BREACH: SSL, Gone in 30 seconds

Expo Theatre (Hall G) October 22, 2013

Yoel Gluck
Angelo Prado

In this hands-on talk, we will introduce new targeted techniques and research that enable an attacker to reliably retrieve encrypted secrets (session identifiers, CSRF tokens, OAuth tokens, email addresses, ViewState hidden fields, etc.) from an HTTPS channel. We will demonstrate that this new compression oracle is real and practical by executing a PoC against a major enterprise product in under 30 seconds – from any modern browser or even an email client. We will describe the algorithms behind the attack, how basic statistical analysis can be applied to extract data from dynamic pages, and practical mitigations. Finally, to provide the community with the ability to build on our research, determine levels of exposure, and deploy appropriate protection, we will release the BREACH tool.