CRIME (SSL/TLS) attack

Impact: Low

Description

CRIME (Compression Ratio Info-leak Made Easy) is a security exploit against secret web cookies over connections using the HTTPS and SPDY protocols that also use data compression. When used to recover the content of secret authentication cookies, it allows an attacker to perform session hijacking on an authenticated web session, allowing the launching of further attacks. ^Wikipedia

Recommendation

Disable SSL/TLS compression.

References

Wikipedia: CRIME
CWE-310
OWASP 2017-A3
OWASP 2021-A2
CVE-2012-4929
OWASP 2017-A9
OWASP 2021-A6

👉 You might also like:

CRIME (SPDY) attack - CVE-2012-4930

The POODLE attack - CVE-2014-3566

Secure Renegotiation is not supported - CVE-2009-3555

BREACH attack - Vulnerability

Last updated on April 04, 2021

CRIME (SSL/TLS) attack

Description

Recommendation

References

Use SmartScanner Free version to test for this issue