Pedictable Initialization Vector
Predictable Initialization Vector (IV)
Overview of the Vulnerability
Cryptographic algorithms use an initial block of data (called an initialization vector) alongside the plaintext data that is encrypted. When this IV is predictable, an attacker can identify the IV from the original data within the encryption.
Business Impact
This vulnerability can lead to reputational damage of the company through the impact to customers’ trust, and the ability of an attacker to view data. The severity of the impact to the business is dependent on the sensitivity of the accessible data being transmitted by the application.
Steps to Reproduce
Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP
Setup {{software}} to intercept and log requests
Use a browser to navigate to: {{URL}}
{{action}} to view unencrypted requests
Proof of Concept (PoC)
The screenshot below demonstrates the predictability of the initialization vector:
{{screenshot}}
Guidance
Provide a step-by-step walkthrough with a screenshot on how you exploited the vulnerability. This will speed triage time and result in faster rewards. Please include specific details on where you identified the initialization vector reuse, how you identified it, and what actions you were able to perform as a result.
Attempt to escalate the vulnerability to perform additional actions. If this is possible, provide a full Proof of Concept (PoC).
Recommendation(s)
Implement robust entropy for the cryptographic algorithms and ensure that the algorithms, protocols, and keys in place are kept up to date. It is also best practice to use different initialization vectors for multiple invocations of encryption routines to ensure they aren't predictable.
For more information, refer to the following resource:
Last updated