At the recent Black Hat 2013 conference, several researchers described an attack against HTTPS in which an attacker can discover data sent by a Web server even though it is encrypted. All the attacker needs is a way to send requests via the victim’s browser and measure the size of the resulting response.
A website is potentially vulnerable if it does all of the following:
– Serves HTTPS responses with HTTP compression enabled.
– Reflects data supplied by the user in the response body.
– Includes, in that same response, sensitive data that does not change from request to request, such as a CSRF token or personally identifiable information.
This attack is serious enough that the Department of Homeland Security has issued a note describing it and how to mitigate it.
There are several ways to prevent the attack, for example by changing the Web server configuration to disable compression or by changing the Web application itself. However, with the many advanced features of NetScaler's Application Firewall (AppFw), this attack can be completely prevented simply by turning on CSRF tagging. This adds a dynamically changing, unpredictable value to all forms sent to the user. The Application Firewall verifies the value in any request sent by the user and drops the request if it is not present. Because the attacker cannot forge the CSRF tag, the attacker's requests are dropped by the Application Firewall before the server produces a response that reflects them, which denies the attacker the response-size measurements needed to recover the sensitive information sent by the server.
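The following example, added here and not taken from the post or from NetScaler's own code, shows why the three conditions above combine into a leak and how the two mitigations remove it. It builds a constructed toy page that reflects a query parameter and carries a static token, measures the compressed body size for a reflected string that does or does not match the token (the size oracle used by the attack publicly known as BREACH), then shows that the size difference disappears when compression is off and that a simplified CSRF-tag filter (an assumed model, not AppFw's implementation) answers untagged requests with a fixed page so no reflected, compressed response is ever generated. All tokens and page contents are constructed values.

```python
import secrets
import zlib

# Constructed sample values for this demonstration; not taken from any real site.
STATIC_SECRET = "csrf=7f3a9c2e"   # the "sensitive data that does not change"
BLOCKED = b"<html><body>403 request blocked</body></html>"  # fixed size, nothing reflected


def render(reflected: str, secret: str = STATIC_SECRET) -> bytes:
    """Toy page that meets all three conditions: it reflects user input and
    carries a static secret in the same response body."""
    return (
        "<html><body>"
        f"<p>You searched for: {reflected}</p>"
        f"<form><input type='hidden' name='token' value='{secret}'></form>"
        "</body></html>"
    ).encode()


def wire_size(body: bytes, compress: bool = True) -> int:
    """Response size visible on the network (TLS hides content, not length).
    With compression on, the body is DEFLATE-compressed as gzip would do."""
    return len(zlib.compress(body, 6)) if compress else len(body)


def size_leak(correct_guess: str, wrong_guess: str, compress: bool = True) -> int:
    """Bytes saved when the reflected input matches the secret. A positive
    value is the side channel: the match is confirmed by size alone."""
    return wire_size(render(wrong_guess), compress) - wire_size(render(correct_guess), compress)


class CsrfTagFirewall:
    """Simplified model of CSRF tagging in front of the application (an assumed
    design, not NetScaler's implementation): every form gets an unpredictable
    tag, and a request without a tag this firewall issued is answered with a
    fixed page and never reaches the application."""

    def __init__(self) -> None:
        self._issued = set()

    def tag_form(self) -> str:
        tag = secrets.token_hex(16)   # dynamically generated, unguessable
        self._issued.add(tag)
        return tag

    def handle(self, params: dict) -> bytes:
        if params.get("_tag") not in self._issued:
            return BLOCKED
        return zlib.compress(render(params.get("q", "")), 6)


def served_page(resp: bytes) -> bytes:
    """Inflate a response from the firewall, as the browser does for gzip."""
    return zlib.decompress(resp)


if __name__ == "__main__":
    print("compressed leak      :", size_leak("csrf=7f3a9c2e", "csrf=1b9e4d6c"))
    print("uncompressed leak    :", size_leak("csrf=7f3a9c2e", "csrf=1b9e4d6c", compress=False))
    fw = CsrfTagFirewall()
    probe_hit = fw.handle({"q": "csrf=7f3a9c2e"})    # cross-site request, no tag
    probe_miss = fw.handle({"q": "csrf=1b9e4d6c"})
    print("leak behind CSRF tags:", len(probe_miss) - len(probe_hit))
```

With compression on, the response that reflects the matching string is several bytes smaller, because DEFLATE replaces the second copy of the token with a back-reference; with compression off, both responses have the same length and nothing is learned. Behind the tag filter, both attacker-induced requests receive the identical fixed page, while a request carrying a tag the firewall issued is served normally.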