseGeek Sync | Successfully Migrating Existing Databases to Azure SQL Database
Geek Sync | Successfully Migrating Existing Databases to Azure SQL Database
 
Securing Africa - 2009-2010
Securing Africa - 2009-2010Securing Africa - 2009-2010
Securing Africa - 2009-2010
 
Geek Sync | Azure Cloud & You: First Steps for the DBA
Geek Sync | Azure Cloud & You: First Steps for the DBAGeek Sync | Azure Cloud & You: First Steps for the DBA
Geek Sync | Azure Cloud & You: First Steps for the DBA
 
Keep Calm and Migrate: How to survive a digital content migration
Keep Calm and Migrate: How to survive a digital content migrationKeep Calm and Migrate: How to survive a digital content migration
Keep Calm and Migrate: How to survive a digital content migration
 
Microsoft Cloud Computing
Microsoft Cloud ComputingMicrosoft Cloud Computing
Microsoft Cloud Computing
 
Geek Sync | Database People and DevOps: The Fundamentals
Geek Sync | Database People and DevOps: The FundamentalsGeek Sync | Database People and DevOps: The Fundamentals
Geek Sync | Database People and DevOps: The Fundamentals
 
NodeJS - KNOWARTH
NodeJS - KNOWARTHNodeJS - KNOWARTH
NodeJS - KNOWARTH
 
7 ways of reducing tpm cost
7 ways of reducing tpm cost 7 ways of reducing tpm cost
7 ways of reducing tpm cost
 
Designing a press and swipe type single layered bangla soft keyboard for andr...
Designing a press and swipe type single layered bangla soft keyboard for andr...Designing a press and swipe type single layered bangla soft keyboard for andr...
Designing a press and swipe type single layered bangla soft keyboard for andr...
 
The Algorand Blockchain
The Algorand BlockchainThe Algorand Blockchain
The Algorand Blockchain
 
Advantages & disadvantages of different communication routes
Advantages & disadvantages of different communication routesAdvantages & disadvantages of different communication routes
Advantages & disadvantages of different communication routes
 
Reading Notes : the practice of programming
Reading Notes : the practice of programmingReading Notes : the practice of programming
Reading Notes : the practice of programming
 

More from E Hacking

CEH and Security+ Training Outline - EH Academy
CEH and Security+ Training Outline - EH AcademyCEH and Security+ Training Outline - EH Academy
CEH and Security+ Training Outline - EH AcademyE Hacking
 
Threats against the next billion devices
Threats against the next billion devicesThreats against the next billion devices
Threats against the next billion devicesE Hacking
 
High Definition Fuzzing; Exploring HDMI vulnerabilities
High Definition Fuzzing; Exploring HDMI vulnerabilitiesHigh Definition Fuzzing; Exploring HDMI vulnerabilities
High Definition Fuzzing; Exploring HDMI vulnerabilitiesE Hacking
 
Most Important steps to become a hacker
Most Important steps to become a hackerMost Important steps to become a hacker
Most Important steps to become a hackerE Hacking
 
Penetrating the Perimeter - Tales from the Battlefield
Penetrating the Perimeter - Tales from the BattlefieldPenetrating the Perimeter - Tales from the Battlefield
Penetrating the Perimeter - Tales from the BattlefieldE Hacking
 
Website fingerprinting on TOR
Website fingerprinting on TORWebsite fingerprinting on TOR
Website fingerprinting on TORE Hacking
 
Fuzzing the Media Framework in Android
Fuzzing the Media Framework in AndroidFuzzing the Media Framework in Android
Fuzzing the Media Framework in AndroidE Hacking
 
Stalking a City for Fun and Frivolity" Defcon Talk
Stalking a City for Fun and Frivolity" Defcon TalkStalking a City for Fun and Frivolity" Defcon Talk
Stalking a City for Fun and Frivolity" Defcon TalkE Hacking
 
Hacking Wireless World, RFID hacking
Hacking Wireless World, RFID hackingHacking Wireless World, RFID hacking
Hacking Wireless World, RFID hackingE Hacking
 
