CVE-2012-4929
Thai Duong, Juliano Rizzo

The attacker wants to steal the cookies from a user on victim.example.com.

The user is tricked into visiting the attacker's website. The attacker's website makes several requests to the victim site. Although the attacker can't read the user's cookies for the victim site, the browser automatically includes them in each request. The browser then compresses the request (which contains the user's cookies together with the URL chosen by the attacker), encrypts it and sends it. The attacker cannot read the request or the cookies at this point (because they are encrypted); the attacker can only learn the size of the request (because the browser does not hide the request size from the attacker).

Since the attacker controls some of the data in the request (the URL, for example), the browser compresses the attacker-supplied data together with the secret cookies. As a result, the attacker can guess the value of the cookie byte by byte: if the guess is correct, the compression algorithm detects that the value is repeated and compresses it, making the request smaller; if the guess is wrong, there is nothing to compress and the request stays larger. Since the attacker can observe the request size, the attacker can deduce whether the guess was right and repeat for the next byte.
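As an added illustration (not part of the gallery page), the size signal the drawing describes, reproduced with Python's zlib on a mock request: the host name, cookie value and guessed strings are constructed for the demo, and the `compress=False` path models the fix of turning request compression off, which removes the signal.

```python
import zlib

# Constructed values for the demonstration; not real credentials or a real site.
SECRET_COOKIE = "sessionid=7f3a9c2e4b1d"
WRONG_GUESS = "kZ3nQ8vR1tYb6wLp0sDm5f"  # same length as the cookie, shares no substring with it
HOST = "victim.example.com"


def build_request(path: str) -> bytes:
    """Mock the plaintext request the browser assembles: the attacker chooses
    the path, the browser appends the secret cookie it holds for HOST."""
    return (
        f"GET {path} HTTP/1.1\r\n"
        f"Host: {HOST}\r\n"
        f"Cookie: {SECRET_COOKIE}\r\n"
        "\r\n"
    ).encode()


def observed_size(path: str, compress: bool = True) -> int:
    """Length an on-path observer sees. Encryption hides the content but not
    the length, so after DEFLATE (what TLS/SPDY compression used) the
    compressed length is the only signal. compress=False models the
    mitigation of disabling compression: the length then depends only on the
    number of bytes the attacker supplied, not on their content."""
    plaintext = build_request(path)
    if not compress:
        return len(plaintext)
    return len(zlib.compress(plaintext, 9))


def compression_oracle_signal(guess: str, compress: bool = True) -> int:
    """Request size when the attacker-controlled path carries `guess`.
    A guess equal to the cookie is encoded as a back-reference to the
    Cookie header instead of as literal bytes, so the request shrinks."""
    return observed_size("/" + guess, compress)


if __name__ == "__main__":
    correct = compression_oracle_signal(SECRET_COOKIE)
    wrong = compression_oracle_signal(WRONG_GUESS)
    print(f"compressed: correct guess {correct} bytes, wrong guess {wrong} bytes")
    print("compression disabled:",
          compression_oracle_signal(SECRET_COOKIE, compress=False),
          compression_oracle_signal(WRONG_GUESS, compress=False))
```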
About: In the Security Bugs Gallery you will find drawings of different stories inspired by software security vulnerabilities.