Hello, I was running SSL Labs scans against our web service and website. Does the scan detect BREACH vulnerability? If not, what could I use to detect this?
SSL Labs does not support detecting BREACH. You can check out BREACH's POC here
Since it is a compression side-channel attack similar to the CRIME attack, for which SSL Labs checks the compression, it is recommended not to use compression in order to mitigate BREACH.
Blog reference - https://blog.qualys.com/ssllabs/2013/08/07/defending-against-the-breach-attack
Specifically, you would disable SSL/TLS compression to mitigate CRIME and you would disable HTTP compression to mitigate BREACH.
Note, disabling HTTP compression site wide will decrease the performance of your site. It is probably not the solution you are looking for. The authors of the BREACH ATTACK website offer up seven different mitigation options.
Also, see this previous thread where other mitigation strategies were discussed. BREACH mitigation
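
Added example, not part of the thread or of any SSL Labs tooling: a Python check for the HTTP compression setting the replies above refer to, reading the `Content-Encoding` of responses requested with `Accept-Encoding`. The paths and sample responses are constructed, and the function names are hypothetical; it reports only whether HTTP compression is applied, which is separate from the TLS compression that SSL Labs checks for CRIME.

```python
# Added example: report HTTP-level compression per response, the setting the
# thread ties to BREACH. All sample responses below are constructed.
import http.client

COMPRESSED = {"gzip", "x-gzip", "deflate", "br", "zstd", "compress"}

def parse_headers(raw: str) -> dict:
    """Parse a raw HTTP response head into {lowercased-name: value}."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:      # skip the status line
        if not line.strip():
            break                                   # end of header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def http_compression(headers: dict) -> list:
    """Return the compression codings applied to the response body."""
    codings = [c.strip().lower() for c in headers.get("content-encoding", "").split(",")]
    return [c for c in codings if c in COMPRESSED]

def fetch_headers(host: str, path: str = "/") -> dict:
    """Live check: send Accept-Encoding so the server is allowed to compress."""
    conn = http.client.HTTPSConnection(host, timeout=10)
    try:
        conn.request("GET", path, headers={"Accept-Encoding": "gzip, deflate, br"})
        return {k.lower(): v for k, v in conn.getresponse().getheaders()}
    finally:
        conn.close()

def audit(responses: dict) -> dict:
    """Map each path to its compression codings; an empty list means none."""
    return {path: http_compression(parse_headers(raw)) for path, raw in responses.items()}

# Constructed sample responses (not captured from a real server).
SAMPLES = {
    "/account": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Encoding: gzip\r\nVary: Accept-Encoding\r\n\r\n",
    "/static/app.js": "HTTP/1.1 200 OK\r\nContent-Type: application/javascript\r\nContent-Encoding: br\r\n\r\n",
    "/login": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n",
}

if __name__ == "__main__":
    for path, codings in audit(SAMPLES).items():
        print(path, "compressed with " + ",".join(codings) if codings else "not compressed")
```

For a real site, pass `http_compression(fetch_headers("your.host", "/path"))` the host and paths you own and want to review.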