Abusing Microsoft Kerberos - Sorry you guys don’t get it
Abusing Microsoft Kerberos - Sorry you guys don’t get itAbusing Microsoft Kerberos - Sorry you guys don’t get it
Abusing Microsoft Kerberos - Sorry you guys don’t get itE Hacking
 
Malicious Domain Profiling
Malicious Domain Profiling Malicious Domain Profiling
Malicious Domain Profiling E Hacking
 
Searching Shodan For Fun And Profit
Searching Shodan For Fun And ProfitSearching Shodan For Fun And Profit
Searching Shodan For Fun And ProfitE Hacking
 
The Machines that Betrayed their Masters
The Machines that Betrayed their MastersThe Machines that Betrayed their Masters
The Machines that Betrayed their MastersE Hacking
 
Detecting Bluetooth Surveillance Systems
Detecting Bluetooth Surveillance SystemsDetecting Bluetooth Surveillance Systems
Detecting Bluetooth Surveillance SystemsE Hacking
 
Unmasking or De-Anonymizing You
Unmasking or De-Anonymizing YouUnmasking or De-Anonymizing You
Unmasking or De-Anonymizing YouE Hacking
 
WhatsApp Chat Hacking/Stealing POC
WhatsApp Chat Hacking/Stealing POCWhatsApp Chat Hacking/Stealing POC
WhatsApp Chat Hacking/Stealing POCE Hacking
 
Building Trojan Hardware at Home
Building Trojan Hardware at HomeBuilding Trojan Hardware at Home
Building Trojan Hardware at HomeE Hacking
 
Social Media Monitoring tools as an OSINT platform for intelligence
Social Media Monitoring tools as an OSINT platform for intelligenceSocial Media Monitoring tools as an OSINT platform for intelligence
Social Media Monitoring tools as an OSINT platform for intelligenceE Hacking
 
LDAP Injections & Blind LDAP Injections Paper
LDAP Injections & Blind LDAP Injections PaperLDAP Injections & Blind LDAP Injections Paper
LDAP Injections & Blind LDAP Injections PaperE Hacking
 
Reversing and Malware Analysis
Reversing and Malware Analysis Reversing and Malware Analysis
Reversing and Malware Analysis E Hacking
 

More from E Hacking (20)

CEH and Security+ Training Outline - EH Academy
CEH and Security+ Training Outline - EH AcademyCEH and Security+ Training Outline - EH Academy
CEH and Security+ Training Outline - EH Academy
 
Threats against the next billion devices
Threats against the next billion devicesThreats against the next billion devices
Threats against the next billion devices
 
High Definition Fuzzing; Exploring HDMI vulnerabilities
High Definition Fuzzing; Exploring HDMI vulnerabilitiesHigh Definition Fuzzing; Exploring HDMI vulnerabilities
High Definition Fuzzing; Exploring HDMI vulnerabilities
 
Most Important steps to become a hacker
Most Important steps to become a hackerMost Important steps to become a hacker
Most Important steps to become a hacker
 
Penetrating the Perimeter - Tales from the Battlefield
Penetrating the Perimeter - Tales from the BattlefieldPenetrating the Perimeter - Tales from the Battlefield
Penetrating the Perimeter - Tales from the Battlefield
 
Website fingerprinting on TOR
Website fingerprinting on TORWebsite fingerprinting on TOR
Website fingerprinting on TOR
 
Fuzzing the Media Framework in Android
Fuzzing the Media Framework in AndroidFuzzing the Media Framework in Android
Fuzzing the Media Framework in Android
 
Stalking a City for Fun and Frivolity" Defcon Talk
Stalking a City for Fun and Frivolity" Defcon TalkStalking a City for Fun and Frivolity" Defcon Talk
Stalking a City for Fun and Frivolity" Defcon Talk
 
Hacking Wireless World, RFID hacking
Hacking Wireless World, RFID hackingHacking Wireless World, RFID hacking
Hacking Wireless World, RFID hacking
 
Abusing Microsoft Kerberos - Sorry you guys don’t get it
Abusing Microsoft Kerberos - Sorry you guys don’t get itAbusing Microsoft Kerberos - Sorry you guys don’t get it
Abusing Microsoft Kerberos - Sorry you guys don’t get it
 
