Typescript Insecure Gzip Algorithm
Description
Detects potentially insecure compression algorithms configured through compression-webpack-plugin in webpack configurations. Insecure compression settings can expose a web application to BREACH/CRIME-style attacks, which may lead to information disclosure.
Detection Strategy
• Identifies imports or requires of the 'compression-webpack-plugin' package in the codebase
• Analyzes webpack configuration files for compression plugin usage and settings
• Reports a vulnerability when compression-webpack-plugin is configured with potentially insecure compression options
Vulnerable code example
import CompressionPlugin from "compression-webpack-plugin";
// Vulnerable: Uses default compression settings without security parameters
new CompressionPlugin({
filename: "[path][base].gz",
algorithm: "gzip",
test: /\.js$|\.css$|\.html$/,
threshold: 10240,...
✅ Secure code example
import zlib from "zlib";
import CompressionPlugin from "compression-webpack-plugin";
// Secure: Uses Brotli with explicit security parameters and quality settings
new CompressionPlugin({
filename: "[path][base].br",
algorithm: "brotliCompress", // More secure and efficient compression algorithm
test: /\.(js|css|html|svg)$/,...
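To make the detection strategy above concrete, here is an added example, not Fluid Attacks' own rule implementation: a small text-based checker that looks for an import or require of compression-webpack-plugin, finds each plugin instantiation, and reports it when the algorithm is gzip either explicitly or by omission (the plugin's default). The sample config and the `Finding`/`findInsecureGzip` names are assumptions made for this example, and the regular-expression parsing stands in for the AST walk a real rule would perform.

```typescript
// Added example, not the Fluid Attacks rule itself: a minimal text-based
// checker that mirrors the detection strategy above. A production rule
// would walk the TypeScript AST; regular expressions are a simplification.
export interface Finding {
  line: number;      // 1-based line of the `new <Plugin>(` call
  algorithm: string; // resolved algorithm option
  explicit: boolean; // false when omitted (the plugin defaults to gzip)
}

const PKG = "compression-webpack-plugin";

/** True if the source imports or requires compression-webpack-plugin. */
export function importsCompressionPlugin(src: string): boolean {
  return new RegExp(`(from\\s+|require\\(\\s*)["']${PKG}["']`).test(src);
}

/** Local binding name of the plugin (e.g. CompressionPlugin), if any. */
function pluginBinding(src: string): string | null {
  const m =
    src.match(new RegExp(`import\\s+(\\w+)\\s+from\\s+["']${PKG}["']`)) ??
    src.match(new RegExp(`(?:const|let|var)\\s+(\\w+)\\s*=\\s*require\\(\\s*["']${PKG}["']`));
  return m?.[1] ?? null;
}

/** Reports every plugin instantiation that compresses with gzip, explicitly or by default. */
export function findInsecureGzip(src: string): Finding[] {
  const findings: Finding[] = [];
  const name = pluginBinding(src);
  if (!importsCompressionPlugin(src) || name === null) return findings;
  // Match `new CompressionPlugin({ ... })`; a nested object is fine because the
  // lazy match can only end at a `}` that is directly followed by `)`.
  const call = new RegExp(`new\\s+${name}\\s*\\(\\s*\\{([\\s\\S]*?)\\}\\s*\\)`, "g");
  let m: RegExpExecArray | null;
  while ((m = call.exec(src)) !== null) {
    // Accept a string literal ("gzip") or an identifier (zlib.brotliCompress).
    const alg = /algorithm\s*:\s*(["']?)([\w.]+)\1/.exec(m[1]);
    const algorithm = alg?.[2] ?? "gzip";
    if (algorithm === "gzip") {
      const line = src.slice(0, m.index).split("\n").length;
      findings.push({ line, algorithm, explicit: alg !== null });
    }
  }
  return findings;
}

// Constructed sample config for a stand-alone run (not taken from a real project).
export const SAMPLE_CONFIG = `import CompressionPlugin from "compression-webpack-plugin";
export default { plugins: [new CompressionPlugin({ filename: "[path][base].gz", test: /\\.js$/ })] };`;
console.log(findInsecureGzip(SAMPLE_CONFIG)); // → [{ line: 2, algorithm: "gzip", explicit: false }]
```

A config that sets algorithm to "brotliCompress" or to a function such as zlib.brotliCompress produces no finding, as does a file that never imports the plugin.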