Padding Oracle Hunter

Padding Oracle Hunter is a Burp Suite extension that helps penetration testers quickly identify and exploit PKCS#7 and PKCS#1 v1.5 padding oracle vulnerabilities.

Features

Currently, the extension consists of two separate tabs, PKCS#7 and PKCS#1 v1.5, which support the following functionality:

PKCS#7

The following GUI can be used to identify and perform the padding oracle attack targeting the PKCS#7 padding scheme on a CBC-mode block cipher. The attack allows plaintext recovery and modification without knowing the key.

The components of the GUI (above) are as follows:

  1. HTTP request window.
  2. Panel to select the payload and its format. The selected payload is expected to be either in the format of IV || ciphertext or ciphertext. If only ciphertext is selected, IV must be provided to achieve full decryption.
  3. The number of threads used to perform the attack. With more threads, the computation is expected to be faster.
  4. The block size of the encryption protocol.
  5. The unique response from the server (partial or full) due to valid or invalid padding. Only used in the encryption and decryption operations.
  6. The plaintext which will be used to compute the ciphertext. Only used in the encryption operation.
  7. The IV which will be used for decryption operation. If it is empty, the first block of the selected payload will be the IV.
  8. Output window.
  9. Test function to verify whether the server is vulnerable to PKCS#7 padding oracle attack.
  10. Encrypt function to compute the ciphertext from the given plaintext.
  11. Decrypt function to recover the plaintext from the encrypted payload.
  12. Stop function to halt all the current operations.

PKCS#1 v1.5

The following GUI can be used to identify and perform the padding oracle attack targeting the PKCS#1 v1.5 padding scheme on the RSA cryptosystem. The attack allows the plaintext to be recovered with only the public key information.

The components of the GUI (above) are as follows:

  1. HTTP request window.
  2. Panel to select the payload and its format.
  3. The RSA public exponent.
  4. The RSA public modulus.
  5. The unique response from the server (partial or full) due to valid or invalid padding. Only used in the decryption operation.
  6. Interval to display the decryption results.
  7. Output window.
  8. Test function to verify whether the server is vulnerable to PKCS#1 v1.5 padding oracle attack.
  9. Decrypt function to recover the plaintext from the encrypted payload.
  10. Stop function to halt all the current operations.

Prerequisites

Installation

Burp

Test Vulnerable Server

Usage

PKCS#7

  1. Go to the test server endpoint at http://ServerIP:8000/TestAesPKCS7 with the following POST request and notice that we are logged in as a normal user.

  2. Pipe the request through Extensions -> Padding Oracle Hunter -> PKCS#7.

  3. Select the ciphertext value in the Request window and click Select Payload with the Hex format selected and Url Encoded unchecked. The payload will be enclosed within the § symbol.

  4. Click the Test button, and it will provide a summary indicating that the server is vulnerable to the padding oracle attack.

  5. Copy part or all of the padding response from the Output window and put it in the Padding Response textbox. You can choose to use either the valid or invalid padding response. Click the Decrypt button to recover the plaintext.

  6. In order to escalate the privilege to admin, we will need to modify the plaintext to {"userid":"100","isAdmin":"True"} and convert it to a hexadecimal value.

  7. Copy the hexadecimal value to the Plaintext textbox and click the Encrypt button to compute the corresponding IV || ciphertext.

  8. Update the HTTP request with the newly computed ciphertext and send the request to the server. Notice that we are now logged in as an admin.
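The flaw this walkthrough exercises is a server whose responses reveal whether CBC padding was valid. The Node.js sketch below is an added example, not code from the extension or its test server: it contrasts a handler with distinguishable failure responses against an encrypt-then-MAC handler that rejects modified tokens before decrypting. The keys, response strings and function names are assumptions made for illustration.

```javascript
const crypto = require('crypto');

// Constructed demo keys; a real service loads these from a secret store.
const ENC_KEY = crypto.randomBytes(16);
const MAC_KEY = crypto.randomBytes(32);

// AES-128-CBC token as IV || ciphertext (Node applies PKCS#7 padding by default).
function encryptToken(plaintext) {
  const iv = crypto.randomBytes(16);
  const c = crypto.createCipheriv('aes-128-cbc', ENC_KEY, iv);
  return Buffer.concat([iv, c.update(plaintext, 'utf8'), c.final()]);
}

function decryptToken(blob) {
  const d = crypto.createDecipheriv('aes-128-cbc', ENC_KEY, blob.subarray(0, 16));
  return Buffer.concat([d.update(blob.subarray(16)), d.final()]).toString('utf8');
}

// Vulnerable: a padding failure and a parse failure produce different responses.
function vulnerableHandler(blob) {
  let text;
  try { text = decryptToken(blob); } catch (e) { return 'Invalid padding'; }
  try { return 'Welcome user ' + JSON.parse(text).userid; } catch (e) { return 'Invalid token'; }
}

// Hardened token: IV || ciphertext || HMAC-SHA256(IV || ciphertext).
function sealToken(plaintext) {
  const body = encryptToken(plaintext);
  const tag = crypto.createHmac('sha256', MAC_KEY).update(body).digest();
  return Buffer.concat([body, tag]);
}

function hardenedHandler(token) {
  const GENERIC = 'Invalid token';
  if (token.length < 16 + 16 + 32) return GENERIC;
  const body = token.subarray(0, token.length - 32);
  const tag = token.subarray(token.length - 32);
  const expected = crypto.createHmac('sha256', MAC_KEY).update(body).digest();
  // Constant-time compare; decryption never runs on unauthenticated bytes.
  if (!crypto.timingSafeEqual(tag, expected)) return GENERIC;
  try { return 'Welcome user ' + JSON.parse(decryptToken(body)).userid; }
  catch (e) { return GENERIC; }
}
```

With the MAC checked first, every altered token yields the same response, so the Test step has no valid/invalid padding difference to report.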

PKCS#1 v1.5

  1. Go to the test server endpoint at http://ServerIP:8000/TestRsaPKCS1_5 with the following POST request.

  2. Pipe the request through Extensions -> Padding Oracle Hunter -> PKCS#1 v1.5.

  3. Select the ciphertext value in the Request window and click Select Payload with the Hex format selected and Url Encoded unchecked. The payload will be enclosed within the § symbol.

  4. Fill in the public key parameters with public exponent: 65537 and modulus: 91150209829916536965146520317827566881182630249923637533035630164622161072289

  5. Click the Test button, and it will provide a summary indicating that the server is vulnerable to the padding oracle attack.

  6. Copy part or all of the padding response from the Output window and put it in the Padding Response textbox. You can choose to use either the valid or invalid padding response. Click the Decrypt button, and the plaintext will be recovered at about 50k requests.

Contributing

Submitting changes

Please send a GitHub Pull Request to us with a clear list of what you have done and the potential impact to the tool if there is any.