BIPI

Padding Oracle Attacks: From CBC Theory to Cookie Decryption

Cybersecurity

Padding oracles are still alive in legacy stacks. We rebuild the CBC theory, walk through a session cookie decryption with padbuster, and show the AEAD migrations that finally close the door.

By Arjun Raghavan, Security & Systems Lead, BIPI · December 20, 2023 · 11 min read

#padding-oracle #cbc #crypto #pentesting #aead

Why padding oracles still exist

AES-CBC with PKCS7 padding is everywhere in legacy auth tokens, viewstate, encrypted query parameters, and homegrown session cookies. If the server tells the attacker, in any way, whether decryption padding was valid, the entire ciphertext can be decrypted byte by byte. The leak can be a status code, a response time, or an error string.

The math in one paragraph

CBC decrypts each ciphertext block with the block cipher, then XORs the result with the previous ciphertext block (or the IV for the first block). The attacker controls that previous block. By flipping bytes in it and observing whether the server accepts the padding, the attacker recovers the intermediate state, the raw block-cipher output. XOR that intermediate state with the original previous ciphertext block and you get the plaintext block. No key needed.

Discovery checklist

  • Identify tokens that decode as base64 with length divisible by 16
  • Flip the last byte of the second to last block, observe response change
  • Different error pages, different status codes, or measurable timing differences all qualify as oracles
  • Test viewstate, encrypted cookies, password reset tokens, license keys

Tooling

padbuster is the original tool, still effective on most simple oracles. PadBuster.NET targets ASP.NET viewstate. The python-paddingoracle library lets you write custom oracles when the response signal is non-standard. Burp Intruder can drive the attack manually.

Walkthrough

  1. Capture an encrypted cookie, base64 decode, confirm 16 byte alignment
  2. Send 256 variants of the cookie with the last byte of block N-1 flipped to each possible value
  3. Note which variant returns the no-error response; that byte value yields the last plaintext byte of block N
  4. Iterate for every byte in every block, full decryption typically completes in minutes

Famous CVEs

POODLE on SSL 3.0, Lucky Thirteen on TLS and BEAST on TLS 1.0 are all flavors of CBC oracle. Application-layer examples include ASP.NET CVE-2010-3332 (Ruby on Rails CVE-2019-5418 was a different bug, but it raised awareness) and countless homegrown auth schemes that wrap base64 of AES-CBC of JSON.

Detection

  • Bursts of requests with malformed tokens from a single client
  • Response size variance on the same endpoint correlated with cookie manipulation
  • Repeated padding error log entries in app server logs
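The three signals above can be checked from ordinary application logs. The following is an added example, not code from the BIPI article: it parses a constructed log format (assumed here as `<iso-time> client=<ip> path=<path> status=<code> bytes=<n> msg="<text>"`), counts padding-error entries per client in a sliding window, and records the response sizes that client saw on failures, so a burst of malformed tokens with two distinct failure sizes stands out from a single corrupted cookie.

```python
# Added example (not from the BIPI article): flag padding-oracle probing in app logs.
# ASSUMPTION: log lines follow the constructed format parsed by LINE below.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE = re.compile(
    r'^(\S+) client=(\S+) path=(\S+) status=(\d+) bytes=(\d+) msg="([^"]*)"$'
)

# Constructed sample: 203.0.113.5 sends six padding errors in six seconds, then one
# request that decrypts but fails the session check (a different response size);
# 198.51.100.7 has a single padding error (a corrupted cookie); 192.0.2.9 has
# three errors spread over twenty minutes, which stays below the burst threshold.
SAMPLE_LOG = """\
2023-12-20T10:00:00Z client=198.51.100.7 path=/account status=200 bytes=2140 msg="ok"
2023-12-20T10:00:01Z client=203.0.113.5 path=/account status=400 bytes=312 msg="padding error"
2023-12-20T10:00:02Z client=203.0.113.5 path=/account status=400 bytes=312 msg="padding error"
2023-12-20T10:00:03Z client=203.0.113.5 path=/account status=400 bytes=312 msg="padding error"
2023-12-20T10:00:04Z client=203.0.113.5 path=/account status=400 bytes=312 msg="padding error"
2023-12-20T10:00:05Z client=203.0.113.5 path=/account status=400 bytes=312 msg="padding error"
2023-12-20T10:00:06Z client=203.0.113.5 path=/account status=400 bytes=312 msg="padding error"
2023-12-20T10:00:07Z client=203.0.113.5 path=/account status=401 bytes=287 msg="bad session"
2023-12-20T10:00:30Z client=192.0.2.9 path=/account status=400 bytes=312 msg="padding error"
2023-12-20T10:05:00Z client=198.51.100.7 path=/account status=400 bytes=312 msg="padding error"
2023-12-20T10:05:01Z client=198.51.100.7 path=/account status=200 bytes=2140 msg="ok"
2023-12-20T10:10:30Z client=192.0.2.9 path=/account status=400 bytes=312 msg="padding error"
2023-12-20T10:20:30Z client=192.0.2.9 path=/account status=400 bytes=312 msg="padding error"
"""


def parse(log_text):
    """Return (time, client, path, status, size, msg) tuples; skip lines that do not match."""
    events = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts, client, path, status, size, msg = m.groups()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       client, path, int(status), int(size), msg))
    return events


def find_padding_probes(log_text, threshold=5, window=timedelta(seconds=60)):
    """Clients with at least `threshold` padding errors inside any `window`."""
    per_client = defaultdict(list)
    for ev in sorted(parse(log_text)):
        per_client[ev[1]].append(ev)
    flagged = {}
    for client, evs in per_client.items():
        recent, peak, errors, failure_sizes = deque(), 0, 0, set()
        for ts, _, _path, status, size, msg in evs:
            if status != 200:
                failure_sizes.add(size)      # size variance on failures is itself a signal
            if "padding" in msg:
                errors += 1
                recent.append(ts)
                while ts - recent[0] > window:   # slide the window forward
                    recent.popleft()
                peak = max(peak, len(recent))
        if peak >= threshold:
            flagged[client] = {"padding_errors": errors, "peak_in_window": peak,
                               "response_sizes": sorted(failure_sizes)}
    return flagged


if __name__ == "__main__":
    for client, info in find_padding_probes(SAMPLE_LOG).items():
        print(client, info)
```

The threshold and window are tunable; a handful of padding errors per day per client is normal noise from stale or corrupted cookies, whereas a full decryption needs on the order of 256 requests per byte, so even a conservative burst threshold catches it early.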

Remediation

  1. Migrate to AES-GCM or ChaCha20-Poly1305, drop CBC entirely
  2. If CBC must stay, use encrypt-then-MAC with HMAC-SHA256 and a constant-time verify
  3. Return identical responses for any decryption failure, including timing
  4. Rotate keys often, log and alert on padding errors above a small threshold
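To tie the CBC math above to remediation steps 2 and 3, here is an added example that is not code from the BIPI article. It implements CBC with PKCS7 over a toy block cipher (a 4-round Feistel network keyed with HMAC-SHA256, assumed here as a stand-in for AES so the example needs only the standard library; the chaining and padding behaviour do not depend on the cipher). `last_block_diff` shows that flipping one byte of block N-1 flips exactly the matching byte of plaintext block N. `leaky_server` returns a distinguishable response for a padding failure, which is the oracle, while `hardened_server` verifies an HMAC tag in constant time before decrypting and collapses every failure into one response.

```python
# Added example (not from the BIPI article). ASSUMPTION: the block cipher is a toy
# Feistel network standing in for AES; the CBC/PKCS7 behaviour shown is generic.
import hashlib
import hmac
import json

BLOCK = 16


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key: bytes, i: int, half: bytes) -> bytes:
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:8]


def block_encrypt(key: bytes, blk: bytes) -> bytes:
    l, r = blk[:8], blk[8:]
    for i in range(4):
        l, r = r, _xor(l, _round(key, i, r))
    return l + r


def block_decrypt(key: bytes, blk: bytes) -> bytes:
    l, r = blk[:8], blk[8:]
    for i in reversed(range(4)):
        l, r = _xor(r, _round(key, i, l)), l
    return l + r


def pkcs7_pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def pkcs7_unpad(data: bytes) -> bytes:
    n = data[-1]
    if n < 1 or n > BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def cbc_encrypt(key: bytes, iv: bytes, padded: bytes) -> bytes:
    out, prev = b"", iv
    for i in range(0, len(padded), BLOCK):
        prev = block_encrypt(key, _xor(padded[i:i + BLOCK], prev))
        out += prev
    return out


def cbc_decrypt_raw(key: bytes, iv: bytes, ct: bytes) -> bytes:
    # P[n] = D(C[n]) XOR C[n-1]; padding is still unchecked here.
    out, prev = b"", iv
    for i in range(0, len(ct), BLOCK):
        blk = ct[i:i + BLOCK]
        out += _xor(block_decrypt(key, blk), prev)
        prev = blk
    return out


def tamper(token: bytes, index: int, mask: int) -> bytes:
    t = bytearray(token)
    t[index] ^= mask
    return bytes(t)


def last_block_diff(key: bytes, token: bytes, mask: int) -> bytes:
    """XOR of the last plaintext block before/after flipping the last byte of block N-1."""
    a = cbc_decrypt_raw(key, token[:BLOCK], token[BLOCK:])[-BLOCK:]
    t = tamper(token, len(token) - BLOCK - 1, mask)
    b = cbc_decrypt_raw(key, t[:BLOCK], t[BLOCK:])[-BLOCK:]
    return _xor(a, b)


def leaky_server(key: bytes, token: bytes) -> str:
    """Vulnerable pattern: padding failure and session failure are distinguishable."""
    try:
        plain = pkcs7_unpad(cbc_decrypt_raw(key, token[:BLOCK], token[BLOCK:]))
    except ValueError:
        return "400 padding error"          # this distinct response is the oracle
    try:
        json.loads(plain)
    except ValueError:                      # JSONDecodeError and UnicodeDecodeError
        return "401 bad session"
    return "200 ok"


def hardened_server(key: bytes, mac_key: bytes, token: bytes) -> str:
    """Encrypt-then-MAC: constant-time tag check first, one response for every failure."""
    body, tag = token[:-32], token[-32:]
    expected = hmac.new(mac_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return "401 invalid token"
    try:
        json.loads(pkcs7_unpad(cbc_decrypt_raw(key, body[:BLOCK], body[BLOCK:])))
    except ValueError:
        return "401 invalid token"
    return "200 ok"


def demo() -> dict:
    # Constructed fixed key, MAC key and IV so the result is reproducible.
    key, mac_key, iv = b"k" * 16, b"m" * 16, bytes(range(16))
    token = iv + cbc_encrypt(key, iv, pkcs7_pad(b'{"uid":42,"role":"user"}'))
    signed = token + hmac.new(mac_key, token, hashlib.sha256).digest()
    flip = len(token) - BLOCK - 1            # last byte of block N-1
    # masks: untouched; 0x08 -> 0x09 (invalid pad); 0x08 -> 0x01 (valid one-byte pad)
    masks = [0x00, 0x01, 0x09]
    return {"leaky": [leaky_server(key, tamper(token, flip, m)) for m in masks],
            "hardened": [hardened_server(key, mac_key, tamper(signed, flip, m)) for m in masks]}


if __name__ == "__main__":
    print(demo())
```

The leaky server answers the three variants with three different strings, so one flipped byte already tells the client whether the padding check passed. The hardened server rejects both tampered tokens identically before CBC runs at all, which is why step 2 and step 3 belong together: the MAC removes the malleability and the single failure path removes the signal.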

By the numbers

  • ~120 bytes: cookies decrypted per minute by padbuster on an average oracle
  • ~22%: legacy apps still on CBC plus a length-only check

Padding errors are not a bug, they are a teaching feature for the attacker.
