BREACH over HEIST - Dangerous New Attack Vector Against HTTPS - Released 3rd of August - Black Hat USA 2016

BREACH over HEIST

Is a new attack vector recently made public at Black Hat USA 2016 conference in Las Vegas on Wednesday 3rd of August 2016

HEIST is a new set of techniques that when combined together with BREACH makes for a pretty serious browser based vulnerability against webpages protected with Secure Socket Layer(SSL) or Transport Layer Security(TLS). This attack take advantage of commonly used compression algorithms and the ability to inject arbitrary data into their responses (generally known as a reflective endpoint).

The new HEIST attack teams up with an existing attack to brute force secret information inside HTTPS responses and does so all within your browser via JavaScript. All that is required is you have cookies enabled and an authenticated session to the target web service. This attack can be launched by browsing to a site hosting a malicious script or site hosting a malicious advertisement.

Data stolen from this attack can be Social Security Numbers, Email addresses, other sensitive information and even session tokens allowing for complete account compromise on targeted web service.

This type of attack has previously only been possible from a Man in The Middle position as it requires the ability to monitor and manipulate the traffic. Not any more!

HEIST - HTTP Encrypted Information can be Stolen Through TCP-Windows

Discovered by Mathy Vanhoef & Tom Van Goethem PhD Researcher's at KU Leuven

"Resource Timing" and "Fetch" are new JavaScript APIs that have recently been approved. These new calls allow for developers to request and retrieve information and indirectly determine the size of the HTTP response.

HEIST is a set of techniques that allows an attacker to carry out attacks against SSL/TLS purely in the browser. With HEIST it becomes possible to exploit certain flaws in network protocols without having to sniff actual traffic. HEIST abuses weaknesses in the browser, and the underlying HTTP, SSL/TLS, and TCP layers. A side-channel attack that leaks the exact size of any cross-origin response. This side-channel abuses the way responses are sent at the TCP level. Combined with the fact that SSL/TLS lacks length-hiding capabilities, HEIST can directly infer the length of the plaintext message. This means that compression-based attacks such as CRIME and BREACH can now be performed purely in the browser, by any malicious website or script, without requiring network access. This length-exposing attacks can be used to obtain sensitive information from unwitting victims by abusing services on popular websites.

HEIST is a set of novel attack techniques that brings network-level attacks to the browser, posing an imminent threat to our online security and privacy.

Further Information

If you would like further information on this attack you can view the slide from the recent presentation at Blackhat USA or see the whitepaper linked below

Slides -- Whitepaper

BREACH - Browser Reconnaissance and Exfiltration via Adaptive Compression of Hypertext

Discovered by: Angelo Prado, Neal Harris and Yoel Gluck.

Based off the CRIME attack which only exploited SPDY request compression and TLS compression. BREACH is an instance of the CRIME attack against HTTP compression—the use of gzip or DEFLATE data compression algorithms via the content-encoding option within HTTP by many web browsers and servers. BREACH performs an initial blind brute-force search to guess a few bytes, followed by divide-and-conquer search to expand a correct guess to an arbitrarily large amount of content.

New Implementation of BREACH

By: Dionysios Zindros & Dimitris Karakostas
The original implementation of attack is most effective when the response from the web service did not implement any extra 'noise'. Noise is the addition of randomly generated characters to decrease the effectiveness of these attacks. New implementations of BREACH also demonstrated this year show methods of cutting down noise and producing consistent results by actually injecting artificial noise and making multiple attempts at the same brute-force candidate(guess) to statistically determine the brute-force candidate's validity.

The optimisation mentioned above were also packaged with a new method of preforming these attacks as depicted below

Attack Summary

The user visits a malicious webpage or webpage hosting a malicious advertisement; upon loading the webpage HEIST's malicious code is executed locally in your browser and HEIST begins making requests to specific Secure Socket Layer(SSL) or Transport Layer Security(TLS) protected webpages (banks, gmail, healthcare etc..) via the JavaScript 'fetch' method as shown below

This calls fetch(), instructs the browser to submit the user's login cookie and to use a standard HTTP GET call to fetch the foo page. When using HEAD, GET or POST, the JavaScript code is not allowed to see the encrypted page returned by the website for security reasons.

fetch() is an asynchronous communication, it returns a Promise object that triggers a callback as soon as the first byte is received from the server. Then using performance.getEntries() it is possible to find out when the last byte was received. The JavaScript code is not allowed to know how much data is returned, in terms of the number of bytes and therefore rely's on TCP-Window timing to judge how large a response is.

The size of the initial response is analysed and recorded. Subsequent requests are made but these subsequent requests include brute-force guesses at the secret information. These guesses are made via a reflective endpoint and gets echoed in the response (meaning the attacker can provide arbitrary data that will be returned in the response).

Injecting arbitrary data and exploiting the compression being used on the HTTPS responses if the guess is right the response will not grow in size as the arbitrary data being guessed already exist in the encrypted response and therefore the size of the response does not change; conversely a larger response than the initial response would suggest that this guess was incorrect and the script would attempt the next letter; this process is attempted continuously until the whole secret is exposed.

Upon discovery of the secret information the JavaScript code ex-filtrates the data to hackers server and the attack is complete.

Countermeasures

Mathy Vanhoef & Tom Van Goethem have said that the only way to protect against HEIST is to disable third-party cookies. Disabling third-party cookies would prevent HEIST's fetch() call from authenticating with the raided webpage.
Disabling JavaScript completely would also be effective against this attack although would most likely have a larger impact than disabling 3rd party cookies.