Understanding the BREACH Attack and Content Length
The BREACH attack is a Side-Channel attack. You need some way to access the side channel.
On page 13 of the presentation, you can see what BREACH needs the attacker to set up:
-
A web server serving the site the browser visits.
-
A callback where the javascript on the victim’s browser notifies the attacker that the request completed, giving time information about when the packets with the currently tried string went through.
-
A MITM for monitoring the length of the sent packets.
So, in other words, you need access to the wire.