Breach Attack in API Gateway
Article ID: 432544

Products

CA API Gateway

Issue/Introduction

CVE-2013-3587 (BREACH) attack detected in API Gateway.

Environment

All supported versions of API Gateway

Cause

CVE-2013-3587 (BREACH) is a compression side-channel attack that targets the combination of HTTPS, HTTP-level response compression, and reflected user input containing secrets. It is not a vulnerability in the Layer 7 API Gateway itself, but rather a class of attack that exploits a specific interaction between TLS encryption and HTTP compression at the protocol level.

All three of the following conditions must be true simultaneously for BREACH to be exploitable:

  1. Responses are served over HTTPS (TLS)
  2. HTTP-level compression (gzip/deflate) is enabled on the response body
  3. The response body contains both attacker-controllable (reflected) input and a static secret (e.g., CSRF token, session ID, ...)

If any one of these conditions is removed, the attack is not feasible.

The Gateway supports globally disabling HTTP compression on response bodies by setting the cluster-wide property "response.compress.gzip.allow=false". This removes condition #2 entirely and is the most direct and complete mitigation against BREACH. It can be verified by confirming that responses no longer include a "Content-Encoding: gzip" header, even when the client explicitly sends "Accept-Encoding: gzip".
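An added example (not part of this article or the Gateway product) of the verification step: a shell check that asks the Gateway for a compressed response and reports whether a Content-Encoding header still comes back. The gateway URL is a placeholder; the two sample header blocks are constructed to show the "before" and "after" states.

```shell
#!/bin/sh
# Verify that HTTP response compression is off after setting
# response.compress.gzip.allow=false on the Gateway.
# compression_disabled HEADERS  -> exit 0 if no gzip/deflate Content-Encoding
#                                  is present, exit 1 if compression is still
#                                  applied (BREACH condition #2 still holds).
compression_disabled() {
    # $1: raw HTTP response headers (CRLF or LF line endings)
    if printf '%s\n' "$1" | tr -d '\r' \
        | grep -i '^content-encoding:' | grep -iqE 'gzip|deflate'; then
        return 1
    fi
    return 0
}

# report LABEL HEADERS -> prints a one-line verdict for the given headers
report() {
    if compression_disabled "$2"; then
        echo "$1: OK - no Content-Encoding: gzip/deflate, condition #2 removed"
    else
        echo "$1: STILL COMPRESSED - Content-Encoding present, re-check the CWP"
    fi
}

# Live check against a Gateway (placeholder URL, not run in this example).
# Send Accept-Encoding explicitly so a Gateway that still compresses reveals it.
# GATEWAY_URL="https://gateway.example.invalid/api/service"
# report "live" "$(curl -sSI -H 'Accept-Encoding: gzip, deflate' "$GATEWAY_URL")"

# Constructed sample: headers before the property was set.
BEFORE='HTTP/1.1 200 OK
Content-Type: application/json
Content-Encoding: gzip
Vary: Accept-Encoding'

# Constructed sample: headers after response.compress.gzip.allow=false.
AFTER='HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: 128'

report "before" "$BEFORE"
report "after" "$AFTER"
```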

Resolution

Set the cluster-wide property (CWP) "response.compress.gzip.allow=false" and re-run the vulnerability assessment (VA) scan.