Testing BREACH attack using BURP SUITE

The objective of this post is NOT to explain what the BREACH attack is. I believe there are n number of blogs/posts where you can learn about it in depth. The only purpose is to share the steps that we should keep in mind while testing our web applications for this vulnerability using Burp Suite.

What I have seen in the past is that many new pen-testers make mistakes while testing for this issue. So I have created an application (both vulnerable and secure) to demonstrate the steps in a very simple and basic way.

As we all know, there are three conditions that must be true for an application to be vulnerable to the BREACH attack. These conditions are:-

“Content-Encoding: gzip,deflate” should be present in the response header.
Some sensitive information that the attacker wants to steal should be present in the response body.
Any user-controlled parameter should be reflected back in the response.
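
The three conditions above, written as a check over a raw, still-compressed response. This is an added example, not part of the original post: the function names, the canary value, the token regex and the sample response are constructed for illustration, and the body is assumed to be already de-chunked.

```python
import gzip
import re
import zlib

COMPRESSED = {"gzip", "x-gzip", "deflate"}

def split_response(raw):
    """Split a raw HTTP response into (lower-cased header dict, body bytes)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:            # skip the status line
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    return headers, body

def decode_body(codings, body):
    """Undo the listed content codings so the plaintext can be searched."""
    for coding in reversed(codings):                # applied in header order
        if coding in ("gzip", "x-gzip"):
            body = gzip.decompress(body)
        elif coding == "deflate":
            try:
                body = zlib.decompress(body)        # zlib-wrapped deflate
            except zlib.error:
                body = zlib.decompress(body, -zlib.MAX_WBITS)  # raw deflate
    return body

def breach_preconditions(raw, canary, secret_pattern):
    """Report each of the three conditions for one response."""
    headers, body = split_response(raw)
    value = headers.get("content-encoding", "")
    codings = [c.strip().lower() for c in value.split(",") if c.strip()]
    text = decode_body(codings, body).decode("utf-8", "replace")
    result = {
        "compressed": any(c in COMPRESSED for c in codings),       # condition 1
        "secret_in_body": bool(re.search(secret_pattern, text)),   # condition 2
        "input_reflected": canary in text,                         # condition 3
    }
    result["all_three"] = all(result.values())
    return result

def build_sample(compress):
    """Constructed response: reflects 'canary1337' and embeds a made-up token."""
    html = (b"<p>Results for canary1337</p>"
            b"<input name='csrf_token' value='a3f9c2d17b60e4f8'>")
    head = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
    if compress:
        html = gzip.compress(html)
        head += b"Content-Encoding: gzip\r\n"
    return head + b"Content-Length: %d\r\n\r\n" % len(html) + html
```

`breach_preconditions(build_sample(True), "canary1337", r"csrf_token' value='[0-9a-f]{16}'")` reports all three conditions as met; the same call on `build_sample(False)` fails only the compression condition.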

MISTAKE 1 :- Not changing Burp’s default setting

By default, Burp has a setting enabled that unpacks gzip responses. If we don’t change this setting, we will see the unpacked data in the response tab. This setting can be found in 2 places:-