Source code for a Padding Oracle attack demonstration - vulnerable API and cracking code. C#, ASP .NET

alunmj/PaddingOracle

PaddingOracle

This was written after a hacking challenge (CTF / "Hackathon") at work.

Build the WebAPI project, then run it without debugging, so that you can then debug the PadOracle project against it.

Change the string as you want, to discover how well it does/doesn't work. Try to throw the algorithm off.

See if there are any optimisations you can think of. It's still very slow, perhaps.

Command line arguments are now added in the PadOracle program:

PadOracle <url> -c <cipher-reg> [-i <iv-reg>] [-iv0] [-b <blocksize:16>] [-t <encoding:b64|b64URL|hex|HEX>] [-v] [-p <parallelism:-1|1>] [-x <exception text>] [-h]
  <cipher-reg>: a regex matching the entire ciphertext in the <url> parameter
  <iv-reg>: a regex matching the initialisation vector in the <url> parameter, if separate
  <blocksize>: blocksize in bytes. Defaults to 16.
  <encoding>: The encoding of the ciphertext. b64 = base64, URL encoded; b64URL = base64 URL safe (/, +, =, replaced with !, -, ~); hex / HEX - hexadecimal encoded, lower / upper case.
  <parallelism>: How parallel do you want it? 1 is for 1 thread, so you can watch it work. -1 is for max parallel, more speed. Defaults to -1.
  <exception text>: The text you expect to see in a 200 HTTP response when the request caused a padding error. If left out, PaddingOracle will guess from the first 30 characters of the 200 HTTP response to the URL you provided, assuming everything else is a padding error. This is not always successful.
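
The following added example is written in Python and is not taken from the repository's C# code. It shows how the `<cipher-reg>`, `<encoding>` and `<blocksize>` options fit together: locate the ciphertext in the URL, decode it, split it into blocks, and re-encode bytes in the same format. The function names and the sample URL are constructed for illustration, and reading `b64` as percent-encoded standard base64 is an assumption based on the option description above.

```python
import base64
import re
from urllib.parse import quote, unquote

# b64URL mapping as the README states it: '/', '+', '=' become '!', '-', '~'.
TO_URLSAFE = str.maketrans("/+=", "!-~")
FROM_URLSAFE = str.maketrans("!-~", "/+=")

# Constructed sample: 32 bytes (two 16-byte blocks) as lower-case hex in a query string.
SAMPLE_URL = "https://example.test/api/item?token=" + bytes(range(32)).hex() + "&lang=en"


def decode_token(text, encoding):
    """Decode the text matched in the URL into raw bytes."""
    if encoding == "b64":  # assumed: standard base64, then percent-encoded
        return base64.b64decode(unquote(text), validate=True)
    if encoding == "b64URL":
        return base64.b64decode(text.translate(FROM_URLSAFE), validate=True)
    if encoding in ("hex", "HEX"):
        return bytes.fromhex(text)
    raise ValueError(f"unknown encoding: {encoding}")


def encode_token(raw, encoding):
    """Inverse of decode_token; keeps the alphabet and case the URL used."""
    b64 = base64.b64encode(raw).decode("ascii")
    if encoding == "b64":
        return quote(b64, safe="")
    if encoding == "b64URL":
        return b64.translate(TO_URLSAFE)
    if encoding in ("hex", "HEX"):
        return raw.hex().upper() if encoding == "HEX" else raw.hex()
    raise ValueError(f"unknown encoding: {encoding}")


def split_blocks(url, cipher_regex, encoding, blocksize=16):
    """Find the ciphertext with the regex, decode it, and cut it into blocks."""
    match = re.search(cipher_regex, url)
    if match is None:
        raise ValueError("cipher regex does not match anything in the URL")
    raw = decode_token(match.group(0), encoding)
    if not raw or len(raw) % blocksize:
        raise ValueError(f"{len(raw)} bytes is not a whole number of {blocksize}-byte blocks")
    return [raw[i:i + blocksize] for i in range(0, len(raw), blocksize)]


if __name__ == "__main__":
    for block in split_blocks(SAMPLE_URL, r"(?<=token=)[0-9a-f]+", "hex"):
        print(block.hex())
```

A length that is not a multiple of the block size usually means the regex matched too much or too little of the URL, or the wrong encoding was selected.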
