Javascript Insecure Gzip Algorithm
Description
Detects compression-webpack-plugin configurations in webpack projects that compress with the gzip algorithm. The concern is the length side channel of adaptive compression: compressed output shrinks when the input repeats itself, and BREACH exploits this by having the victim's browser request pages that reflect attacker-chosen strings into a response that also contains a secret (a CSRF token, for example), then reading the secret out of the length of the TLS-encrypted response. Two caveats matter when triaging a finding: the side channel belongs to compression as such, so brotli exposes it as well, and the files this plugin precompresses at build time are static assets with no per-user secret. The finding matters where the same compression setup is carried over to dynamic, secret-bearing responses, and there it is mitigated by not compressing such responses, by keeping reflected input out of responses that contain secrets, or by masking the secret per request, not by the choice of algorithm alone.
Detection Strategy
• Search for requires or imports of 'compression-webpack-plugin' in the project's dependencies and build files
• Analyze the webpack configuration files for instantiations of the plugin
• Check the algorithm option of each instantiation; the plugin defaults to gzip when the option is omitted
• Report a finding for each instantiation that compresses with gzip
Vulnerable code example
const CompressionPlugin = require("compression-webpack-plugin");

// Vulnerable: the plugin is configured with the gzip algorithm (which is also
// the plugin's default when the algorithm option is omitted)
module.exports = {
  plugins: [
    new CompressionPlugin({
      filename: "[path][base].gz",
      algorithm: "gzip", // Flagged: gzip output length depends on repeated content, the side channel BREACH exploits
      test: /\.js$/,
      threshold: 10240,
    }),
  ],
};
✅ Secure code example
const CompressionPlugin = require("compression-webpack-plugin");
const zlib = require("zlib");

// Preferred: brotli produces smaller assets and clears the flagged gzip setting.
// Brotli is still an adaptive compressor, so BREACH mitigation for dynamic,
// secret-bearing responses has to come from what is compressed, not from the
// algorithm choice alone (see Description).
module.exports = {
  plugins: [
    new CompressionPlugin({
      filename: "[path][base].br",
      algorithm: "brotliCompress", // Brotli instead of gzip
      test: /\.js$/,
    }),
  ],
};