BREACH (CVE-2013-3587)
BREACH is the CRIME-style compression side-channel attack that targets HTTP-level gzip compression instead of TLS compression.
Definition
BREACH (Browser Reconnaissance and Exfiltration via Adaptive Compression of Hypertext, CVE-2013-3587) is an extension of CRIME to HTTP-level compression. When an HTTPS response body is gzip-compressed and contains a secret (a CSRF token, a reflected session cookie), an attacker who can inject chosen plaintext into the same response and observe the length of the encrypted replies can recover the secret one byte at a time: a guess that matches the secret is compressed away by the LZ77 stage, so the response gets shorter. Mitigations are application-level: don't compress secrets, randomise response length, or rotate (or mask) tokens per request.
Mitigation
Don't reflect secrets in HTTP responses. Don't gzip-compress responses that contain secrets. Rotate or mask tokens per request so the same secret bytes never appear verbatim across responses. Add random-length padding to compressed responses (this raises the number of requests an attacker needs, but does not remove the length signal).
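The length oracle described under Definition, and the per-request token masking from Mitigation, as an added example that is not part of the original page (the HTML template, the hex token and the mask bytes are constructed for illustration): the compressed size drops sharply when the reflected text equals the unmasked token, and the drop disappears once the token is masked per request.

```python
import base64
import os
import zlib
from typing import Optional

# Constructed sample secret; in a real app this is the session-bound CSRF token.
SECRET_TOKEN = "f3a9b2c1d4e507a16b8c9d2e3f405162"


def mask_token(token: bytes, mask: bytes) -> str:
    """Per-request masking: emit base64(mask || token XOR mask).
    The raw token bytes never appear in the page, so an attacker-controlled
    reflection has nothing for the compressor to match against."""
    assert len(mask) == len(token)
    xored = bytes(t ^ m for t, m in zip(token, mask))
    return base64.b64encode(mask + xored).decode()


def render_page(reflected: str, mask: Optional[bytes] = None) -> bytes:
    """Constructed HTTPS response body: a form carrying the CSRF token plus an
    attacker-influenced string (for example a reflected search query)."""
    token = SECRET_TOKEN if mask is None else mask_token(SECRET_TOKEN.encode(), mask)
    html = (
        "<html><body>"
        f"<form method='post'><input type='hidden' name='csrftoken' value='{token}'></form>"
        f"<p>No results for: {reflected}</p>"
        "</body></html>"
    )
    return html.encode()


def compressed_size(body: bytes) -> int:
    """What a network observer sees through TLS: the deflate payload length."""
    return len(zlib.compress(body, 6))


def leak_in_bytes(correct_guess: str, wrong_guess: str, mask: Optional[bytes] = None) -> int:
    """Compressed size of the response reflecting a wrong guess minus the size
    when reflecting the correct one. Large positive: the compressor folds the
    secret into a back-reference and the oracle works. Near zero: no signal."""
    return compressed_size(render_page(wrong_guess, mask)) - compressed_size(
        render_page(correct_guess, mask)
    )


if __name__ == "__main__":
    wrong = SECRET_TOKEN[::-1]  # same characters, so Huffman coding is comparable
    print("unmasked token, size difference:", leak_in_bytes(SECRET_TOKEN, wrong))
    print("masked token,   size difference:", leak_in_bytes(SECRET_TOKEN, wrong, os.urandom(32)))
```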