[WEB SECURITY] Oracle Padding and Exploitation
Daniel "unicornFurnace" Crowley
dan.crowley at gmail.com
Sat Apr 28 02:20:53 EDT 2012
First off, my anal retentive side simply *MUST* correct you: It's
An "oracle" is a system which provides answers to specific types of
questions. In cryptography, there is a concept of "padding", extra
data appended to the unencrypted message to satisfy the length
requirements of a block cipher, which requires that data it is
encrypting is to be of a certain length.
A padding oracle normally only will reveal if an encrypted message,
when decrypted, is properly padded.
Vaudenay presented at EUROCRYPT that with PKCS#5 padding, a padding
oracle can actually be used as a decryption oracle, given the ability
to make lots of submissions to the padding oracle. This allows us to
decrypt arbitrary data using a padding oracle.
Thai Duong and Juliano Rizzo applied this theoretical attack in a
practical way: against Web applications. They also presented a way of
using padding oracles as encryption oracles, allowing encryption of
The ASP.NET framework not only had padding oracle flaws, it used
PKCS#5 padding, reused keys between different parts of the
application, and provided a mechanism for disclosing file contents for
any file name you could encrypt.
While PadBuster is a generic tool for exploiting padding oracle flaws
where PKCS#5 is used, the most well-known example is in old versions
of the ASP.NET framework. Many people are under the mistaken
impression that this flaw is exclusive to ASP.NET, when it is not.
Now that I've satisfied the pedantic side of me, here's the
information you've actually asked for:
This blog post explains the usage of padbuster.pl against a vulnerable
installation of ASP.NET. It's been very helpful for me and for other
people I've spoken with in the past. Feel free to contact me directly
with questions about its usage.
"All the forces in the world are not so powerful as an idea whose time
has come." - Victor Hugo
More information about the websecurity