Padding Oracle Attack
Padding Oracle Attack
Overview of the Vulnerability
A cryptographic weakness was identified which can allow an attacker to use a padding oracle attack to derive the encryption key. This is due to the application revealing information during the decryption process about the validity of the padding data. This can allow an attacker to break the confidentiality of requests sent to and from the endpoint.
Business Impact
This vulnerability can lead to reputational damage of the company through the impact to customers’ trust, and the ability of an attacker to view data. The severity of the impact to the business is dependent on the sensitivity of the accessible data being transmitted by the application.
Steps to Reproduce
Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP
Setup {{software}} to intercept and log requests
Use a browser to navigate to: {{URL}}
{{action}} to view unencrypted requests
Proof of Concept (PoC)
The screenshot below demonstrates the padding oracle attack:
{{screenshot}}
Guidance
Provide a step-by-step walkthrough with a screenshot on how you exploited the vulnerability. This will speed triage time and result in faster rewards. Please include specific details on where you identified the padding oracle attack, how you identified it, and what actions you were able to perform as a result.
Attempt to escalate the vulnerability to perform additional actions. If this is possible, provide a full Proof of Concept (PoC).
Recommendation(s)
Implement robust entropy for the cryptographic algorithms and ensure that the algorithms, protocols, and keys in place are kept up to date. It is also best practice for applications to use nondescript error messages that do not vary between error types when decrypting user-supplied data.
For more information, refer to the following resource:
Last updated