Is the complexity of a BREACH attack low?

Would you say that the BREACH attack has low complexity even after considering all the required conditions for it to be successful?

Conditions:

  • Server with gzip/deflate enabled.
  • Responses which contain part of the request (reflected text).
  • A victim’s response containing a secret (token, cookie, etc…)
  • Around 1000 additional requests to the server in order to decrypt the victim’s response.

Seems to be low according to NVD:

CVE-2015-2206

However, in my opinion, it’s High

I am inclined to think that the complexity which is evaluated there is that of acquiring the error responses with the CSRF token and not the one associated with performing the BREACH attack.

1 Like

The BREACH attack itself is easy to reproduce having the needed conditions but it’s not practical in terms that to get a valuable result, the expected complexity is O(n*f) where n is the length of the secret and f is the set of characters that the secret uses.

TL;DR For me it has high complexity.

2 Likes

@hardcore-shaw @wizardly-knuth, could you please elaborate your opinion in terms of CVSSv3 criteria?

According to CVSSv3.1 for the complexity (AC) of high level it “requires the attacker to invest in some measurable amount of effort in preparation or execution against the vulnerable component before a successful attack can be expected.”
And since various requests are needed (execution effort) to be successful, then BREACH attack will be High.

2 Likes