In this hands-on talk, we will introduce new targeted techniques and research that allows an attacker to reliably retrieve encrypted secrets (session identifiers, CSRF tokens, OAuth tokens, email addresses, ViewState hidden fields, etc.) from an HTTPS channel. We will demonstrate this new browser vector is real and practical by executing a PoC against a major enterprise product in under 30 seconds. We will describe the algorithm behind the attack, how the usage of basic statistical analysis can be applied to extract data from dynamic pages, as well as practical mitigations you can implement today. We will also describe the posture of different SaaS vendors vis-à-vis this attack. Finally, to provide the community with ability to build on our research, determine levels of exposure, and deploy appropriate protection, we will release the BREACH tool.
Angelo Prado is a Lead Product Security Engineer at Salesforce.com. He has worked as a software and security engineer for Microsoft and Motorola. Angelo has been involved with the security community for over 8 years, and he has spoken at Georgetown University (Washington, D.C.), Comillas University (Madrid) and Coruña University (Galicia, Spain). Angelo holds a Master's degree in Computer Science from Universidad Pontificia Comillas, Madrid and has also attended University of Illinois at Urbana-Champaign. His passions & research include web application security, windows security, browsers, malware analysis and Spanish Jamón.
While studying pure math in school, I dipped my toes into the world of security by spending summers doing cryptanalysis. After stumbling through a PhD at UC San Diego, I left academia to pursue a full-time career breaking things, and helping developers make things that are harder to break.
Yoel Gluck is a security researcher with 12 years of experience in the industry. He is currently a Lead Product Security Engineer at Salesforce.com. Yoel graduated from Bar-Ilan Unisversity (Israel) with a B.Sc in Computer Science and Math. Using his experience as a software engineer, he attempts to break applications by analyzing developer design patterns. His research areas include web application, network, virtualization, encryption, and email security. When he's not busy analyzing security risks, he enjoys spending time with his two-year-old daughter.