Questions tagged [padding-oracle-attack]

A Padding Oracle Attack exploits a ciphertext decryptor to recover the plaintext by sending multiple manipulated ciphertexts. Use the [poodle-attack] tag if your question is explicitly about POODLE. If your question isn't directly related to programming/software development, it is better asked on security.stackexchange.com for general questions and on crypto.stackexchange.com for details about the cryptography behind it.

A Padding Oracle Attack exploits a ciphertext decryptor that lets an attacker distinguish between wrong padding and failed decryption (the oracle), for example through different error messages or response times. By sending many manipulated ciphertexts to the oracle, the attacker can recover the plaintext from the ciphertext without knowing the key.

A notable example of this attack is the POODLE attack against SSLv3 and TLS 1.0-1.2.

19 questions
192 votes, 10 answers

How serious is this new ASP.NET security vulnerability and how can I workaround it?

I've just read on the net about a newly discovered security vulnerability in ASP.NET. You can read the details here. The problem lies in the way that ASP.NET implements the AES encryption algorithm to protect the integrity of the cookies…
Venemo
13 votes, 3 answers

Which padding is used by javax.crypto.Cipher for RSA

I need to decrypt messages via RSA in order to send them over an unsecured channel, but I'm afraid of the Padding Oracle Attack. Therefore I have already asked the following questions: How to verify the integrity of RSA encrypted messages? How to…
My-Name-Is
6 votes, 6 answers

Oracle padding exploit - how does it download the web.config?

I know there are already a few questions on SO about the oracle padding exploit but none of them explain how it downloads the web.config. I run a couple of ASP .NET apps which I have already tested using Microsoft recommended mitigation factors but…
Alex
4 votes, 1 answer

Is this code vulnerable to a padding oracle attack?

Is the following code vulnerable to a padding oracle attack, because it will return whether the padding is valid or not (CBC, PKCS#7)? The code is taken directly from Microsoft's webpage and can be run easily on an online compiler like…
3 votes, 2 answers

Example of an asp.net application vulnerable to the Padding Oracle Attack?

Could anyone give me a very basic example of an ASP.NET web application which is vulnerable to the padding oracle attack?
Robie
2 votes, 0 answers

Issue setting up a recursive function in Python (first time using Python)

I have written this little function for a padding oracle CTF and gotten lost along the way; could someone help? I am trying to update a bytestring byte by byte from the back. However, when I run it, it does it from the front. newbyte: looks like…
Arwa Lucky
2 votes, 1 answer

Preventing "padding oracle" attack if data is streamed or too large for HMAC?

I know that the best solution against the padding oracle attack is to wrap and append a HMAC to the complete encrypted message. But what other solutions are there? What if my data is so large that I need to stream it? I can check the HMAC at the…
Christian
2 votes, 1 answer

How to handle padding errors in pkcs11?

I'm wondering how C_DecryptFinal & C_Decrypt are supposed to deal with padding errors. According to pkcs11 2.20, C_DecryptFinal can return CKR_ENCRYPTED_DATA_INVALID or CKR_ENCRYPTED_DATA_LEN_RANGE, so I suppose that if padding is invalid,…
2 votes, 1 answer

Altering the Last Byte of a String

I'm working on a Padding Oracle attack which involves altering an IV and sending it back with an HTML POST request. The simple version is that I'm trying to alter the last byte of a string... and I think I might be doing it wrong. First we start…
OneManRiot
1 vote, 1 answer

Python Padding Oracle breaking script seems to be undefined?

I am trying to write a very simple script that will just decrypt one byte of text according to this formula: P′2[K] = Pn[K] ⊕ Cn-1[K] ⊕ C′[K]. The oracle is a simple function that decrypts, then checks that the last byte is equal to the padding 0x15. With p'2[k] is…
KMG
1 vote, 3 answers

Is a Padding Oracle Attack possible with an always 200 OK response?

I am currently performing penetration testing of an ASP.NET application and trying to exploit a Padding Oracle Attack. AFAIK this is based on response code analysis, but both the ScriptResource and WebResource axds of the system under test always respond with 200…
p0deje
1 vote, 1 answer

What is the meaning of the name Lucky Thirteen?

From the article Lucky Thirteen: Breaking the TLS and DTLS record protocols: The details of which specific attacks are possible depends on the exact size of MAC tags output by the MAC algorithm negotiated by the Handshake Protocol, and also on…
alond22
1 vote, 1 answer

Thread.Sleep in aspx error page. Why?

In this advisory concerning the oracle padding exploit, Microsoft posted the following recommended error page: <%@ Page Language="C#" AutoEventWireup="true" %> <%@ Import Namespace="System.Security.Cryptography" %> <%@ Import…
spender
1 vote, 2 answers

Is it vulnerable to the ASP padding oracle?

When I open chat.mysite.com/WebResource.axd?d=jzjghMVYzFihd9Uhe_arpA2 It gives me: Padding is invalid and cannot be removed. When I open chat.mysite.com/WebResource.axd?d=acunetix It gives me: Invalid viewstate. When I open …
0 votes, 0 answers

Can a GET request parameter's ciphertext have a number of bytes that is a non-integer multiple of 16 in AES-128?

I have been studying encryption/decryption and most recently the padding oracle attack. Now, in my studies, I have come across a URL that looked something like this: http://(some…