Dot net Core API Compression risk of CRIME and BREACH attacks

Shreyansh Jain 1 Reputation point

I am working on Dot Net core 6 controller based apis with Azure AD token based authorization. In every request I expect access token from client and then I validate the token if valid only then I allow to access the api.

I used ResponseCompression middleware in my api response so Please let me know is there any risk of CRIME and BREACH attacks?

Please help me here.

A set of technologies in the .NET Framework for building web applications and XML web services.
4,118 questions
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. Zhi Lv - MSFT 32,006 Reputation points Microsoft Vendor

    Hi @Shreyansh Jain ,

    From the ResponseCompression middleware document, we can see that using there doesn't has any description about the security risk when using the ResponseCompression middleware. But the performance of the response compression middleware probably won't match that of the server modules. HTTP.sys server and Kestrel server don't currently offer built-in compression support.

    Compressed responses over secure connections can be controlled with the EnableForHttps option, which is disabled by default because of the security risk. Using compression with dynamically generated pages can expose the app to CRIME and BREACH attacks. CRIME and BREACH attacks can be mitigated in ASP.NET Core with antiforgery tokens. For more information, see Prevent Cross-Site Request Forgery (XSRF/CSRF) attacks in ASP.NET Core.

    If you found there has any risk attacks using the ResponseCompression middleware. You can submit a feedback about it by clicking the button at the bottom of the document.

    If the answer is the right solution, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    Best regards,

    0 comments No comments