Malicious Domain Profiling
Malicious Domain Profiling Malicious Domain Profiling
Malicious Domain Profiling
 
Searching Shodan For Fun And Profit
Searching Shodan For Fun And ProfitSearching Shodan For Fun And Profit
Searching Shodan For Fun And Profit
 
The Machines that Betrayed their Masters
The Machines that Betrayed their MastersThe Machines that Betrayed their Masters
The Machines that Betrayed their Masters
 
Detecting Bluetooth Surveillance Systems
Detecting Bluetooth Surveillance SystemsDetecting Bluetooth Surveillance Systems
Detecting Bluetooth Surveillance Systems
 
Unmasking or De-Anonymizing You
Unmasking or De-Anonymizing YouUnmasking or De-Anonymizing You
Unmasking or De-Anonymizing You
 
WhatsApp Chat Hacking/Stealing POC
WhatsApp Chat Hacking/Stealing POCWhatsApp Chat Hacking/Stealing POC
WhatsApp Chat Hacking/Stealing POC
 
Building Trojan Hardware at Home
Building Trojan Hardware at HomeBuilding Trojan Hardware at Home
Building Trojan Hardware at Home
 
Social Media Monitoring tools as an OSINT platform for intelligence
Social Media Monitoring tools as an OSINT platform for intelligenceSocial Media Monitoring tools as an OSINT platform for intelligence
Social Media Monitoring tools as an OSINT platform for intelligence
 
LDAP Injections & Blind LDAP Injections Paper
LDAP Injections & Blind LDAP Injections PaperLDAP Injections & Blind LDAP Injections Paper
LDAP Injections & Blind LDAP Injections Paper
 
Reversing and Malware Analysis
Reversing and Malware Analysis Reversing and Malware Analysis
Reversing and Malware Analysis
 

Recently uploaded

Radiant Call girls in Dubai O56338O268 Dubai Call girls
Radiant Call girls in Dubai O56338O268 Dubai Call girlsRadiant Call girls in Dubai O56338O268 Dubai Call girls
Radiant Call girls in Dubai O56338O268 Dubai Call girlsstephieert
 
Chennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts serviceChennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts servicevipmodelshub1
 
Russian Call Girls Thane Swara 8617697112 Independent Escort Service Thane
Russian Call Girls Thane Swara 8617697112 Independent Escort Service ThaneRussian Call Girls Thane Swara 8617697112 Independent Escort Service Thane
Russian Call Girls Thane Swara 8617697112 Independent Escort Service ThaneCall girls in Ahmedabad High profile
 
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...APNIC
 
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝soniya singh
 
Chennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts serviceChennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts servicesonalikaur4
 
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Room
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With RoomVIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Room
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Roomdivyansh0kumar0
 
VIP Call Girls Pune Madhuri 8617697112 Independent Escort Service Pune
VIP Call Girls Pune Madhuri 8617697112 Independent Escort Service PuneVIP Call Girls Pune Madhuri 8617697112 Independent Escort Service Pune
VIP Call Girls Pune Madhuri 8617697112 Independent Escort Service PuneCall girls in Ahmedabad High profile
 
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝soniya singh
 
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip CallDelhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Callshivangimorya083
 
Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝soniya singh
 
Russian Call girls in Dubai +971563133746 Dubai Call girls
Russian Call girls in Dubai +971563133746 Dubai Call girlsRussian Call girls in Dubai +971563133746 Dubai Call girls
Russian Call girls in Dubai +971563133746 Dubai Call girlsstephieert
 
Challengers I Told Ya ShirtChallengers I Told Ya Shirt
Challengers I Told Ya ShirtChallengers I Told Ya ShirtChallengers I Told Ya ShirtChallengers I Told Ya Shirt
Challengers I Told Ya ShirtChallengers I Told Ya Shirtrahman018755
 
VIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With Room
VIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With RoomVIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With Room
VIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With Roomdivyansh0kumar0
 
VIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls Kolkata
VIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls KolkataVIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls Kolkata
VIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls Kolkataanamikaraghav4
 
Networking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOGNetworking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOGAPNIC
 
