Tuesday, June 8, 2010
Padding Oracle Exploit Tool
Two researchers have released a tool which can be used to crack web server-encrypted session data contained in cookies and parameters hidden in HTML pages. The method used by Juliano Rizzo and Thai Duong's Padding Oracle Exploitation Tool (Poet) can also be used to crack CAPTCHAS.
Poet utilises the Padding Oracle Attack, first discovered in 2002, to decrypt cypher block chaining (CBC) mode encrypted data without the key. Web applications such as those generated using the popular JavaServer Faces framework (JSF) are affected.
The Padding Oracle Attack makes use of the fact that during encryption individual blocks must always be 8 or 16 bytes long. In order to meet this requirement it is usually necessary to pad out the final block with additional bytes. There are various methods of performing this padding, some of which facilitate cracking. This is where Padding Oracle – essentially a program or service which uses a status message to indicate whether the padding in a received packet is valid – comes into play. This is exactly what the JSF framework does.
Download and demo: http://netifera.com
Source: Tool for cracking encrypted session data