Padding Oracle Attack

A padding oracle attack allows an attacker to decrypt an intercepted message if it was encrypted in CBC mode and the server reveals whether the padding of a submitted ciphertext is valid.

- PadBuster

PadBuster is a Perl script for automating Padding Oracle Attacks. PadBuster provides the capability to decrypt arbitrary ciphertext, encrypt arbitrary plaintext, and perform automated response analysis to determine whether a request is vulnerable to padding oracle attacks.

First of all, we log into the website and copy our session cookie.

Then:

padbuster https://example/login.php "<cookie value>" <block size in bytes> -cookie "<cookie name>=<cookie value>" -encoding 0

Then, looking at the output, we should enter the ID of the response signature matching the error condition (the one marked with **):

Once we have confirmed that it is vulnerable, we add -plaintext "user=admin" to the command to forge a cookie for the admin user:

padbuster https://example/login.php "<cookie value>" <block size in bytes> -cookie "<cookie name>=<cookie value>" -encoding 0 -plaintext "user=admin"

Once we obtain the cookie for the user "admin", we can use it in a pass-the-cookie attack, for example with the EditThisCookie Firefox add-on.

- Bit Flipper Attack

First of all, in Burp Suite's Miscellaneous settings, we should enable "Don't send items to Proxy history or live tasks, if out of scope".

Then we should add the scope and clear the history.

Once that is set up, we register a user with a username similar to admin (badmin, for example).

After that, we intercept the request with Burp Suite and send it to Intruder.

Then we select the cookie value (after the =), add it as a payload position, choose the Sniper attack type and select the Bit flipper payload type in the Payloads tab.

After the attack, we can find the admin cookie among the results.
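To show, from the server's side, what both the PadBuster probe and the bit-flipper attack above rely on, here is an added Go example (not part of the original page, nor PadBuster or Burp code): a cookie handler that decrypts CBC with no integrity check, beside an encrypt-then-MAC version that rejects any modified cookie with one uniform error before decrypting. Keys, the cookie value and all function names are assumptions.

```go
package main
import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)
// A distinct padding error is the oracle; the hardened handler only ever returns ErrInvalid.
var ErrPadding, ErrInvalid = errors.New("invalid padding"), errors.New("invalid cookie")
// SealCBC: AES-CBC with a random IV prepended and PKCS#7 padding, no integrity protection.
func SealCBC(key, pt []byte) []byte {
	block, _ := aes.NewCipher(key)
	p := aes.BlockSize - len(pt)%aes.BlockSize
	padded := append(append([]byte{}, pt...), bytes.Repeat([]byte{byte(p)}, p)...)
	out := make([]byte, aes.BlockSize+len(padded))
	rand.Read(out[:aes.BlockSize])
	cipher.NewCBCEncrypter(block, out[:aes.BlockSize]).CryptBlocks(out[aes.BlockSize:], padded)
	return out
}
// OpenCBCInsecure decrypts first and reports bad padding distinctly (what PadBuster probes for); any ciphertext whose padding survived is accepted (what the bit-flipper attack abuses).
func OpenCBCInsecure(key, ct []byte) ([]byte, error) {
	if len(ct) < 2*aes.BlockSize || len(ct)%aes.BlockSize != 0 {
		return nil, ErrPadding
	}
	block, _ := aes.NewCipher(key)
	pt := make([]byte, len(ct)-aes.BlockSize)
	cipher.NewCBCDecrypter(block, ct[:aes.BlockSize]).CryptBlocks(pt, ct[aes.BlockSize:])
	p := int(pt[len(pt)-1])
	if p == 0 || p > aes.BlockSize || !bytes.Equal(pt[len(pt)-p:], bytes.Repeat([]byte{byte(p)}, p)) {
		return nil, ErrPadding
	}
	return pt[:len(pt)-p], nil
}
// Encrypt-then-MAC: HMAC-SHA256 over IV||ciphertext is verified in constant time before any decryption, so the padding check never runs on attacker-modified bytes.
func tag(macKey, ct []byte) []byte { m := hmac.New(sha256.New, macKey); m.Write(ct); return m.Sum(nil) }
func SealETM(encKey, macKey, pt []byte) []byte { ct := SealCBC(encKey, pt); return append(ct, tag(macKey, ct)...) }
func OpenETM(encKey, macKey, tok []byte) ([]byte, error) {
	n := len(tok) - sha256.Size
	if n < 2*aes.BlockSize || !hmac.Equal(tag(macKey, tok[:n]), tok[n:]) {
		return nil, ErrInvalid
	}
	if pt, err := OpenCBCInsecure(encKey, tok[:n]); err == nil {
		return pt, nil
	}
	return nil, ErrInvalid // unreachable for an authentic token, but never leak why
}
```

With the insecure handler a single flipped IV bit either changes one plaintext byte and is still accepted, or trips a padding error the client can distinguish; with the authenticated handler every modification produces the same ErrInvalid.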