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...Diya Sharma
 
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girl
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call GirlVIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girl
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girladitipandeya
 

Recently uploaded (20)

Radiant Call girls in Dubai O56338O268 Dubai Call girls
Radiant Call girls in Dubai O56338O268 Dubai Call girlsRadiant Call girls in Dubai O56338O268 Dubai Call girls
Radiant Call girls in Dubai O56338O268 Dubai Call girls
 
Chennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts serviceChennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts service
 
Russian Call Girls Thane Swara 8617697112 Independent Escort Service Thane
Russian Call Girls Thane Swara 8617697112 Independent Escort Service ThaneRussian Call Girls Thane Swara 8617697112 Independent Escort Service Thane
Russian Call Girls Thane Swara 8617697112 Independent Escort Service Thane
 
Rohini Sector 22 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 22 Call Girls Delhi 9999965857 @Sabina Saikh No AdvanceRohini Sector 22 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 22 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
 
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
 
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝
 
Chennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts serviceChennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts service
 
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Room
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With RoomVIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Room
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Room
 
VIP Call Girls Pune Madhuri 8617697112 Independent Escort Service Pune
VIP Call Girls Pune Madhuri 8617697112 Independent Escort Service PuneVIP Call Girls Pune Madhuri 8617697112 Independent Escort Service Pune
VIP Call Girls Pune Madhuri 8617697112 Independent Escort Service Pune
 
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝
 
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip CallDelhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
 
Call Girls In South Ex 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SERVICE
Call Girls In South Ex 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SERVICECall Girls In South Ex 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SERVICE
Call Girls In South Ex 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SERVICE
 
Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝
 
Russian Call girls in Dubai +971563133746 Dubai Call girls
Russian Call girls in Dubai +971563133746 Dubai Call girlsRussian Call girls in Dubai +971563133746 Dubai Call girls
Russian Call girls in Dubai +971563133746 Dubai Call girls
 
Challengers I Told Ya ShirtChallengers I Told Ya Shirt
Challengers I Told Ya ShirtChallengers I Told Ya ShirtChallengers I Told Ya ShirtChallengers I Told Ya Shirt
Challengers I Told Ya ShirtChallengers I Told Ya Shirt
 
VIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With Room
VIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With RoomVIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With Room
VIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With Room
 
VIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls Kolkata
VIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls KolkataVIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls Kolkata
VIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls Kolkata
 
Networking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOGNetworking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOG
 
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
 
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girl
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call GirlVIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girl
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girl
 

