Product
Features API Security Testing GraphQL Security Testing DevSecOps Compliance Cosmog: Private Tunnel WordPress Security Testing OWASP Security Testing Free Security Testing
Solutions
Pricing
Free tools
Website Security Assessment SSL Certificate Checker Domain Expiry Checker
Resources
Blog Developer Docs Help Center Guides Whitepapers Vulnerability Index Partners
Product tour
Blog Home
02 Jul 2018

SSL Compression Methods

02 Jul 2018
OWASP 2013-A9 OWASP 2017-A9 OWASP 2021-A6 PCI v3.2-6.5.4 OWASP PC-C1 CAPEC-217 CWE-310 HIPAA-164.306 ISO27001-A.14.1.2 WASC-13 WSTG-CRYP-01

Compression methods are algorithms used to compress stored files. Data are compressed to achieve the best storage capacity from the server. Compression also helps in transmitting data in compressed form to consume fewer data. There are mainly two types of compression methods:-

  • Lossless: The lossless compression helps to reconstruct the original data from the compressed data.
  • Lossy: The lossy compression reconstructs nearly perfect original data using assumptions and improved compression rate. This compression technology helps to reduce the size of the output file.

Compression helps to reduce data usage. But, compressed data are vulnerable to many attacks. Compression methods are the easiest for exploiting sensitive information. These compression methods are vulnerable to attacks like:-

  • Compression Ratio Info-leak Made Easy (CRIME) attacks: The CRIME is a client-side attack that exploits the compression methods used in the web cookies to extract sensitive information like session cookie and many more.

  • BREACH attacks and many more.

The TLS (Transport Layer Security) protocol includes some features that negotiate selection of a lossless data compression method as part of the TLS Handshake. The protocol can then apply the algorithm associated with the selected method as part of the TLS Record Protocol. The TLS protocol defines one standard compression method which specifies that data exchanged via the record protocol will not be compressed.

Impact

The impact include:-

  • Loss of sensitive information. The attacker can steal sensitive information from the communication channel.
  • Breach attacks

Mitigation / Precaution

Beagle recommends the following fixes:-

  • Avoid the use of compression methods on the client sides. The following browsers won’t support compression:-
    • Internet Explorer (All versions)
    • Google Chrome ( ver 21.0.1180.89 and above)
    • Firefox (ver 15.0.1 and above)
    • Opera (ver 12.01 and above)
    • Safari (ver 5.1.6 and above)
  • Disable use of compression techniques on the server. For Apache users, go to server config.
		SSLCompression off

PRODUCT TOUR






Latest Articles

IMAP/SMTP injection
September 12 2023
7 limitations of vulnerability scanners
September 10 2023
Clickjacking attack
September 10 2023
Session Fixation Attack
July 30 2023
Vulnerability management using AI
June 29 2023

Explore morearrow



Popular in Injection

WordPress Authenticated SQL Injection
June 29 2022
SQL injection(SQLi)
May 4 2022
Union Query SQL Injection (SQLi)
July 4 2018
Stacked Queries SQL Injection (SQLi)
July 4 2018
Inline Queries SQL Injection (SQLi)
July 4 2018

Explore morearrow

Categories

Client Side URL Redirect Cookies Attributes IBM SQL Injection Injection Time Based Blind SQL Injection SSL CRLF Content Security Policy CSRF HSTS CORS Information Leakage status code SRI metadata X-XSS-Protection owasp XSS Clickjacking Cookies Directory traversal DOM XSS Blind SQL Injection XML Injection blog TLS WordPress web security SMB Cyber attacks AI Web server Data Security DOMECTF2020 Container security CMS Security Code Execution Htaccess Bypass DOMECTF2021 Press Webinar RFI DevSecOps DOMECTF2022 openssl HTTP headers Compliance AppSec

Latest Articles

Explore More
7 limitations of vulnerability scanners
AppSec
7 limitations of vulnerability scanners
10 Sep 2023
Clickjacking attack
Clickjacking
Clickjacking attack
10 Sep 2023
Session Fixation Attack
Session Fixation Attack
30 Jul 2023
Vulnerability management using AI
AI
Vulnerability management using AI
29 Jun 2023
Benefits of credentialed scans
AppSec
Benefits of credentialed scans
25 Jun 2023
Why DAST should be the cornerstone of your application security program?
AppSec
Why DAST should be the cornerstone of your application security program?
30 May 2023
Email injection attack: Impact, example & prevention
Email injection attack: Impact, example & prevention
24 Mar 2023
What are the common REST API security vulnerabilities?
AppSec
What are the common REST API security vulnerabilities?
08 Mar 2023
The 7 Best Veracode Alternatives in the Market Today
AppSec
The 7 Best Veracode Alternatives in the Market Today
06 Feb 2023
DAST vs SAST: What are the differences and how to combine them
web security
DAST vs SAST: What are the differences and how to combine them
26 Jan 2023
Internal Penetration Testing: The Definitive Guide [2023]
Internal Penetration Testing: The Definitive Guide [2023]
19 Jan 2023
The Role of Bug Tracking in Ensuring Your Web Application's Security
web security
The Role of Bug Tracking in Ensuring Your Web Application's Security
11 Jan 2023
What is continuous penetration testing? Benefits & implementation
web security
What is continuous penetration testing? Benefits & implementation
04 Jan 2023
Personal Data Protection bill explained with seven expert opinions
Compliance
Personal Data Protection bill explained with seven expert opinions
28 Dec 2022
Crucial Components for a Web Application Security Assessment
web security
Crucial Components for a Web Application Security Assessment
19 Dec 2022
Access Control Request Headers
HTTP headers
Access Control Request Headers
11 Dec 2022
XML Injection
XML Injection
XML Injection
06 Dec 2022
Top Black Friday and Cyber Monday SaaS Deals [2022]
Top Black Friday and Cyber Monday SaaS Deals [2022]
21 Nov 2022
Patch released for the critical OpenSSL vulnerability (CVE-2022-3602 & CVE-2022-3786)
openssl
Patch released for the critical OpenSSL vulnerability (CVE-2022-3602 & CVE-2022-3786)
02 Nov 2022
Beagle Security is now a CERT-In Empaneled Information Security Audit Provider
Press
Beagle Security is now a CERT-In Empaneled Information Security Audit Provider
29 Sep 2022
DomeCTF 2022
DOMECTF2022
DomeCTF 2022
26 Sep 2022
How CISCO got Attacked by Yanluowang Ransomware Gang
Cyber attacks
How CISCO got Attacked by Yanluowang Ransomware Gang
18 Aug 2022
Zero-Day Vulnerabilities in Web Applications
web security
Zero-Day Vulnerabilities in Web Applications
18 Jul 2022
How DevSecOps is a Key Enabler for Digital Transformation
DevSecOps
How DevSecOps is a Key Enabler for Digital Transformation
10 Jul 2022
OWASP top ten 2017
owasp
OWASP top ten 2017
04 Jul 2022
External redirection
External redirection
02 Jul 2022
Explore More