Probably the most interesting characteristic of this vulnerability is that it removes the need for a “man-in-the-middle” position. Until now, compression-based attacks such as CRIME and BREACH required the attacker to sit in the traffic path between the web server and the end user so that they could observe (and manipulate) the victim's traffic; HEIST instead measures response sizes from JavaScript running in the victim's own browser. One of the researchers who discovered this exploit put it like this: “Before, the attacker needed to be in a Man-in-the-Middle position to perform attacks such as CRIME and BREACH. Now, by simply visiting a website owned by a malicious party, you are placing your online security at risk.”
The most damaging use of HEIST is to exploit BREACH, which lets the attacker read out CSRF tokens. Depending on the functionality the website offers, knowing the CSRF token could let the attacker take over the victim's account completely.
The simple solution to all this is to tell users to never visit a website owned by a malicious party, right? Yeah, right. So, what can you do to mitigate this vulnerability?
Fortunately, the BIG-IP offers several countermeasures that help protect against HEIST. Because HEIST relies on compression attacks like CRIME and BREACH, the first countermeasure is to disable HTTP compression on pages that reflect user input, since those are the responses the attack needs to measure. Static content can still be compressed.
Next, configure your BIG-IP ASM for CSRF protection. One of the ways BIG-IP ASM mitigates CSRF attacks is by adding a random CSRF token to every URL. For example, if an HTML response page contains the following URI reference:
The BIG-IP ASM (with CSRF protection enabled) will rewrite the URI reference to appear similar to the following:
An attacker cannot guess this token in advance, so a request forged from another site will not carry the right one, which makes the CSRF attack almost impossible.
The BIG-IP ASM also has a domain cookie protection feature. If an attacker were to use HEIST (or some other exploit) to obtain the authentication cookie, they would also need the rotating ASM cookie, which contains a signature of all the other cookies; an authentication cookie presented without a matching signature is not enough on its own.
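The principle behind that feature, as an added Python example written for this page (it is not F5's code and does not reproduce how BIG-IP ASM actually formats or rotates its cookie): the server adds one extra cookie holding an HMAC over every other cookie it issued. The cookie name `SIG`, the key, the lifetime and the expiry-based stand-in for rotation are all assumptions made for the demo. A stolen session cookie replayed on its own, a jar with the session value swapped, and a jar replayed after the signature's lifetime are all rejected.

```python
import hashlib
import hmac
import json
import time

# Constructed server-side secret; never sent to the browser.
SERVER_KEY = b"constructed-32-byte-demo-key-000"
SIG_COOKIE = "SIG"   # hypothetical name for the signature cookie
LIFETIME = 300       # seconds a signature stays valid (hypothetical rotation)


def _payload(cookies: dict, expires: int) -> bytes:
    """Canonical bytes covered by the MAC: every other cookie plus the
    expiry, so neither can be changed without invalidating the signature."""
    return json.dumps(cookies, sort_keys=True).encode() + b"|" + str(expires).encode()


def sign_cookies(cookies: dict, key: bytes = SERVER_KEY, now=None) -> dict:
    """Return the cookie jar with an added, short-lived signature cookie."""
    now = time.time() if now is None else now
    expires = int(now) + LIFETIME
    mac = hmac.new(key, _payload(cookies, expires), hashlib.sha256).hexdigest()
    return {**cookies, SIG_COOKIE: f"{expires}.{mac}"}


def verify_cookies(jar: dict, key: bytes = SERVER_KEY, now=None) -> bool:
    """True only if the jar carries an unexpired signature that matches
    every other cookie exactly as presented."""
    now = time.time() if now is None else now
    sig = jar.get(SIG_COOKIE)
    if sig is None:
        return False
    expires_str, _, mac = sig.partition(".")
    if not expires_str.isdigit() or int(expires_str) <= now:
        return False
    others = {k: v for k, v in jar.items() if k != SIG_COOKIE}
    expected = hmac.new(key, _payload(others, int(expires_str)),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, mac)


def demo() -> dict:
    """Four presentations of the same issued jar; only the genuine one passes."""
    issued = sign_cookies({"session": "s3ss10n", "lang": "en"}, now=1_000)
    return {
        "legit": verify_cookies(issued, now=1_100),
        "session_only": verify_cookies({"session": issued["session"]}, now=1_100),
        "swapped_session": verify_cookies({**issued, "session": "other"}, now=1_100),
        "replayed_late": verify_cookies(issued, now=2_000),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:16s} accepted={ok}")
```

The key stays on the server, so a browser-side leak of any individual cookie value does not let the attacker mint a valid `SIG`; the attacker has to capture the signature cookie as well, and in this design it stops being useful once its expiry passes.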
It’s a scary world out there, but it’s a little less scary when the BIG-IP is protecting your critical web applications!