New Developments in the BREACH attack

  • 1. • Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level Practical New Developments in the BREACH Attack Dimitris Karakostas Dionysis Zindros
  • 2. • Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level HTTPS is broken • BREACH broke HTTPS + RC4 in 2013 • People upgraded to AES – thought they were safe Today... • We show TLS + AES is still broken • HTTPS can be decrypted - quick and easy • We launch open source tool to do it here in Singapore
  • 3. • Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level Overview • BREACH review • Our contributions • Statistical attacks • Attacking block ciphers • Attacking noise • Optimization techniques • Our tool: Rupture • Mitigation recommendations
  • 4. • Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level Original BREACH research Introduced in Black Hat USA 2013 Yoel GluckAngelo Prado Neal Harris
  • 5. • Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level BREACH attack anatomy
  • 6. • Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level
  • 7. • Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level Original BREACH assumptions Target website: • Uses HTTPS • Compresses response using gzip • Uses stream cipher • Response has zero noise • Contains end-point that reflects URL parameter
  • 8. • Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level Original BREACH target 1. Steal secret in HTTPS response (CSRF tokens) 2. Use CSRF to impersonate victim client to victim server
  • 9. • Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level Length leaks |E(A)| < |E(B)| ⇔ |A| < |B|
  • 10. • Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level Let’s attack Gmail • m.gmail.com mobile Gmail view • Mobile search functionality uses HTTP POST – but HTTP GET still works :) • CSRF token included in response – valid for all of Gmail
  • 11. • Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level Noise Reflection Secret
  • 12. • Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level • Attacker guesses part of secret • Uses it in reflection • Compressed/encrypted response is shorter if right!
  • 13. • Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level Original BREACH methodology • Guess part of secret and insert into reflection • Match? → Shorter length due to compression • No match? → Longer length • Bootstrap by guessing 3-byte sequence • Extend one character at a time • O(n|Σ|) complexity • n: length of secret • Σ: alphabet of secret
  • 14. • Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level Can we really attack Gmail? • Uses AES • Has random bytes in response
  • 15. • Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level Our contributions
  • 16. • Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level Our contributions We extend the BREACH attack 1. Attack noisy end-points 2. Attack block cipher end-points 3. Optimize attack 4. Propose novel mitigation techniques The whole web is vulnerable
  • 17. • Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level Statistical methods
  • 18. • Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level Statistical methods • We can attack noisy end-points • Multiple requests per alphabet symbol • Take mean response length • m-sized noise → attack works in O(n|Σ|√m) • m = (max response size) - (min response size) • Length converges to correct results (LLN)
  • 19. • Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level Statistical methods against block ciphers • Everyone uses block ciphers • Statistical methods break them • We introduce artificial noise • Block ciphers round length to 128-bits • In practice 16x more requests • Blocks aligned → Length difference measurable
  • 20. • Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level Experimental results • AES_128 is vulnerable • Popular web services are vulnerable: • Gmail • Facebook • etc.
  • 21. • Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level Optimizations
  • 22. • Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level Optimizations overview Block ciphers cause 16x slowdown. We need to optimize. • Divide and conquer: 6x speed-up • Request soup: 16x speed-up • Browser parallelization: 6x speed-up Total ~ 500x speed-up!
  • 23. • Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level Optimization: Divide & Conquer • Each request tries multiple candidates from alphabet • Partition alphabet using divide-and-conquer • Binary search on alphabet partitions • Reduces attack complexity from O(n|Σ|) to O(n lg|Σ|) • Practically this gives 6x speed-up
  • 24. • Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level Binary search in alphabet space
  • 25. • Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level Optimization: Request soup Problem: • Need 16x samples for block ciphers • But we only need the length mean Solution: • Responses come pipelined, can’t tell them apart • We don’t care! Measure total length • Divide by amount, extract mean
  • 26. • Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level Optimization: Browser parallelization • Do 6x parallel requests; browsers support it • Each parallel request cannot adapt based on previous • But we need many samples of same candidates anyway • No need to adapt before we collect enough
  • 27. • Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level RUPTURE
  • 28. • Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level Today, we make BREACH easy • Over the past months, we’ve developed rupture • Today in Black Hat Asia 2016, we make it open source https://github.com/dionyziz/rupture ruptureit.com
  • 29. • Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level Rupture • Extensible • Modular analysis / optimizations / strategies • Experiment with your own • General web attack framework • Can be adapted to work for CRIME, POODLE, … • Persistent command & control channel • Scalable architecture: Multiple attacks simultaneously • Come help us make it better
  • 30. • Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level
  • 31. • Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level Robust, persistent command & control • Automatically inject JS to HTTP • All plaintext connections infected • One tab at a time gets work from C&C server • User closes tab? Different tab starts attacking • User switches browsers? Works on different browser • Data collection failed for a sample? Sample recollected • User reboots computer? Attack continues
  • 32. • Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level Persistent attack data storage • Collected data processed by Django middleware • Attack historical data stored permanently in MySQL db • Future analysis with new techniques possible
  • 33. • Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level Rupture demo
  • 34. • Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level Mitigation
  • 35. • Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level First-party cookies • Don’t send auth cookies cross-origin • Backwards compatibility: Web server opts-in • Mike West implemented it in Chrome 51 • Coming April 8th Set-Cookie: SID=31d4d96e407aad42; First-Party
  • 36. • Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level Key takeaways 1. HTTPS + gzip = broken 2. Rupture framework is live – attacks are easy 3. Enable first-party cookies on your web app
  • 37. • Click to edit Master text styles — Second level • Third level — Fourth level » Fifth level Thank you! Questions? twitter.com/dionyziz 45DC 00AE FDDF 5D5C B988 EC86 2DA4 50F3 AFB0 46C7 github.com/dimkarakostas DF46 7AFF 3398 BB31 CEA7 1E77 F896 1969 A339 D2E9