BEAST Attack
What is BEAST Attack?
BEAST AttackA 2011 chosen-plaintext attack on SSL 3.0 and TLS 1.0 CBC ciphers (CVE-2011-3389) by Rizzo and Duong that recovers HTTPS cookies via a predictable IV flaw.
BEAST (Browser Exploit Against SSL/TLS) was disclosed at Ekoparty 2011 by Juliano Rizzo and Thai Duong and tracked as CVE-2011-3389. SSL 3.0 and TLS 1.0 chain CBC initialization vectors across records: the IV for record N is simply the last ciphertext block of record N−1, so it is known to a network attacker before the next record is sent. This turns the encryption into a predictable-IV CBC scheme that is vulnerable to a blockwise-adaptive chosen-plaintext attack.
The practical exploit pairs a man-in-the-middle with attacker-controlled JavaScript (originally a Java applet, exploiting same-origin weaknesses) running in the victim's browser. The attacker aligns an unknown secret byte — say one byte of a session cookie — so it sits at the end of a CBC block, then guesses the byte: a guess is confirmed when the produced ciphertext block matches a previously observed one. By shifting the boundary one byte at a time, the full cookie is recovered in roughly 256 guesses per byte instead of 256^n.
Mitigations: TLS 1.1+ uses explicit, random per-record IVs and is immune; browsers shipped the 1/n−1 record split (sending one byte in its own record to randomize the next IV); RC4 was a stopgap until its own biases made it unsafe. The durable fix is TLS 1.2/1.3 with AEAD ciphers (AES-GCM, ChaCha20-Poly1305), which abandon CBC for record encryption.
flowchart TD
M[MITM observes TLS 1.0 CBC records] --> J[Attacker JS injects chosen plaintext]
J --> A[Align secret cookie byte at block boundary]
A --> G[Guess byte using prior ciphertext block as known IV]
G --> C{Ciphertext block matches?}
C -->|Yes| R[Byte recovered, shift boundary]
C -->|No| G
R --> D{Cookie complete?}
D -->|No| A
D -->|Yes| S[Session cookie stolen]● Examples
- 01
Recovering an authentication cookie from a TLS 1.0 banking site through a malicious Java applet.
- 02
Decrypting HTTP request headers byte-by-byte on a CBC-mode HTTPS session.
● Frequently asked questions
What is BEAST Attack?
A 2011 chosen-plaintext attack on SSL 3.0 and TLS 1.0 CBC ciphers (CVE-2011-3389) by Rizzo and Duong that recovers HTTPS cookies via a predictable IV flaw. It belongs to the Attacks & Threats category of cybersecurity.
What does BEAST Attack mean?
A 2011 chosen-plaintext attack on SSL 3.0 and TLS 1.0 CBC ciphers (CVE-2011-3389) by Rizzo and Duong that recovers HTTPS cookies via a predictable IV flaw.
How do you defend against BEAST Attack?
Defences for BEAST Attack typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for BEAST Attack?
Common alternative names include: BEAST, Browser Exploit Against SSL/TLS.