BREACH attack
Published Aug 09, 2013
Version 1.0
1. Add an iRule which hooks HTTP_REQUEST and HTTP_RESPONSE. On HTTP_RESPONSE the iRule should prepend a timestamp to the value element of each Set-Cookie header the webserver sends, and on HTTP_REQUEST the iRule should remove that timestamp (if present [fn1]) from each value in an incoming Cookie header. The reason for all this is just to make sure the values differ from one request/response to another.
2. Enable 'Encrypt Cookies' in the HTTP Profile for all the cookies. Since the cookies will differ per Step 1, they will be encrypted to different "random-looking" values on each response/request. This completely stymies BEAST-like attacks.
[fn1] Some web applications expect JavaScript to read or write cookies. Such behaviour may be incompatible with the LTM modifying and/or encrypting cookie contents (even though the changes are temporary and invisible to the webserver).
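The two steps above, written out as an iRule. This is an added example, not code from the original article or from F5: the timestamp-prefix format ("<milliseconds>~<original value>") and the use of a plain regexp to recognise and strip it are assumptions of this example, and the BIG-IP HTTP profile attached to the virtual server is assumed to have Encrypt Cookies enabled for the application's cookie names so that the prefixed plaintext is what gets encrypted on the way out and decrypted on the way back in.

```tcl
# Added example iRule (not from the original article). Assumes an HTTP profile with
# Encrypt Cookies enabled for the cookies the application sets.

when HTTP_RESPONSE {
    # Prefix every Set-Cookie value with a millisecond timestamp so the plaintext
    # handed to cookie encryption differs from one response to the next.
    # Separator "~" and the prefix layout are assumptions of this example.
    set stamp [clock clicks -milliseconds]
    foreach name [HTTP::cookie names] {
        set value [HTTP::cookie value $name]
        HTTP::cookie value $name "${stamp}~${value}"
    }
}

when HTTP_REQUEST {
    # Strip the prefix only if it is present (see fn1: a client-side script may
    # have written a cookie that never passed through HTTP_RESPONSE), so the
    # webserver always sees the original value it set.
    foreach name [HTTP::cookie names] {
        set value [HTTP::cookie value $name]
        if { [regexp {^[0-9]+~(.*)$} $value -> original] } {
            HTTP::cookie value $name $original
        }
    }
}
```

Two practical notes. First, the regexp treats any value beginning with digits and the separator as prefixed, so if an application legitimately sets cookie values in that shape, choose a separator (or a longer sentinel) that cannot collide with it. Second, if the profile's cookie encryption in a given software version does not run after this iRule on the response and before it on the request, the same effect can be obtained inside the iRule with the HTTP::cookie encrypt and HTTP::cookie decrypt commands, applied to the prefixed value in HTTP_RESPONSE and before the strip in HTTP_REQUEST.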